SOC (Audits) vs SOC (Security Operations Center)

Overview

Joe Ciancimino, Director of Attest Services at IS Partners, joined James Treuting and Clayton Paplaczyk from cybersecurity firm Lumifi in a webinar to shed light on a common point of confusion in the cybersecurity world: the difference between SOC (System and Organization Controls) and SOC (Security Operations Center).

A Snapshot of SOC Audits

Ciancimino kicked things off by defining what SOC audits are, the different types — SOC 1 and SOC 2 — and their distinct objectives.

SOC 1 audits focus on controls relevant to a companies financial reporting, while SOC 2 audits evaluate controls related to security, availability, processing integrity, confidentiality and privacy using a dedicated AICPA framework.

While both SOC 1 and SOC 2 audits assess security controls, they differ in scope and purpose. SOC (System and Organization Controls) audits are performed by CPA firms like I.S. Partners to evaluate the internal controls of service organizations.

“SOC 1 engagements typically cover 50% business controls and 50% IT general controls,” explained Ciancimino. “SOC 2 engagements, on the other hand, are performed on a pre-dedicated framework from the AICPA to cover controls related to security, availability, processing integrity, confidentiality, and privacy.”

The type of SOC audit pursued depends on the service provided and customer requirements. Ciancimino gave the example of a claims processing company needing a SOC 1 audit to assure a health insurer that claims will be input, adjudicated and reconciled correctly. The same company may need a SOC 2 audit to demonstrate they will protect the personal data shared by the insurer.

SOC audits are not just about compliance; they are about assurance, about providing confidence to your clients that their data is handled securely
Joe Ciancimino

SOC audits can be further classified as Type 1 or Type 2 based on the level of assurance provided. Type 1 audits assess the suitability of control design at a point in time, while Type 2 audits test the operating effectiveness of controls over a period of time, usually 6-12 months. Type 2 audits are more rigorous and often the end goal for service organizations.

“In a Type 1 assessment, we would request just one recent example of a background check completed for a new hire,” noted Ciancimino. “In a Type 2 assessment, we would randomly sample new hires over the audit period and select the employees we need to see background checks for.”

The Duality of SOC: Audit and Operations

James Treuting, regional director at Lumify, and Clayton Paplaczyk, VP of infrastructure, then took over to explain how Lumifi’s SOC (Security Operations Center) complements SOC (System and Organization Controls) audits by ensuring continuous protection of their clients’ digital assets through real-time threat monitoring and response. Many clients, especially those with small IT teams, seek out Lumifi’s help after going through a SOC audit and realizing they lack the internal expertise and resources to maintain a strong security posture.

Our goal is helping organizations with smaller, security-centric IT teams by giving them the knowledge and information to immediately investigate and remediate threats. We provide that information at both a high level and a very deep level.
James Treuting

Through their Security Operations Center (SOC) and Managed Network Detection and Response (MNDR) services, Lumifi provides the expertise and security operations center tools to monitor client environments, including endpoint detection and response (EDR), security information and event management (SIEM), and network detection and response (NDR).

EDR serves as a next-gen antivirus, identifying anomalous activity on endpoints.
SIEM provides correlation by ingesting logs from multiple sources.
NDR enables packet-level visibility into east-west traffic.

By combining these telemetry sources in its 24/7 SOC (Security Operations Center), Lumifi is able to swiftly detect, investigate and contain threats for its clients. The company also holds a SOC 2 Type 2 certification of its own, validating the security of its services.

“Majority of the time, when we’re speaking to organizations just starting their cybersecurity maturity roadmap, [EDR] is where we’ll be starting,” said Treuting. “It really gives you the best bang for your buck, gives us great visibility, and also gives us that action-taken capability.”

Technology and Assurance – A Complementary Relationship

Both Ciancimino and the Lumify team highlighted the symbiotic relationship between SOC audits and the operational technology managed within SOCs (Security Operations Centers). This relationship emphasizes the dual layers of security—operational and evaluative—that organizations must navigate to ensure their data is protected

For instance, while SOC audits provide a framework and periodic assurance through detailed reports, managed security operations centers offer ongoing monitoring and immediate threat response capabilities, which are vital for day-to-day security management.

Ciancimino clarified that while having a SOC (Security Operations Center) service in place can help with the audit process, it does not replace the need for a separate SOC audit conducted by a certified public accounting firm.

“Chances are, even though Lumifi may be working through your alerting, you may be providing the EDR services. Lumifi’s SOC 2 doesn’t include some of the processes and procedures in place at your company,” Ciancimino explained. “And that’s ultimately what the SOC 2 report is for. It’s for you.”

With the increasing reliance on outsourced service providers, SOC audits have become a business necessity in many industries. Understanding the differences between SOC 1 vs SOC 2 and Type 1 vs Type 2 reports is critical for both service organizations and user entities. As Lumifi’s services demonstrate, partnering with cybersecurity experts can provide the knowledge and capabilities needed to achieve SOC compliance.

