Management, compliance & auditing

SOC 3 compliance: Everything your organization needs to know

What does SOC 3 stand for?

SOC 3 stands for System and Organization Organization Controls (SOC) 3. The American Institute of CPAs has defined a few different SOC certifications, of which SOC 3 is one.

What is SOC 3 compliance?

A service organization may seek SOC 3 compliance to demonstrate its ability to provide certain services to the general public. The AICPA defines five Trust Services Criteria (TSCs) for SOC 3 compliance, including:

• Security
• Confidentiality
• Availability
• Processing integrity
• Privacy

During an SOC 3 compliance audit, an organization may choose to have the CPA performing the audit test its controls for one or more of these TSCs. The Security TSC is required for all audits, but a company may choose to be assessed against any or all of the remaining four. For example, a cloud services provider may elect to be tested against the Availability TSC to demonstrate that it provides a reliable service to its customers.

What is an SOC 3 report?

An SOC auditor generates an SOC 3 report to attest that an organization has completed a third-party assessment by a CPA firm and has been found to comply with the requirements of the desired TSCs. This report can then be presented to customers to build confidence and trust in the provider’s services.

SOC reports are intended for distribution to the general public. For example, AWS includes its SOC 3 report as a publicly accessible download.

ISO 27001 vs SOC 3

ISO 27001 and SOC 3 are designed to evaluate a service provider’s ability to securely provide contracted services. Significant overlap exists between the security controls for both standards, and the AICPA has provided mappings between the 2017 SOC TSCs and ISO 27001 and other frameworks.

However, these two certifications do differ in a few different ways. The two standards include different required controls developed by various organizations and have other processes for achieving compliance and renewal requirements.

A major difference between ISO 27001 and SOC 3 is that they are largely intended for different audiences. In most cases, companies pursue an ISO 27001 certification to validate their data security controls to corporate customers, auditors, stakeholders, etc. In contrast, an SOC 3 report provides a high-level attestation of compliance designed for consumption by the general public.

SOC 1 vs. SOC 3

SOC 1 and SOC 3 are both standards developed by the AICPA. However, these two standards are designed to evaluate different factors and are intended for different audiences.

SOC 1 is focused on how a service provider’s business may impact the financial reporting of its customers. For example, if a company outsourced payment processing to a third-party provider, its customers have financial implications. An SOC 1 report verifies that a service provider has the necessary controls in place and is intended for a professional audience.

In contrast, SOC 3 compliance is designed to build trust and confidence in a service provider’s ability to provide a service while properly protecting data entrusted to it. Additionally, SOC 3 reports are intended for the general public, not a professional audience.

SOC 2 vs. SOC 3

SOC 2 and SOC 3 compliance are much more similar than SOC 1 and SOC 3. Both are designed to evaluate a service provider against the same set of TSCs defined by the AICPA.

That said, SOC 2 and SOC 3 differ in a few major ways, including:

• Report types: SOC 2 (and SOC 1) have Type 1 and Type 2 reports. A Type 1 report provides a snapshot of compliance for single security control. A Type 2 report involves testing a service provider’s controls over a set period (six months, a year etc.). While companies can choose between Type 1 and Type 2 compliance for SOC 2, all SOC 3 reports are “Type 2” with an extended evaluation period.
• Intended audience: Like an SOC 1 and ISO 27001 report, SOC 2 reports are for a professional audience.If a corporate customer requests the right to audit an organization’s operations, a service provider may respond to an SOC 2 report. In contrast, an SOC 3 report is designed to be posted on a website for public consumption.

SOC 3 compliance checklist

No formal checklist exists for preparing for an SOC 3 audit. Some important steps to take include:

• Choose the right report: SOC 3 reports are intended for a general audience. To demonstrate compliance to a corporate customer or auditor or if your organization deals with financial data in any way, choose an SOC 1 or SOC 2 audit instead.
• Select TSCs: SOC 3 compliance only requires an assessment against the Security TSC. However, other TSCs may also be relevant for your organization.
• Identify regulatory crossovers: many SOC 3 compliance requirements are shared with other regulations. Take advantage of the AICPA’s cross-regulatory mappings to simplify the compliance process.
• Perform a gap analysis: the compliance requirements for each TSC are published by the AICPA. While these do not mandate specific controls, you should be able to demonstrate to an auditor that you have controls in place to meet each requirement.
• Close the gaps: before undergoing an audit, implement any missing policies, procedures or controls identified during the gap assessment.
• Engage an auditor: CPA firms perform SOC 3 audits. Ideally, look for one with experience in SOC audits within your particular industry.

 

Sources

• SOC 1 vs. SOC 2 vs. SOC 3, WorkOS
• System & Organization Controls (SOC) Reporting, Baker Tilly
• SOC 3 Report, AWS
• Mappings Relevant to the SOC Suite of Services, AICPA
• Compliance, ScaleMatrix
• 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, AICPA