SOC 3 Report
A SOC 3 report is a general-purpose report covering the internal controls at a service organization relevant to Security, Availability, Confidentiality, Processing Integrity or Privacy.
Service organizations sometimes require a SOC 3 report that can be shared with a general audience and used as a marketing tool to provide assurance to potential customers.
Build Trust, Confidence And Reputation
Why Get A SOC 3
A General Purpose Report
A SOC 3 report covers the same subject matter as a SOC 2 report. Accordingly, a SOC 2 Type 2 report is required in order to obtain a SOC 3 report. It’s not uncommon for service organizations to obtain a SOC 2 Type 2 report and then have the service auditors prepare a SOC 3 report summarizing the SOC 2 Type 2 report. This is the reason why a SOC 3 report is considered an abbreviated or redacted report.
Why do service organizations obtain SOC 3 reports? While SOC 2 reports are much more restricted and intended only for authorized parties, SOC 3 reports are intended to be presented to a general audience.
The SOC 3 report can be publicly distributed, for example on a website, to provide current and potential customers with assurance, trust and confidence in a service organization’s security posture without the service organization disclosing an overwhelming amount of information or any confidential information.
Google Cloud, AWS, and Microsoft exhibit their SOC 3 reports on their websites with a seal that indicates compliance.