Can you have a SOC 3 without a SOC 2?

A Service Organization Control (SOC) report is an important assurance mechanism that helps organizations demonstrate their commitment to effective security and privacy controls. There are different types of SOC reports, including SOC 1, SOC 2, and SOC 3. While SOC 2 and SOC 3 reports share some similarities, they also have distinct characteristics.

SOC 2: A Deeper Look

SOC 2 reports focus on a service organization's controls relevant to one or more Trust Services Criteria (TSC), which include security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports provide detailed information about the design and effectiveness of these controls and are intended for restricted distribution to stakeholders who need a deeper understanding of the organization's security posture.

SOC 3: A Summary Report

SOC 3 reports, on the other hand, provide a high-level summary of an organization's controls without disclosing specific details about the control activities. They are designed for public distribution and can be used as marketing tools to assure customers and other stakeholders that the organization has implemented appropriate controls to safeguard their data. SOC 3 reports include an opinion from an independent auditor and a seal of compliance that can be displayed on the organization's website.

Interdependencies: SOC 3 and SOC 2

In most cases, organizations will pursue a SOC 2 examination prior to obtaining a SOC 3 report. The SOC 2 examination serves as a foundation for the SOC 3 report because it provides a comprehensive evaluation of the controls in place. The SOC 3 report acts as a "bridge" between the more technical SOC 2 report and the general public. It distills the essential information from the SOC 2 report into an easier-to-understand format.

While it is technically possible to have a SOC 3 report without a SOC 2, it may not be the most practical approach. Without a SOC 2 examination, organizations might struggle to provide the necessary level of detail and assurance in their SOC 3 report. However, the decision to pursue either report ultimately depends on the organization's specific needs and requirements, as well as the preferences of its stakeholders.

In conclusion, SOC 3 reports offer a simplified summary of an organization's controls, while SOC 2 reports provide more detailed information about those controls. While having a SOC 2 examination is not a strict requirement for obtaining a SOC 3 report, it is generally recommended to ensure comprehensive assurance and transparency.