Last Updated on April 2, 2020
If your business provides services to other businesses, chances are good you’re considering a third-party information security attestation. In today’s global marketplace, self-reported security claims increasingly do not suffice—clients, prospects, business partners and boards want stronger proof.
As Dan Schroeder, Partner-in-Charge for Information Assurance Services at Aprio LLP, said in our recent episode of The Virtual CISO Podcast, the “gold standard” for independent security attestation is ISO 27001 certification or a strong SOC 2 report. The podcast explores the choice between these two frameworks from all angles.
But that podcast also touched on a “third option”: SOC 3. Especially for organizations that have or are working towards a SOC 2 report, SOC 3 adds significant value for very little incremental cost.
What is SOC 3?
Like SOC 2, a SOC 3 report is based on the five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality and/or Privacy, depending on the scope of your report. The work that an auditor would perform during SOC 2 and SOC 3 examinations is very similar—as is the effort required to bring a business into compliance. The major difference between SOC 2 and SOC 3 is the level of detail in the report.
A SOC 2 report is extremely detailed and shares considerable confidential information about an organization. It includes the auditor’s opinion, management assertions, a full system description and detailed control descriptions, as well as results from testing the controls. Therefore, only entities under nondisclosure would typically receive a SOC 2 report. Further, a SOC 2 report can run to hundreds of pages in length and takes some skill and experience (not to mention time) to read and understand.
A SOC 3 report, in contrast, is a much shorter summary of the audit findings and supporting content. Your SOC 3 can be shared with anyone, and even made available on your website. Besides being considerably shorter and much more readable, the SOC 3 offers minimal detail on specific controls. It mainly summarizes the auditor’s opinion and management assertions, along with a short background narrative on the company.
Since the effort required to get an organization ready for a SOC 3 audit is comparable to SOC 2 audit readiness, and the same information is under consideration, companies that choose to obtain a SOC 2 Type II (“period of time”) report often ask the auditor(s) to write a SOC 3 report as an adjunct for general marketing and PR purposes. (There is no SOC 3 Type I (“point-in-time”) option.)
The value of a SOC 3 report for proving that your business is secure and compliant is considerable. In particular, it entitles you to put an AICPA/SOC seal on your website. (As an example, here is Google Cloud’s SOC 3 page online.) The seal is widely recognized as a “seal of approval” from a respected third party, and can instill instant confidence and peace of mind.
Who should consider a SOC 3 report?
If you already have or are working towards a SOC 2 Type II report, a SOC 3 report can add a powerful extra dimension to your organization’s marketing around security and privacy. It reinforces for the public both your positive SOC 2 results and your commitment to service, security and privacy. A SOC 3 report is also a great tool for your sales and marketing teams to use to drive new business.
Wondering about the best approach to a third-party security attestation for your business? Contact Pivot Point Security to connect with an expert and get your questions answered.
For more information:
- Don’t Mistake a SOC 2 Attestation for Proof of Security
- SOC 2 and ISO 27001 Dual Implementation: Does It Make Sense for Your Business?