As a society, we are heading into a digital age where more and more services are being made available online. While this makes our lives more convenient, it also means that more and more data is now being stored online or in the cloud. Most organizations that we work with do not have the expertise or infrastructure in information systems to handle the data that is being generated and, therefore, outsource the data handling, storage and processing to specialist companies. The Trust Services Principles list some of the most important criteria for data storage that service-providing companies must adhere to.
A SOC 2 report usually reviews the infrastructure and controls put in place by a service organization in compliance with the Trust Services Principles. The SOC 2 Type I report also comments on the suitability of the controls put in place by the service organization for the services it provides and the clients it works with. The more detailed SOC 2 Type II report actually tests these controls for their effectiveness in real-life scenarios and over a prolonged period of time, to confirm that the service organization follows them in its day-to-day practice. The Type II report contains all the details of the tests carried out and the service organization's performance in those tests, on the basis of which it was given a clearance in the audit. Thus, the Type II report contains sensitive information about the infrastructure and controls of the service organization that can only be viewed by its clients, who can then make their recommendations to the service organization depending on their own requirements.
Given the sensitivity of the information in the SOC 2 reports, and the malicious intent of wrongdoers on the internet who are always seeking a gap in information systems that they can exploit for their own benefit, a service organization cannot share its SOC 2 audit report with prospective clients. Successfully completing a SOC 2 audit is an extremely challenging task on which companies spend a lot of resources. Not only is the report proof of their compliance with the Trust Services Principles, it also gives them a competitive edge over similar companies that have not completed this audit.
The SOC 3 audit report is a redacted version of the SOC 2 Type II audit report that allows service organizations to publicly share sufficient information about their information system infrastructure, controls and their effectiveness, without jeopardizing any of their clients or their own infrastructure. This report can be shared on their website or along with their marketing material or project applications without any risk to the data that they are storing or processing. The SOC 3 report is also a good option for potential customers who want to verify that the service organization has completed a SOC 2 Type II audit but are not technically competent to make effective use of the full audit report. Typically, a SOC 3 audit report contains all the information that is available in the SOC 2 report except anything that is proprietary or confidential in nature.