SOC Report Families, Report Structure, and Shared Control Responsibilities

This chapter introduces the SOC reporting landscape and the basic distinctions among engagement types. ISC uses this material to test whether you can match user needs to the correct report and understand the structure of that report.

In This Chapter

• Purpose and Types of SOC Reports (SOC 1®, SOC 2®, SOC 3®, SOC for Cybersecurity) explains the main report families and their intended uses.
• Form and Content of SOC Reports covers the basic sections and components of SOC reporting.
• Comparing User Entity Controls and Subservice Organization Controls explains how responsibilities are divided across organizations.

How to Use This Chapter

• Read this chapter before the specific SOC-report chapters so the framework is clear.
• Focus on intended users, subject matter, and scope differences among report types.
• Return here whenever an ISC question asks which SOC engagement is appropriate.

In this section

• SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity: Purpose, Users, and Use Cases
  SOC report families, intended users, and practical use cases.
• Required Sections, Structure, and Core Content of SOC Reports
  Required sections, structure, and core content of SOC reports.
• User Entity Controls, Subservice Controls, and Shared Responsibility Boundaries
  User entity controls, subservice controls, and shared responsibility boundaries.