What Is a SOC 3® Report & Do You Need One? [+ Example]
A study by ISACA found that more than one in three consumers in the US, UK, Australia, and India have had their personal information stolen by cyber criminals.
The prevalence of cyber crime has significantly impacted consumer confidence in organizations’ ability to keep their data safe. As a result, 69% of consumers surveyed said they believe companies should be independently graded on data security practices and the scores shared with the public.
One way your organization can meet this expectation and build trust with consumers is by getting a SOC 3®. SOC 3 stands for Service Organizational Control 3 Report.
Below we’ll cover what this report is and how it differs from a SOC 2® report.
What is a SOC 3® report?
Like a SOC 2 report, a SOC 3 report addresses controls relevant to the Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy. However, it is a more concise and high-level version of a SOC 2 Type II report intended for public consumption.
Because it does not provide confidential information or as much detail as a SOC 2 report, a SOC 3 report can be released publicly and is often used as marketing material.
Let’s take a closer look at the difference between SOC 3 and SOC 2 reports below.
SOC 3 vs SOC 2 report
Both SOC 3 and SOC 2 compliance involve a CPA audit and rigorous testing of an organization’s security controls to assess whether they meet SSAE 18 standards, as outlined by the AICPA.
If the CPA attests that the controls put in place are designed and operating correctly, then they’ll issue a SOC 2 and/or SOC 3 report. The organization can then use the report as third-party validation that it is undertaking all security best practices for service providers tasked with handling customer data.
The key difference between SOC 3 and SOC 2 reports is how exactly organizations can use them. While organizations can post their SOC 3 report on their website or distribute them in another way to customers and prospects freely, organizations cannot do the same with SOC 2 reports.
SOC 2 reports contain some confidential information about the organization’s system and controls and detailed information about the auditor’s tests, procedures, and results and therefore cannot be released publicly. Most organizations share these reports only with customers and prospects that request it and agree to sign a non-disclosure agreement (NDA).
Below is a high-level overview of the differences between SOC 3 and SOC 2 reports.
|SOC 3||SOC 2|
|Reporting type||Type II reports only||Type I and II reports available|
|Report contents||Includes the auditor’s opinion and management assertion only||Include detailed descriptions of the system and auditor’s control tests, test procedures, and/or test results in addition to the auditor’s opinion and management assertion|
|Report use||Can be freely distributed or posted on an organization’s website||Typically shared only with customers and prospects under an NDA|
When should I consider getting a SOC 3®?
If you’re a service organization that provides services directly to consumers (B2C) or to businesses and consumers (B2B2C), then you should consider getting a SOC 3 report.
Since a SOC 3 report does not contain a description of the system, it is a similar but shorter alternative to SOC 2 that is more likely to be understood by the general public.
You can therefore use this report for marketing purposes or otherwise make it freely available to customers and prospects to assure them about the effectiveness of your controls relevant to any applicable TSC and build trust — without requiring them to have sufficient knowledge about the system or sign an NDA.
Can I get a SOC 3® instead of a SOC 2®?
Rather than get a SOC 3 report only, you should consider getting a SOC 2 report and a SOC 3 report as a supplement.
While a SOC 3 report can be hugely beneficial when a prospect is trying to decide whether to engage with a service organization, it will likely not provide enough detail to satisfy customers or auditors.
Also, the scope and level of testing of SOC 2 and SOC 3 examinations are generally the same.
For these reasons, you can request the auditor issue both a SOC 2 and SOC 3 report at the end of the examination. The SOC 2 will meet the needs of existing customers, while the SOC 3 will meet the needs of a broader set of consumers who are interested in learning more about your organization.
The Ultimate Guide to SOC 2®
Learn everything you need to know about achieving SOC 2 compliance fast.
What are the contents of a SOC 3® report?
A SOC 3 report contains only two elements. These are described below.
1. Management assertion
The management assertion is a letter from the service organization’s management asserting that they believe the controls in the report were effective throughout the reporting window.
In connection with the assertion, management will also describe the boundaries of the system and the organization’s principal service commitments and system requirements. Usually included as attachments or a separate section in the report, this information enables report users to understand the scope of the SOC 3 examination and how management evaluated the effectiveness of controls based on the applicable TSC.
2. Auditor’s opinion
The auditor’s opinion is a letter from the auditor. In the letter, the auditor will briefly summarize the SOC examination, including the audit’s scope and time period, and provide their final opinion on whether the management’s assertion was fairly stated based on the applicable TSC.
SOC 3® report example
Grammarly made one of their SOC 3 reports freely available online. This report, outlined below, attested to Grammarly’s controls relevant to security, availability, confidentiality, and privacy for the period April 1, 2021 to March 31, 2022. Let’s take a closer look below.
