

SOC 1 Description Criteria

A question that trips up even experienced teams: which description criteria does a SOC 1 use? The answer — SOC 1 has no separately published criteria document. DC section 200 is SOC 2-only; SOC 1's description requirements live inside AT-C section 320 itself.

The one-line rule: DC 200 → SOC 2. AT-C 320 (¶.16–.17) + the AICPA SOC 1 Guide → SOC 1. If a SOC 1 assertion cites DC 200, something is off.

  • 0 separate DC documents for SOC 1
  • DC1–DC9: the SOC 2-only criteria
  • 500+ audits delivered by TCSA

Plain-English explainer · Cites AT-C 320 & DC section 200 · Last reviewed July 2026

SOC 1 does not have a separately published description-criteria document. The AICPA’s DC section 200 applies to SOC 2 reports only. Every SOC report contains a “description of the service organization’s system” that management asserts is fairly presented — and that assertion has to point at criteria. For SOC 2, the AICPA published those criteria as a standalone document: DC section 200, the “2018 Description Criteria” (with revised implementation guidance issued in 2022), containing nine numbered criteria. For SOC 1, no equivalent document exists — and none is needed, because AT-C section 320 builds the description requirements directly into the standard (paragraphs .16–.17), with the AICPA’s SOC 1 Guide expanding on how to apply them. Same concept, different plumbing — and a reliable way to tell whether whoever drafted your report documents knows the difference.

Side by Side

SOC 1 vs SOC 2 Description Regimes

Where the criteria live
  SOC 1: Inside the attestation standard itself, AT-C section 320 (paragraphs .16–.17), supplemented by the AICPA SOC 1 Guide.
  SOC 2: A separately published document: DC section 200, “2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report” (with revised implementation guidance, 2022).

What the controls are measured against
  SOC 1: Control objectives specified by management, relevant to user entities’ internal control over financial reporting (ICFR).
  SOC 2: The AICPA’s prescribed Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy).

How the assertion refers to criteria
  SOC 1: Management asserts the description is fairly presented based on the description criteria set out in AT-C 320 and the SOC 1 Guide (often restated in the assertion itself).
  SOC 2: Management asserts the description is presented in accordance with DC section 200, cited by name.

Number of criteria
  SOC 1: No numbered list; a set of required description elements (services, procedures, records, subservice organizations, control objectives, CUECs, and so on).
  SOC 2: Nine numbered description criteria (DC1–DC9), each with implementation guidance.

Practical Consequences

Why the Distinction Matters

  • Drafting a SOC 1 description: work from the AT-C 320 element list (services, procedures, records, non-transaction events, reporting, subservice organizations, control objectives, CUECs, control environment) — not from DC1–DC9.
  • Writing the management assertion: cite the AT-C 320-based criteria for SOC 1; cite DC section 200 for SOC 2. Mixing them up is a real finding we encounter in readiness reviews of template-drafted reports.
  • Reading a report: the criteria named in the assertion tell you instantly which report type you are holding — useful when a vendor mislabels a SOC 2 as a “SOC 1” or vice versa.
  • Dual-report programs (SOC 1 + SOC 2): expect to maintain two descriptions with different skeletons, even though large parts of the underlying system content overlap.

Description Criteria — Common Questions

Where each report type’s description requirements actually come from.

Does DC section 200 apply to SOC 1 reports?

No. DC section 200 — the AICPA’s “2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report” (with revised implementation guidance issued in 2022) — applies to SOC 2 engagements only. SOC 1 descriptions are prepared against the requirements embedded in AT-C section 320 and the guidance in the AICPA SOC 1 Guide.

So where are the SOC 1 description criteria located?

Inside the attestation standard itself. AT-C section 320 (paragraphs .16–.17) lists what management’s description of the system must cover — services and transaction classes, procedures, records, significant non-transaction events, report preparation, subservice organizations and the carve-out/inclusive choice, control objectives and controls, CUECs, and relevant control-environment components. The AICPA SOC 1 Guide expands on applying these, and management’s assertion typically restates them as the criteria used.

Why does SOC 2 get a separate criteria document but SOC 1 doesn’t?

Because of what the controls are measured against. SOC 2 evaluates controls against prescribed, framework-style Trust Services Criteria, so the AICPA published matching standalone description criteria (DC1–DC9). SOC 1’s subject matter is inherently entity-specific — management defines its own control objectives around its customers’ financial reporting — so the description requirements could be written once, generically, into AT-C 320.

What are the nine SOC 2 description criteria (DC1–DC9) at a high level?

At a high level, DC section 200 requires the SOC 2 description to cover: the types of services provided; the principal service commitments and system requirements; the components of the system (infrastructure, software, people, procedures, and data); significant system incidents that resulted from control failures; the applicable trust services criteria and related controls; complementary user entity controls; subservice organizations under the carve-out or inclusive method; any applicable trust services criteria deemed not relevant to the system; and, for Type 2 reports, significant changes to the system during the period. The exact text and implementation guidance are in the AICPA’s DC 200 publication.

What should the management assertion cite in each report?

In a SOC 2, management asserts the description is presented in accordance with DC section 200 and that controls meet the applicable Trust Services Criteria. In a SOC 1, management asserts the description is fairly presented based on the description criteria drawn from AT-C 320 (usually restated in the assertion) and that controls achieve the stated control objectives. The service auditor’s opinion mirrors the same criteria.

Related reading: the Learn hub, AT-C section 320 explained, CUECs & CSOCs, SOC 1 vs SOC 2, and our SOC 1 services guide. More terms in the compliance glossary.

Written By Expert Auditors

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Last reviewed: July 2026 · Content verified by certified lead auditors
