What is a SOC 1?

SOC 1 reports are intended to address internal control over financial reporting (ICFR). Think about it this way: if your service has an impact on the financial statements of your customers, then you will likely be looking at a SOC 1. But those financial-related controls aren’t the only thing that might be in the report. You may find that you also need to report on some of the things you would find in a SOC 2, like security, confidentiality, etc. Those can be incorporated as well because, in a SOC 1, you define the Control Objectives.

What is a SOC 3?

A SOC 3 report is a general-use report that can be made publicly available. A SOC 3 report does not include the full system description (section 3) or the description of service auditors’ tests of controls and the results thereof (section 4). Distribution of a SOC 2 report for marketing purposes is ill-advised, as section 3 and section 4 contain sensitive information about the system and results of control design or operating effectiveness. This is why SOC 2 reports are considered restricted-use reports. SOC 3 reports can be posted on the company website and include limited information about the system and results of the examination.

ByteChek's platform helps companies of all sizes establish security programs, automate cybersecurity readiness assessments, and complete cybersecurity assessments faster, all from a single platform.

With ByteChek, companies can quickly build their information security policy from the ground up utilizing the ByteChek information security policy generator. The ByteChek platform then connects with the applications companies use every day to eliminate evidence collection and vague auditor requests.