SOC for Cybersecurity & SOC 2® for Service Organizations – An empirical study on industry’s perspective
Abstract
Businesses across the globe have been going digital, a paradigm that has been accelerated by the pandemic. This has resulted in the creation of a complex cyberspace. Further, organizations have become linked to and dependent on each other, due to increased outsourcing as well as the shift towards cloud computing. This has also led to the creation of various industry standards and frameworks that help organizations evaluate their own and their providers' practices related to system reliability, information security and cybersecurity. Amongst these, SOC2 for service organizations and SOC for Cybersecurity are two leading reports that help organizations assess system reliability and cybersecurity. AICPA recognizes that there is confusion about the applicability of these reports, and it has therefore created some guidance on how these two reports differ and how they can be leveraged by organizations. This guidance provides an inside-out perspective driven by the purpose of these reports and the methodology used to create them. The industry (practitioners, implementors, vendor managers, CXOs) perspective on the applicability and distinction of these reports was not yet available. This research brings out that industry perspective. Findings indicate that the industry perceives SOC2 demand and usefulness as high, whereas it perceives SOC for Cybersecurity demand and usefulness as low. The findings also indicate that the industry expects AICPA to simplify SOC2 reports and make them easier to understand.
Keywords:
SOC2, SOC for Cybersecurity, Systems reliability, AICPA, Trust services criteria

This work is licensed under a Creative Commons Attribution 4.0 International License.
Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.