Skip navigation

New Service Organization Control Standards Turn Two

As we celebrate the second birthday of the new SOC reporting framework, I would like to look back at the past two years and point out some trends in the application of SOC to the data center industry, writes Hassan Sultan of Reckenen.

Hassan Sultan is a partner at Reckenen, which provides SOC audits to data centers and other service organizations.


Service Organization Control (SOC) examinations, which are performed by independent auditors in order to report on the internal controls of an organization, are part of a relatively new reporting framework issued by American Institute of Certified Public Accountants (AICPA). As we celebrate the second birthday of the new SOC reporting framework (the effective date was June 15, 2011), I would like to look back at the past two years and point out some trends in the application of SOC to the data center industry.

SOC Certification Represents a Competitive Advantage

We surveyed 91 data centers about the reason why they got SOC certification. Data centers cited the following reasons.

1. The customers of the data center are asking for a SOC certification.

2. Their competitors have a SOC certification so they want one as well.

3. The data centers without SOC certification are not being invited to bid on significant contract opportunities and they feel that having a SOC certification will enable them to bid on these contracts.

When we put these reasons together, a consistent message seems to emerge; SOC certification represents a competitive advantage.

Smaller Data Centers Can Benefit, Too

Increasingly, much smaller data centers are looking into getting a SOC certification. In the past, larger data centers with staff of over 50 people have been getting SOC certifications. Recently, we have seen that much smaller data centers (with staff < 20 people) have been in the market to get SOC certification. These data centers understand that a SOC reports allows them to compete more effectively and target more significant customers.

Ninety Percent of Data Centers are Either SOC 1 or SOC 2 Compliant

In our data center survey, we found that 90 percent of the colocations are SOC compliant. Also, the research showed:

1. 82 percent of the surveyed data centers choose to get SOC 1 (SSAE 16) certification only.

2. 6 percent of the surveyed data centers choose to get SOC1 (SSAE 16) and SOC 2 certification.

3. 3 percent of the surveyed data centers got SOC 3 certification.

SOC 2 is Becoming Increasingly Popular

Based on our survey, we are noticing a shift from SOC 1 certification only towards SOC 1 and SOC 2 certification in the data center industry. In 2013, the number of data centers which got both SOC 1 and SOC 2 certification has increased by 100 percent year-over-year.

After the issuance of SOC reporting framework in 2011, most data centers which had a SAS 70 certification initially obtained SOC 1 (SSAE 16) certification. SSAE 16 is based on financial audits and isn’t very specific to the data center audit. AICPA came up with SOC 2 for service organization like colocation providers and web hosts to provide a standard benchmark by which we could potentially compare two data centers.

Recently, an increasing number of data centers are leaning towards getting SOC 2 certification in addition to SOC 1 as it covers controls over security, availability, processing integrity, confidentiality and privacy which are more relevant to data center industry. The SOC 3 is the overview of the SOC 2 for the selected controls, comes with a public seal and is able to be shared with potential clients. In future, SOC 1 coupled with SOC 2 audits are becoming the standard for data centers and cloud based service providers.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.