SOC 2 vs. SOC 3: Similarities and Differences

We often get asked by prospects and customers whether they should get a SOC 2 or SOC 3 report, and what the similarities and differences are. So we went straight to the source, our kickass CISO Jose Costa (if you've never met him, he's a real security and compliance OG, having been a partner at PwC):


According to Jose, SOC 3 is "pretty much the same as a SOC 2 in terms of controls". A SOC 3 comes out of the same engagement: the auditor tests the same controls against the same Trust Services Criteria and then issues a stripped-down, general-use version of the report. Since the work is the same either way, you might as well get the SOC 2.


Compared to a SOC 2, a SOC 3 report is "not very useful" for B2B companies, according to Jose, because a SOC 3 doesn't share the details or results of the controls your auditor tested. A SOC 3 report contains only the auditor's opinion (along with management's assertion and a brief system description), with none of the control-by-control test results that a SOC 2 lays out.

So when your customers perform due diligence on you, they most likely won't accept a SOC 3 report in place of a SOC 2. If you're a B2C company, however, a SOC 3 may be good enough: it can be shared publicly and shows, at a high level, that your org follows good security practices.

Note that we don't want to dissuade you from getting a SOC 3 report if you want one. But, as part of our mission to demystify and automate security, we want to make sure you get the candid truth.

To Get a SOC 2 or SOC 3? Or Both?

Like we've said before when advising prospects and customers, get the SOC report your customers have explicitly asked for. That's not to say you should blindly follow your customers' requests: you also need to make sure the report (whether SOC 1, SOC 2, SOC 3, or SOC for Cybersecurity) makes sense for your business.

As Liam Collins, Partner at Armanino, mentioned at our virtual roundtable, this is a prime example of where your auditor should have your back. Your auditor can speak with your customer to clarify which report is really needed, and set expectations upfront about what would satisfy both the customer's requirements and your organization's capabilities.

Regardless of whether you decide to get a SOC 2 or SOC 3, the Tugboat platform's library of policies and controls will have you ready for either (or both). You can schedule time to see the platform in action, or create a trial account to get started on your SOC (or any other) audit. Your trial account is exactly what our customers use, so what you see is what you get.
