SOC 3 is often overlooked, largely because of common misconceptions. What is it, and why would you issue a SOC 3?
SOC 3 is often dismissed before its purpose is really considered. Some see it as a level above SOC 2, and SOC 2 is hard enough! Others who know more about it downplay its importance because, in fact, SOC 2 is more comprehensive and useful than SOC 3.
What is a SOC 3 'Report'?
Firstly, the number '3' simply indicates the order in which the SOC reporting types were released. See our SOC Types post for further information on the differences between SOC 1, SOC 2 and SOC 3. The number is no indication of the level of work involved or the rigour of the InfoSec practices. The SOC 1 and SOC 2 standards include a report that describes the system and the services provided to customers. That report often contains sensitive information about your business operations and isn't made publicly available.
For large businesses like AWS and Microsoft, it obviously becomes onerous to require NDAs from every user who wants to view the report; that prompted the introduction of SOC 3. It is simply a way of publishing the SOC 2 Type 2 auditor's opinion to general users without all the additional detail included in the SOC 2 report. That gives them confirmation of the "unqualified opinion" (achieved compliance) without needing to obtain the full report (at all, or at least initially).
Why issue a SOC 3?
There are two benefits to issuing a SOC 3 report.
The SOC 3 excludes all the sensitive content you have in a SOC 2, which makes it easy to share with your customers. You can provide it without an NDA and make it available to a broader set of customers without the friction of manually handling each request. In a lot of cases the SOC 3 is published on the website so customers can verify the opinion first hand, for their own compliance purposes or simply to verify the claim of compliance with the SOC 2 Trust Services Criteria. This is particularly useful in enterprise sales, where prospects can verify your SOC 2 compliant status as a screening consideration and look to obtain the full SOC 2 report later in the procurement process.
Adding another logo
Security and compliance logos are often treated like customer logos: the more you have, and the higher quality they are perceived to be, the better it reflects on your business. The SOC logos are highly sought after for that reason, as a qualifier of your security and control practices. Although SOC 3 provides no additional audit or assurance beyond the SOC 2, it does provide an additional AICPA logo. You often hear talk in the industry about how AWS and others have “the best security with all the qualifications; SOC 1, SOC 2, AND SOC 3”. It doesn’t mean their security is any better than a business with “just” a SOC 2, but it demonstrates the assurance in more ways, meeting customers' varying preferences and requirements for verifying it. That is perceived as additional achievement and, ultimately, better security practice. And since perceptions are especially important when it comes to sales, it can earn its place.
There's not much more to say about SOC 3. It's a small addition with a relatively small cost. It might make a significant difference in perceptions and the way you share the report with your customers, so it's worth considering.