As Lumifi’s services demonstrate, partnering with cybersecurity experts can provide the knowledge and capabilities needed to achieve SOC compliance.
Joe Ciancimino

Forward-Thinking Security Practices

Looking to the future, the integration of SOC audits and SOCs (Security Operations Centers) is likely to deepen, driven by the increasing sophistication of cyber threats and evolving regulatory requirements across global markets.

Companies that use SOC audits for compliance and security operations center services for security are better equipped to protect their data and sustain their business operations.

Q & A Session

The webinar concluded with a Q&A session, addressing topics such as the cost of SOC audits, the inclusion of penetration testing in SOC services, and protection against social engineering attacks. The questions below were asked by guests during the webinar.

What is the benefit of a SOC 2 audit?

The main benefit is the assurance provided to customers. It demonstrates, either as a result of a contractual need or for marketing purposes, that customer data will be safe.

How often do you need to do a SOC audit?

The frequency of SOC audits varies, with most SOC 1 and SOC 2 reports covering a 12-month period. In some cases, however, a company may elect to get a SOC 1 or SOC 2 report more frequently, such as every six months.

The frequency at which a company renews their SOC 2 report can be based on client requirements, significant changes to controls or to show potential customers and stakeholders that they are committed to operational efficiency and data security.

What is the approximate cost for a SOC 2 audit?

The cost of a SOC 2 audit varies based on company size and complexity. It could range from $7,500 to $50,000.

Related article: How Much Does a SOC 2 Audit Cost?

Do you get a certificate to show customers that you are SOC 2 certified or compliant?

Yes, once the audit is complete, you receive a report that you can provide to customers. I.S. Partners will also provide you with a shield that can be placed on your website and in marketing collateral to show potential customers that you are SOC 2 compliant.

Can any company perform a SOC 2 audit?

No, only certified public accounting (CPA) firms can perform SOC 2 audits. I.S. Partners is a registered CPA with the AICPA.

Related article: Who Can Perform SOC Audits?

Is SOC 2 Type 2 mandatory?

No, it’s not mandatory, but if your business involves exchanging data, customers will likely ask for it as it’s considered a best practice.

What are the benefits of using managed SOC (Security Operations Center) services?

A company can benefit from having a Security Operations Center (SOC) service in several key ways:

1. Expertise and knowledge: Many organizations lack the internal expertise and knowledge to effectively monitor and respond to security threats. A SOC service like Lumifi provides that expertise to help clients swiftly investigate and remediate issues.

2. 24/7 threat monitoring: A Security Operations Center (SOC) provides continuous, real-time monitoring of an organization’s environment to detect anomalous activity and potential threats. This vigilance is difficult for many companies to maintain internally.

3. Comprehensive visibility: By deploying endpoint detection and response (EDR), security incident and event management (SIEM), and network detection and response (NDR) tools, a Security Operations Center (SOC) gains comprehensive insight into a client’s environment to correlate data and get the full picture of what’s happening. This “visibility triad” enables better threat detection and response.

4. Remediation guidance: Beyond just identifying threats, a Security Operations Center (SOC) helps guide remediation by providing clients with both high-level and deep technical information about the issues found. They also offer recommendations on containing and resolving threats.

5. Compensating for lack of manpower: Many organizations, especially those with smaller security teams, struggle to have enough manpower to manage security operations effectively internally. Outsourcing to a Security Operations Center (SOC) service helps fill that gap.

In summary, a Security Operations Center (SOC) acts as an extension of a company’s security team, bringing the tools, expertise, and 24/7 vigilance needed to detect and respond to the evolving threat landscape – capabilities that are often lacking internally. This enables a stronger security posture.

Does it make sense to use a BAS (Breach and Attack Simulation) tool for a managed Security Operations Center (SOC) and a SOC 2 audit?

A BAS tool is typically used at the end of a cybersecurity resilience plan. It’s a great tool to have, but it’s not required for SOC 2 compliance or Security Operations Center (SOC)

What is the “Visibility Triad”

The visibility triad is a strategic framework that enhances the capabilities of a Security Operations Center (SOC) to detect, investigate, and respond to cyber threats.

It consists of three core technologies that provide security teams with in-depth visibility into their security posture and events:

1. Endpoint Detection and Response (EDR): Provides real-time insight into endpoint threats and helps block malicious activity on an organization’s laptops, desktops, and mobile devices.

2. Network Detection and Response (NDR): Analyzes network traffic to prevent lateral movement by attackers who have gained entry to the network. It leverages behavioral data for security insights and helps catch malicious insiders.

3. Security Information and Event Management (SIEM): Collects and analyzes log data from across the entire organization’s IT infrastructure. It correlates this data to find and analyze threats using customized detection rules.

The Security Operations Center (SOC) visibility triad empowers organizations to gain clearer visibility into threats and respond more effectively.

It was first introduced in a Gartner research report titled “Apply Network-Centric Approaches for Threat Detection and Response“.