Section I: Management assertion
In the first section, Grammarly’s management asserts its responsibilities and that its security controls were effective throughout the reporting period. This takes up one page.
Section II: Auditor’s opinion
Next is the auditor’s opinion letter, which states that Grammarly’s controls relevant to the applicable TSC (security, availability, confidentiality, and privacy) were effective throughout the testing period. It also briefly describes the audit scope, management’s responsibilities, their responsibilities as the audit firm, and the inherent limitations of controls as well as the audit.
This takes up two pages and is signed by the audit firm.
Attachment A: Description of the boundaries of the system and principal service commitments and system requirements
The first attachment is a summary of the boundaries of Grammarly’s system, including background on the company, a product overview, the organizational structure of the company, a list of supporting software and services, and more. It is the longest section, totalling 16 pages.
Attachment B: Description of the organization’s principal service commitments and system requirements
The next attachment details Grammarly’s principal service commitments and system requirements. These include product security, system availability, data security and confidentiality, and privacy commitments to user entities.
How to get a SOC 3® report
A SOC 3 report is generated by a SOC audit conducted by a CPA or an AICPA-accredited organization. Here are the steps you need to take to get one.
Step 1: Determine the SOC report you need.
For a SOC 3 report, the management’s responsibilities are substantially the same as those for a SOC 2 report. The only difference is that management does not need to prepare a system description.
However, since the procedures performed in a SOC 2 examination are substantially the same as those performed in a SOC 3 examination, you can request the auditor issue both reports at the end of the examination. This will require management to prepare a management assertion, including the disclosure of the boundaries of the system and the organization’s principal service commitments and system requirements, as well as a system description.
If you decide to pursue a SOC 2 and SOC 3 report, then you can use our SOC 2 self-assessment checklist to assess your readiness for the examination.
SOC 2® Self-Assessment Checklist
Use this step-by-step checklist to assess your SOC 2 and SOC 3 audit readiness.
Step 2: Fulfill management’s responsibilities.
To prepare for a SOC 3 examination, management must fulfill the following responsibilities:
- Define the scope of the examination
- Describe the principal service commitments made to user entities
- Describe the system requirements needed to operate the system
- Identify and analyze risks that could prevent the organization meeting its service commitments or system requirements
- Design, implement, monitor, and document effective controls for achieving the organization’s service commitments and system requirements based on the applicable TSC
Step 3: Choose your auditor.
Finally, you’ll need to choose your auditor. Evaluating them based on their accreditation, experience, process, and reputation can help you select one that meets your needs.
The auditor will spend anywhere from a few weeks to several months working with your team before producing a SOC 3 report. If the auditor believes management’s assertion was fairly stated based on the applicable TSC, congratulations! You can now post your SOC 3 report on your website or distribute it in another way.
How Secureframe can help you get a SOC 3® report
Secureframe can not only help you decide whether your business needs a SOC 3 report — we can also help you get it faster.
We save teams hundreds of hours and thousands of dollars spent writing security policies, collecting evidence, hiring security consultants, and performing readiness assessments. And because Secureframe continuously monitors your infrastructure and alerts you of vulnerabilities, you’ll be able to get and stay SOC 3 compliant easier and faster.
Request a demo to learn more about how we can help you get a SOC 3 report.
What is a SOC 3 report?
A SOC 3 report is a public report of internal controls relevant to the trust services criteria (TSC): security, availability, processing integrity, confidentiality, and/or privacy. To get one, organizations must undergo a CPA audit and rigorous testing of their controls to assess whether they meet SSAE 18 standards, as outlined by the AICPA.
What is the difference between SOC 2 and SOC 3 reports?
Both SOC 2 and SOC 3 reports address controls relevant to security, availability, processing integrity, confidentiality, and/or privacy. The key difference is that SOC 3 reports do not provide confidential information or as much detail as SOC 2 reports so they can be released publicly. SOC 2 reports are typically only shared with customers and prospects that request it and agree to sign a non-disclosure agreement (NDA).
Is SOC 3 better than SOC 2?
SOC 3 is not inherently better than SOC 2, but it is better for marketing purposes. Since it is a similar but shorter alternative to SOC 2, it is more likely to be understood by the general public. It also doesn't contain detailed descriptions of the system and auditor’s control tests, test procedures, and/or test results so it can also be distributed or posted on an organization’s website. This makes SOC 3 ideal for service organization that provides services directly to consumers (B2C) or to businesses and consumers (B2B2C).
SOC 1®, SOC 2® and SOC 3® are registered trademarks of the American Institute of Certified Public Accountants in the United States. The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.