SOX vs SOC2

Below are the key ideas and links from this video, laid out in blog format for easy reference.

What?

  SOX: A law governing financial reporting (the Sarbanes-Oxley Act).

  SOC2: An assurance report produced by a third-party (CPA) audit of cybersecurity and privacy controls.

Why?

  SOX: Finance is about trust. Prevent, detect and deter corporate and accounting scandals.

  SOC2: Cybersecurity is also about trust. Prevent, detect and deter Internet risks.

SOX: For Trust in Financial Systems, to Have Liquidity in Capital Markets

SOC2: Customer Assurance, Transparency, Improvement

  1. Customers need trust and assurance

    • Contractual commitments

    • Security questionnaires, RFPs and vendor risk management inquiries

    • More efficient for all parties than client-specific audits

    • Demonstrates leadership

  2. Providing transparency

    • Externally and internally, for management, operators, customers and business partners

  3. Continuously improving

    • Foundation for the security and risk management program

    • Improves the maturity of controls for people, processes and technology

    • Reduces risk

Who does it?

  SOX: Publicly listed companies.

  SOC2: Service organizations such as cloud service providers, data centers, managed security service providers (MSSPs), security operations centres (SOCs), payroll processors and benefits administration providers.

Who is it for?

  SOX: Investors.

  SOC2: Customers.

Since When?

  SOX: 2002.

  SOC2: 2010 (or its equivalent under a different name, going back much earlier).

  Both sit on the same line of evolution: accounting compliance, then IT audit in finance, then cybersecurity.

How Much?

  SOX: Millions of dollars.

  SOC2: Tens or hundreds of thousands of dollars.

Too Expensive?

  SOX: No, if done well. One measure of ROI is that it enabled liquidity (trust) in capital markets.

  SOC2: No, if done well.

Regulator?

  SOX: Yes (the SEC).

  SOC2: No, but CPAs are self-regulated (the AICPA sets the standard).

Mindset?

  SOX: Business (COSO).

  SOC2: Military (DoD).

Science?

  SOX: Chemistry.

  SOC2: Chemistry with alchemy.