XMission's Company Journal

Does Your Organization Need SOC 1 or SOC 2? – Updated!

PLEASE NOTE: This article contains outdated information. XMission is no longer HIPAA or SSAE 16 compliant. Please visit our SOC2 compliance page to learn about our recent certifications.

What is SOC 1 (SSAE 16)?
Not so many years ago, publicly traded businesses typically would conduct annual SAS 70 audits and feel content, knowing that an external auditor determined that their ducks were in a row. If they relied on a vendor in ways that might measurably affect their own internal controls over financial reporting (e.g., their bottom line), then they would choose a vendor who also produced an SAS 70 audit each year. Created by the American Institute of Certified Public Accountants (AICPA) in 1993, and based on earlier versions of service auditor reporting, SAS 70 was evidence that an organization was audited by a qualified third party to ensure that valid internal controls were in place to protect against threats like corruption and risk. Of course, all things change and in June of 2011 SAS 70 was replaced with SSAE 16 (Service Auditors to the Statements on Standards for Attestation Engagements No. 16). Also known as SOC 1, these Service Organization Controls are very similar to what was contained in SAS 70. As a result, companies which conducted SAS 70 audits in the past have simply switched over to SOC 1. Well, it’s not quite so simple though. As IT has changed the nature of business and how we conduct business, the need for a third party auditor to scrutinize the inner workings of an organization has grown.

How about SOC 2?
To better address the diverse needs of different entities, the AICPA created SOC 2. The official determining factor when choosing between SOC 1 and SOC 2 is whether or not an organization’s controls would affect their clients’ internal control over financial reporting. In layman’s terms, SOC 2 focuses on important policies and procedures not directly tied to revenue. SOC 2 was crafted to address the needs and concerns of a world where hackers and neer-do-wells from anywhere on the globe peck around to steal financial and computing resources, as well as personal information. As a result, a SOC 2 report focuses on at least one of these five principles:

  • Security: The system is protected against both physical and logical unauthorized access.
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles issued jointly by the AICPA and the CICA.

Which one should you choose for your enterprise?
So, which is best for your organization and what should you require of vendors you rely upon? It really depends on your particular situation. If you’re publicly traded, then SOX already requires SOC 1. If you’re a privately held start-up which relies on IT infrastructure to conduct your business, then SOC 2 might be the better route for you to take, with a focus on security and availability to ensure that everything is secure and always up as you focus on growth and seek private investors.

In some circumstances, a business might determine that a combination of both SOC 1 and SOC 2 are necessary to ensure the broad range of their controls are effective. I think we’ll be seeing more of that in the next few years as businesses seek to meet the demands of their various stakeholders. If you process a lot of credit card transactions then you might already be required by your merchant bank to pass PCI DSS, which requires an entity to adhere to a broad range of IT best practices and includes vulnerability scanning to verify if your servers associated with credit card transactions are up to date and secure. In many cases, that’s a good combination. For example, XMission conducts annual SOC 1 audits with A-lign, a reputable CPA firm, and maintains PCI DSS compliancy with the most rigorous SAQ (Self-Assessment Questionnaire) validation, Type 5: SAQ v2 D. As a colocation and cloud hosting provider, among other things, this complementary blend enables us to cover a broader range of controls than either do alone so we can meet the requirements of our diverse customer base.

2017 Update: SOC 1 Vs SOC 2
I wrote this article over three years ago and since it’s quite popular thought I’d update it with a short addendum since I’m seeing a change in the audit landscape. Most significantly, businesses are finally learning and asking about SOC 2.

What should you do for your enterprise? Moreso now than when I originally wrote this post back in 2013 I think SOC 2 is very relevant if your organization deals with data that requires privacy and/or security. SOC 2 does a fine job of requiring best practices which can help you ensure the best policies and procedures are established and regularly followed.

I actually held off on adding SOC 2 audits for XMission until 2016 since existing and potential customers were not asking for it and adding the audit required a vast amount of additional work, especially in the first year. As a Colocation and hosting provider, SOC 2 makes a lot of sense for XMission so I was happy to finally add it to our quiver of audits and certifications. I’m also pleased to report that our customers are showing more interest in it, which is how I justified it to the company president since additional staffing resources were required to successfully perform and pass the audit.

XMission’s current certifications
SOC 2 Certified
PCI DSS SAQ Certified
Energy Star Certified

Looking for a hosting provider who can help you meet your organization’s auditing requirements? Contact XMission today.


, , , ,

Comments are currently closed.

2 thoughts on “Does Your Organization Need SOC 1 or SOC 2? – Updated!

  • Dana Chardon says:


    In regards to your comment stating “If you’re publicly traded, then SOX already requires SOC 1.”, I believe what you mean is that by obtaining SOX compliance you are by default SOC1 compliant…correct?

    In other words, SOX does not in fact require you to separately and distinctly obtain SOC1 compliance in order to be compliant with SOX.

    Just wanted to clarify my understanding please.

  • Grant Sperry says:

    Dana, I’m sorry I wasn’t more clear. SOX (Sarbanes–Oxley Act) is a set of US government standards which requires publicly traded companies to perform a SOC 1 (e.g., SSAE 16) audit annually. In other words, SOX regulations include requirements for a SOC 1 audit. Many of our customers who are interested in our SOC 1 status are publicly traded. The rest have security and/or privacy concerns.