SOC 2 vs. SOC 3: Similarities and Differences
We often get asked by prospects and customers whether they should get a SOC 2 or SOC 3 certification, and what their similarities and differences are. So, we decided to get you the right answers straight from our kickass CISO Jose Costa (and if you've never met him before, he's a real security and compliance OG having been a former partner at PwC):
According to Jose, SOC 3 is "pretty much the same as a SOC 2 in terms of controls". Auditors perform the same work for both SOC 2 and SOC 3, so you might as well get just the SOC 2.
Compared to a SOC 2, a SOC 3 certification is "not very useful" for B2B companies, according to Jose, because a SOC 3 report doesn't share any of the details or results of the controls your auditor tested. A SOC 3 report only shows your auditor's opinion of how you did during the audit.
As a result, when your customers perform due diligence on you, they most likely won't accept a SOC 3 report. But if you're a B2C company, a SOC 3 might be good enough proof that your org follows good security practices at a high level.
Note that we don't want to dissuade you from getting a SOC 3 cert if you want it. But, as part of our mission to demystify and automate security, we want to make sure you get the candid truth.
To Get a SOC 2 or SOC 3? Or Both?
Like we've said before when advising prospects and customers, get the SOC certification that your customers have explicitly asked you to get. Now, that's not to say you should blindly follow your customers' requests. You also need to make sure that the certification (regardless of SOC 1, 2, 3, or Cyber) makes the most sense for your business.
As Liam Collins, Partner at Armanino, mentioned at our virtual roundtable, this is a prime example of when to ask your auditor to have your back! Your auditor can speak with your customer to clarify which certification is really needed AND set expectations upfront about which cert would meet both the customer's requirements and your organization's capabilities.