SOC 3 isn’t an upgrade over the SOC 2 report. It may have some of the components of SOC 2, but it is an entirely different ball game. SOC 3 is a public-facing, summarized version of a SOC 2 Type 1 or 2 report. It is not as detailed as the internal SOC 2 report: it is a less technical audit report with a seal of approval which can be put up on your company’s website. Because it is less detailed and less technical, it might not contain the same level of internal detail about business processes and operational controls as one might require for a deep dive into all security controls. A SOC 3 is often created from a SOC 2 report for external consumption by third parties and clients.
Can I request a SOC Report from a Provider?
Yes, and you should. Any business should request and analyze a SOC report from prospective vendors. It’s a valuable piece of information for verifying that adequate controls are in place and that those controls actually work effectively.
Source: InfoSecurity Magazine