Should You Get a SOC 2 or a SOC 3 Examination?
If you’ve ever been out on the town, you might already know the different kinds of experiences you can have at a dance club.
These places have promoters that hand out flyers and such to bring in your eager bodies and your wallets, but when you get there, oftentimes you’ll see that they have separate areas for their VIPs. Prioritized for whatever reason the club has, these Very Important People often get personalized waitstaff, bottle service, and much more space to practice their moonwalk.
These places want everyone to have a good time regardless whether they’re new or important regulars–it’s just a matter of who gets what and why they get it.
It may seem a stretch to believe, but when comparing a SOC 2 report and a SOC 3, this parallel is almost exact.
Don’t worry–we’ll explain. We’ve provided all types of SOC services since the emergence of the brand back in 2011, and over the years we’ve often gotten questions about what the difference is between these two in particular. Whether you work with us or not on these services, you deserve to know which is best for you and why.
“Which one is better? Which one do I need?” Can I just get a SOC 3?”
That all probably sounds familiar, and to answer all those questions, we’re going to lay out the distinctions between SOC 2 and SOC 3 so that you will be in a better position to choose the option that suits you.
Like the dance club experience, what sets SOC 2 and SOC 3 apart from one another is the amount you get and who exactly gets it. Read on and learn why these differences are important–the new understanding you’ll glean will help you align your decision between the two with your compliance goals.
The Similarities of SOC 2 and SOC 3
Before we really get into where they diverge, we should establish what makes these two examinations fraternal twins first. You may already know that SOC 1 is set entirely apart as it evaluates a separate sort of data for an entirely different purpose, but SOC 2 and SOC 3 examinations are much closer in their actual nature.
- They’re both conducted in accordance with the SSAE 18 standard, down to the specific sections.
- Both report on your controls relevant to the Trust Services Categories of security, availability, confidentiality, processing integrity, and/or privacy.
- The work that will be done by your service auditor to complete either is very similar in nature.
- Both a SOC 2 report and a SOC 3 report can serve a beneficial purpose.
We outlined what a SOC 2 examination is in our article comparing it to SOC 1 here, in case you’d like more detail. It’s one of the most popular reporting types out there, and from what we noted above, SOC 3 may not seem so different. After all, you will be evaluated based on the same criteria no matter which you choose.
But in fact, the distinctions between these two do exist, and they will affect your choice critically.
Let’s get into why that is.
The Differences Between SOC 2 and SOC 3
All SOC examinations go through four phases that take varying amounts of time, and the key distinctions between SOC 2 and SOC 3 both stem from the last one–the reporting phase.
There’re levels to this difference too:
- SOC 2 and SOC 3 reports each contain different amounts of information.
- SOC 2 and SOC 3 reports have separate allowances when it comes to who can read each report.
It’s like we said regarding the dance club–the difference in your experience will be in the information you get (in the report) and who gets it (who you need to read it). Let’s break this down further.
The Reporting Difference Between SOC 2 and SOC 3
- If you proceed with a SOC 2 examination, the deliverable you’ll get from your auditor will contain several sections including:
- Opinion Letter: Signed letter from your auditor confirming what they examined, when, and that—in their opinion—there is reasonable assurance these systems satisfy the stated requirements.
- Assertion Letter: A letter from your organization declaring the completeness and fairness of your description of your system and the effectiveness of your controls as of a point in time or over a period of time (depending on what Type of report you opted for).
- Description of System: A detailed description of how your system is designed and how it's supposed to operate. This includes the controls governing your people, procedures, infrastructure, software and data (your controls).
- Description of System Boundaries: The scope, i.e., the extent of what is being examined as separate from everything else at your organization.
- Applicable Trust Services Criteria and Related Control Activities: Specifics on the items in place to support your controls. (For Type 2 reports, tests of those activities & the results are included too.)
- If you opt for a SOC 3 examination, your report will similarly include the aforementioned auditor’s opinion and management assertion, but it will have only an abbreviated version of the description of the system and will not include the tests the auditor performed or the results of those tests.
The Accessibility Difference Between SOC 2 and SOC 3
Now that you understand the difference in deliverables, what’s the deal with who can use each of these?
- SOC 2 reports are restricted use reports whose intended audience is specified within the report. This audience must have certain knowledge and understanding about your services and internal control limitations, among other matters defined in the report. This audience typically includes your leadership team, your customers, and your customers’ auditors, but can also include certain knowledgeable prospective customers.
- In contrast, SOC 3 reports are general use reports that can be distributed freely by you to any interested party. They’re considered formidable marketing tools that can attract new customers—even without the level of detail of a SOC 2, prospects respect this kind of approval from a credible independent auditor.
Should You Get a SOC 2 Examination or a SOC 3 Examination?
At this point, you may recognize the obvious advantages to each: a SOC 2 report contains more information but you can “hand” your SOC 3 report to anyone. So which should you choose?
We’re going to make a case for both–after all, they do each have their merits.
Why You Should Get a SOC 2 Examination
We’ve written about how your organization can benefit from investing in a SOC 2 in this article: 3 Benefits to Getting a SOC 2 Report.
We’ll reiterate here the benefits of investing in this more thorough examination.
SOC 2 is one of the most popular and widely accepted audit and compliance reports and it won’t matter that it’s restricted use to only those specified parties–if you’re looking to provide assurance to your current or specific prospective customers that your security controls are trustworthy, a completed SOC 2 examination is a weighty tool to have in your compliance belt.
Not only are many customers asking for this audit specifically, but completing a SOC 2 also opens doors to other frameworks that you may need to add to your security portfolio in future.
Why You Should Get a SOC 3 Examination
On the other hand, you may be wondering the following: yes, you can give a SOC 3 report to anyone on the street, but how can that matter when it will contain “so much less” information than a SOC 2?
Because while SOC 2 reports are restricted to certain organizations and entities, SOC 3 reports are not and therefore, you can more easily market them to your prospective customers.
SOC 3 reports do contain significantly less detail in the report itself, so one alone won’t satisfy the needs and requests of your client base wanting assurance that you’re protecting their interests. But because they do still contain useful information– like a broad overview of your organizations and the services, plus your apparent compliance posture–that can draw in new business.
Choosing Between SOC 2 and SOC 3
Investing in compliance is a big decision, and so understanding the differences between these two attractive options is important. We’ve seen organizations weigh each one on many an occasion, and we wanted to tell you what we tell them so you can be sure your choice will be the right one for you.
With that being said, we should tell you that, in our experience, most of our clients opt for one of these 2 options:
- Just a SOC 2
- Both a SOC 2 and SOC 3
Rarely do we see organizations choose only the SOC 3–that’s because if you have agreements in place that require you to provide detailed reporting on your controls and the auditors testing (in the case of a Type 2), of these two options only the SOC 2 can properly do that. That being said, because a SOC 3 requires the same planning, preparation, and testing as the SOC 2, many organizations will decide to add it on as well as a way to satisfy both their client base and appeal to new customers.
The choice is entirely up to you, but as you progress towards a final decision, you may find that you have more questions. We’d love to speak with you to settle any concerns you may have. Contact us to set up an introductory call, and we will help get you on the path to a completed SOC examination–whichever one(s) may suit you best.
About JORDAN HICKS
Jordan Hicks is the Manager of Content at Schellman. As the owner of content marketing initiatives across all digital platforms and formats, she is responsible for the ideation of content, the authoring and development of the content, as well as developing and managing the editorial calendar to ensure the marketing goals are met as it relates to content.