System and Organisation Control (SOC)

System and Organisation Controls (SOC) - Report Attestation Services

Securely manage customers’ data to protect the interests of the organisation and the privacy of your clients


What is System and Organisation Control (SOC)?

SOC is a voluntary compliance standard for service organisations, developed by the American Institute of Certified Public Accountants (AICPA), which specifies how organisations should manage customer data. SOC is an auditing procedure that ensures service providers securely manage customers’ data to protect the interests of the organisation and the privacy of its clients. For security-conscious businesses, SOC compliance is a minimal requirement when considering an organisation that provides services, e.g. a SaaS provider.

What is a SOC Report?

Previously known as SSAE16 and SAS70 reports, System and Organisation Controls (SOC) reports help organisations establish trust and confidence in their services or products, including their delivery processes and controls. To receive a report from a certified public accountant (CPA), an organisation must undergo one or more assessments performed by an independent third party, and the report must subsequently be attested by a CPA.




In today’s world, customers, regulators, and business partners are increasingly concerned about whether their data is being properly protected by service provider organisations. At the same time, these service organisations face a growing challenge in demonstrating data security through multiple standards and various reporting frameworks in response to their customers.


A comprehensive approach through CPA (Certified Public Accountant) attested SOC reports offers the following advantages:

  • Gain competitive advantage - and provide confidence to your stakeholders and customers on maintaining the highest standards for information security
  • Increase trust and transparency towards stakeholders - to meet contractual requirements and concerns
  • Address risks proactively - and reduce compliance costs and drive control maturity within your organisation

Types of SOC Reporting


SOC 1®

SOC 1 reports are designed for organisations that provide services to their clients that are relevant to the users’ financial controls. Common examples of this type of reporting include payroll processors and medical claims processors. This report can save an organisation time and money by addressing various common control-related questions that arise from multiple user auditors.

SOC 2®

The SOC 2 report is intended for the use and reference of the management of the service organisation, user entities, user entities’ auditors and regulators. SOC 2 reports are designed for organisations that provide information to user entities about non-financial controls. The report outlines the effectiveness of an organisation's internal and security controls implemented to safeguard customer data. The controls are reviewed against the AICPA’s 5 Trust Service Principles including Security, Availability, Confidentiality, Processing Integrity, and Privacy. A few examples of this type of report include third-party service providers (Human Resource Management Service Providers, Document Management Service Providers, and Cloud Computing Service Providers). This report gives your organisation a competitive edge over others who cannot prove their SOC 2 compliance. Further, these reports provide valuable insights about an organisation's internal controls and safeguards.

SOC 3®


SOC 3 reports are designed for organisations that provide information to user entities about non-financial controls, addressing the same controls as SOC 2 reports. However, this report contains significantly less detail, with no description of tests of controls. This report is available for the use of the public and for wider distribution for the purpose of marketing. SOC 3 reports are made available to the public at the discretion of the management of the organisation. After successful completion of the assessment, the auditor (a Certified Public Accountant, i.e. CPA) provides a formal, structured assurance report which can be shared with the organisation's clients and other interested parties.


How to Get SOC (Type 1 / Type 2) Reports?

Choosing the kind of SOC report is one step; choosing the reporting type is the next. This step is crucial, as there is a big difference between the two report types. The key distinction between the two reports is that one addresses controls at a specific date (Type 1), while the other addresses controls over a specified time period (Type 2).

For Type 1 assessments, the assessor will only check the adequacy of controls to be implemented by the customer. The effectiveness of the implementation is checked during a Type 2 assessment. If any deviation is found, the assessed company must respond to the findings by closing them or providing management acceptance. It is also important to note that Type 1 and Type 2 are terminology used for SOC 1 and SOC 2 reports. TÜV SÜD is currently providing SOC 2 and SOC 3 report attestation services.

What are the Components of a SOC Report?

Section 1 - Auditor’s Report
Section 2 - Management Assertion
Section 3 - System Description
Section 4 - Description of Criteria
Section 5 - Other Information (optional)


By choosing TÜV SÜD, you partner with a team of experts who help you manage risks and access global markets through a portfolio of technical solutions:

1. 150+ years of safety, security, and sustainability.
2. 1000+ locations worldwide.
3. End-to-end solutions across the business lifecycle.
4. Cross-industry experience with key customer segments including chemicals, consumer products and retail, energy, healthcare and medical devices, infrastructure and rail, manufacturing, mobility and automotive, and real estate.
5. A global network of multidisciplinary experts, accredited laboratories, and offices.
6. Proactive approach towards future developments and megatrends.