Incorporating the visibility triad into the SOC’s operations, such as through Lumifi’s ShieldVision™ alerts, provides security teams with complete visibility and actionable intelligence on security issues in near real-time. This holistic approach helps strengthen an organization’s cyber defenses.

If a customer requires our business to be SOC 2 compliant, would the SOC 2 report of our SOC (Security Operations Center) provider be sufficient?

It depends on what your customer is comfortable with. For example, Lumifi’s SOC 2 report only covers its internal controls—it doesn’t include the controls of its clients.

If your customer requires your company’s processes to be SOC 2 compliant, then your business would need to get an SOC 2 audit.

Related Article: The Ultimate Guide to SOC 2 Compliance

Is penetration testing included with SOC (security operations center) services?

No, Lumify does not provide direct penetration testing but can work with partners like I.S. Partners (I.S. Partners provides penetration testing services through our cybersecurity brand, AWA International).

Does SOC (Security Operations Center) include any protection from social engineering?

Penetration testing could include social engineering in its scope, but it can be expensive and time-consuming. There’s no silver bullet to completely stop social engineering, but tools like user entity behavioral analysis (UEBA) can help detect unusual user activity that may indicate a breach.

Acknowledgments

Special thanks to James Treuting and Clayton Paplaczyk at Lumifi and our Director of Attest Services, Joe Ciancimino, for shedding light on these (often confusing) acronyms and taking the time to ensure that businesses are well-informed and prepared to tackle the cybersecurity and compliance challenges ahead.

James Treuting

Regional Director

Clayton Paplaczyk

Director of Solution Architecture & IT

Clayton is the Director of Solutions Architecture and IT at Lumifi, focused on managing security and sales engineering efforts. With a Bachelor’s Degree in Software Engineering and a Master’s Degree in Cybersecurity, Clayton has over twelve years of collective Engineering, Software Development and IT Infrastructure experience. In addition, he holds multiple certifications in Risk Assessment and System Administration.

Joe Ciancimino

Director, SOC Practice

Joe is a Director in the I.S. Partners SOC practice. He is a Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Controls (CRISC) practitioner and a member of the ISACA Philadelphia Chapter. Joe has been performing IT audit and attestation services for the last 6 years and continues to assist clients in performing a variety of engagements. These include System & Organization Controls (SOC) Reports (SOC 1/SOC 2), Information Technology and Information Systems Audits, IT General Controls / IT Application Controls Testing, ISO/IEC 27001:2013 Internal Audit/Compliance, Internal Audits on a outsourced/co-sourced basis

About Lumify & I.S. Partners

Lumifi, a leader in Managed Detection and Response (MDR) services, was founded by cybersecurity experts committed to innovation.

Their vision integrates AI assistance into MDR solutions, enhancing the capabilities of security teams. This strategic partnership between human expertise and AI ensures faster threat detection and more efficient incident response.

Lumifi’s user-friendly and adaptable services empower organizations to proactively defend against emerging threats. With a focus on continuous improvement, Lumifi’s product roadmap outlines their dedication to evolving MDR services.

By embracing innovation, Lumifi positions itself as a partner in navigating the dynamic cybersecurity landscape. Their AI-enhanced MDR services offer cost-effective solutions tailored to the unique needs of each organization.

With Lumifi, organizations can allocate resources efficiently, strengthening their cybersecurity posture and staying ahead of emerging threats.

I.S. Partners provides end-to-end compliance and risk advisory solutions including SOC, PCI DSS, HITRUST and more using a streamlined audit solution model.
By integrating with automated software, I.S Partners is able to deliver a quicker, more efficient process while…

Get a Quote Try our Compliance Checker

SOC 1®, SOC 2® and SOC 3® are registered trademarks of the AICPA (American Institute of Certified Public Accountants). The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.

About The Author

David Dunkelberger

During his 25-year career, David has successfully delivered assurance, business advisory and investigative services to the financial institutions industry, primarily commercial banks and insurance companies. Additionally, he possesses solid competencies in risk-based auditing and internal control evaluation, and has generated significant cost savings for clients engaged in Sarbanes-Oxley compliance. He has held senior positions in both public accounting and private industry.

Prior to joining IS Partners, LLC, David managed forensic investigations at a nationally-recognized accounting firm and provided fraud detection, forensic investigation and litigation support services for the FDIC.

David graduated from Temple University in Philadelphia, PA.

SOC vs SOC: Clearing the Confusion for Better Cybersecurity & Compliance

Overview

A Snapshot of SOC Audits

The Duality of SOC: Audit and Operations

Technology and Assurance – A Complementary Relationship

Forward-Thinking Security Practices

Q & A Session

Acknowledgments

About Lumify & I.S. Partners

About The Author

David Dunkelberger

Comment on this article Cancel Reply

Gain Deeper Insights

Safeguarding Against SOC 2 Automation Risks: Expert Advice

SOC 2 Bridge Letter Explained + Gap Letter Example

Everything About the SOC 2 Trust Services Criteria

Get a quote today!

Get a Customized Quote

Headquarters

Contact

Legal

Social