A SOC 3 report covers the same subject matter as a SOC 2 report. Accordingly, a SOC 2 Type 2 report is required in order to obtain a SOC 3 report. It’s not uncommon for service organizations to obtain a SOC 2 Type 2 report and then have the service auditors prepare a SOC 3 report summarizing the SOC 2 Type 2 report. This is the reason why a SOC 3 report is considered an abbreviated or redacted report.
Why do service organizations obtain SOC 3 reports? While SOC 2 reports are much more restricted and intended only for authorized parties, SOC 3 reports are intended to be presented to a general audience.
The SOC 3 report can be publicly distributed, for example on a website, to give current and potential customers assurance, trust and confidence in a service organization’s security posture without the service organization disclosing confidential information or an overwhelming amount of detail.