RiskWatch
Compliance guide

SOC 1 vs SOC 2: which report your buyers are actually asking for

SOC 1 vs SOC 2 explained in plain terms. SOC 1 covers controls that affect your clients' financial reporting; SOC 2 covers the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. Includes a side-by-side comparison and how to know which report you need.

The short version

SOC 1 vs SOC 2, defined

SOC 1 and SOC 2 are both SOC for Service Organizations reports, issued by a CPA firm under the AICPA standard SSAE 18. The difference is what they measure. A SOC 1 report covers controls at a service organization that are relevant to its clients' internal control over financial reporting (ICFR). It exists for your clients' financial-statement auditors, so it is the report that payroll, billing, claims, and transaction processors are asked for. A SOC 2 report covers controls measured against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. It exists for the security and risk teams that vet you as a vendor, so it is the report that SaaS, cloud, and technology companies are asked for. Both come in Type 1, which assesses the design of controls at a point in time, and Type 2, which assesses whether the controls operated effectively over a period.

Updated . A plain-language guide, not legal or audit advice.

SOC 1 vs SOC 2, side by side

Same family of report, different question. Use this to match the request on your desk to the right examination.

What it reports on
  • SOC 1: Controls at a service organization that are relevant to its clients' internal control over financial reporting (ICFR).
  • SOC 2: Controls relevant to the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

Standard it is performed under
  • SOC 1: SSAE 18 (AT-C 320), the attestation standard for reporting on controls at a service organization.
  • SOC 2: SSAE 18 (AT-C 105 and AT-C 205), measured against the AICPA Trust Services Criteria.

Primary audience
  • SOC 1: Your clients' financial-statement auditors and finance teams.
  • SOC 2: Your customers' security, risk, and procurement teams.

Who typically needs it
  • SOC 1: Payroll processors, financial and transaction processors, claims and lending platforms, and other providers that touch a client's numbers.
  • SOC 2: SaaS, cloud, hosting, data, and technology vendors that hold or process customer data.

Who asks you for it
  • SOC 1: A client's external auditor, who needs to assess controls at your organization as part of auditing the client's financial statements.
  • SOC 2: A prospect or customer during security review and vendor due diligence, often before they will sign.

What the report contains
  • SOC 1: An auditor's opinion, a description of the system, and the control objectives and controls relevant to financial reporting, plus test results in a Type 2.
  • SOC 2: An auditor's opinion, a description of the system, the applicable Trust Services Criteria and related controls, plus test results in a Type 2.

Distribution
  • SOC 1: Restricted-use: shared with the client and the client's auditors, not for general marketing.
  • SOC 2: Restricted-use, but routinely shared under NDA with prospects and customers as a trust artifact.

Type 1 and Type 2
  • SOC 1: Available as Type 1 (design at a point in time) or Type 2 (operating effectiveness over a period).
  • SOC 2: Available as Type 1 (design at a point in time) or Type 2 (operating effectiveness over a period).

What SOC 1 is for

SOC 1 exists because your service can affect someone else's books. When a client outsources a function that touches its financial statements (payroll, billing, lending, claims, or transaction processing), that client's external auditor has to account for the controls at your organization. Rather than auditing you separately every year, the auditor relies on your SOC 1 report. It is performed under SSAE 18 (AT-C 320) and is built around control objectives defined for financial reporting, not the Trust Services Criteria. The audience is narrow and financial: your client and your client's auditors.

What SOC 2 is for

SOC 2 exists because your customers hand you their data and need evidence you protect it. It is measured against the AICPA Trust Services Criteria: security (the common criteria, always in scope), plus availability, processing integrity, confidentiality, and privacy where they are relevant to your service. The audience is security and risk: the teams that run vendor due diligence and will not sign until your report clears review. For most SaaS, cloud, and technology vendors, SOC 2 is the report that shows up in the procurement checklist, and not having it stalls deals.

Type 1 and Type 2 apply to both

The Type 1 versus Type 2 distinction is separate from the SOC 1 versus SOC 2 question and applies to both. A Type 1 is an opinion on whether your controls are suitably designed at a single point in time. A Type 2 is an opinion on whether those controls also operated effectively over a period, commonly three to twelve months. Most enterprise buyers want Type 2, because design on paper is not the same as controls that actually held up over time. If you are weighing the two, see our deeper guide on SOC 2 Type 1 vs Type 2.

Which one do you need?

Start with who is asking and why. The fastest way to tell them apart is the question behind the request.

Choose SOC 1 when

  • Your service affects your clients' financial statements.
  • The request comes from a client's financial-statement auditor.
  • You process payroll, payments, claims, or transactions.

Choose SOC 2 when

  • You hold or process customer data in the cloud.
  • The request comes from a prospect's security or risk team.
  • A SOC 2 report is blocking a deal in procurement.

If both descriptions fit, you may need both. Many service organizations maintain a SOC 1 for their clients' auditors and a SOC 2 for the buyers vetting them as a vendor.

Free download

Heading for SOC 2? Start with the readiness checklist

If SOC 2 is the report your buyers want, our free SOC 2 readiness checklist walks all five Trust Services Criteria with control prompts, a Complementary User Entity Controls tracker, and an ISO 27001:2022 cross-map for dual audits. No credit card, no sales follow-up.


Manage SOC 2 in one platform

Run your SOC 2 program without the spreadsheet sprawl

RiskWatch maps your controls to the Trust Services Criteria, tracks evidence and owners, and keeps you audit-ready across 40+ frameworks. Start a free trial or book a demo.

No credit card required · 30-day free trial · Cancel anytime
