Resources · Guides & How-Tos

SOC 1 & SOC 2 Reporting, Explained

What SOC 1 and SOC 2 reports cover, the difference between Type I and Type II, the Trust Services Criteria, and a practical readiness checklist.

SOC reports give your customers independent assurance that the controls protecting their data and services actually work. They’re issued under standards set by the AICPA and are widely requested by enterprise buyers — especially in financial services and SaaS.

SOC 1 vs SOC 2

SOC 1

Financial reporting (ICFR)

Focuses on controls relevant to your customers’ financial reporting. If what you do can affect a client’s financial statements — payroll, payments processing, billing — a SOC 1 is usually what’s requested.

SOC 2

Trust Services Criteria

Focuses on the Trust Services Criteria — security, availability, processing integrity, confidentiality and privacy. It’s the report most technology and SaaS providers need to show they protect customer data.

Type I vs Type II

Type I

Point in time

Assesses whether your controls are suitably designed at a single point in time.

Type II

Over a period · carries more weight

Assesses whether those controls also operated effectively over a period — typically 3–12 months. Type II is what enterprise buyers usually ask for.

The five Trust Services Criteria
SecurityProtection against unauthorised access.Required
AvailabilityAvailable for operation and use as committed.
Processing IntegrityProcessing is complete, valid, accurate and timely.
ConfidentialityConfidential information is protected.
PrivacyPersonal information handled as committed.
How an independent assessment works
1

Scoping

Agree the system boundary, which Trust Services Criteria apply, and the observation period.

2

Readiness review (optional)

An honest gap check against the criteria before the formal examination begins.

3

Remediation

Close the gaps — implement or tidy up controls, policies and evidence processes.

4

Observation & examination

Operate controls across the period (Type II); we test them and collect evidence.

5

Report & opinion

You receive an independent SOC report to share with customers under NDA.

SOC 2 Type 2 readiness checklist

SOC 2 Type 2 Readiness Checklist

Work through these to gauge how ready you are for a SOC 2 Type 2 examination. Tick items off as you go — your progress is saved on this device.

0 of 26 complete
AScope & governance
BSecurity — Common Criteria (mandatory)
COptional criteria (only if in scope)
DPolicies & people
EEvidence & continuous operation (Type II)
FBefore the audit
Not legal advice — an independent assessor will confirm what applies to your scope.

Ready to start your SOC 2 journey?

Talk to an independent SOC assessor — conflict-free, across New Zealand & Australia.

Book a scoping call →