Many small business owners and mid-sized organizations take cybersecurity seriously, especially when they carry obligations such as HIPAA or PCI DSS. Before selecting a cloud services provider, these companies perform due diligence. But when a smaller organization asks to see a vendor's SOC 2 report to confirm its data security practices, the request is often turned down. Aren't SOC 2 reports public information?
Do Organizations Share SOC 2 Reports With the Public?

SOC 2 reports, whether Type 1 or Type 2, are not public information. A vendor's website may display a trust badge that says "SOC 2 Certified" (strictly speaking, SOC 2 is an attestation, not a certification), but the company is unlikely to show you the audit report itself.
Microsoft, for example, makes its SOC 2 Type 2 reports available only to Office 365 cloud customers. Amazon likewise limits SOC 2 reports to its AWS customers, who retrieve them through the AWS Artifact portal. Many SaaS providers follow similar restrictions, typically releasing the report only under a non-disclosure agreement.
SOC 3 Reports and Compliance Information
This doesn't mean that organizations are unwilling to prove their compliance with the SOC 2 Trust Services Criteria (formerly called the trust services principles). The opposite is true. Companies are eager to advertise the strength of their security, availability, confidentiality, and privacy controls.
That's why vendors often maintain web pages that outline their commitment to SOC 2, the scope of their program, and similar compliance highlights. Some also publish SOC 3 reports, which are designed to be public documents.
Shopify takes this route. A SOC 3 report gives the auditor's opinion and a general description of the system without the control-by-control detail and test results of a SOC 2 report.
Why Aren’t SOC 2 Reports Public Information?

SOC 2 Type 1 and Type 2 reports describe an organization's specific policies, controls, and risk mitigation procedures for data security. A Type 1 report covers the design of those controls at a point in time; a Type 2 report also tests whether they operated effectively over a review period, commonly six to twelve months. Either report is the result of an audit performed by a licensed CPA firm under AICPA attestation standards.
SOC 2 Type 2 reports run to dozens of pages covering the auditor's inspections, interviews, and document reviews. The finalized report contains the auditor's opinion, management's assertion, a description of the system, and the results of each control test, which means it documents the system's weaknesses as well as its strengths.
The document reads like a SOC 2 checklist, often listing control exceptions, the corrective actions management took in response, the specific technologies used for risk mitigation, and other sensitive details about the environment.
Cybercriminals would love to get their hands on this information. Knowing which security tools a target runs, how they are configured, and which controls failed testing would be a gold mine for planning an attack.
Should You Share a SOC 2 Report?
If your business is on the other side of the coin, you may wonder if sharing a SOC 2 report is a good idea. The answer depends on who is asking for it.
It's normal for business customers to request a copy. They may even be the reason you pursued a SOC 2 attestation in the first place.
Make SOC 2 Type 2 reports available to legitimate clients on request, and release them under a non-disclosure agreement. Keep in mind that a report covers a fixed review period and is generally treated as current for about twelve months after that period ends; if a customer asks during the gap before the next report is issued, a bridge letter from management covering the interim is the usual answer.
For leads and the general public, keep your specific controls and cybersecurity procedures vague. Show what you can do, not how you do it.
Follow Best Practices for SOC 2 Reports

At Compyl, we’re experts in SOC 2, HITRUST, PCI DSS, and other cybersecurity frameworks. Our advanced data tracking and compliance automation platform has helped countless organizations maintain SOC 2 compliance year after year.
Contact us to learn more about the SOC 2 attestation process and how Compyl can simplify it for your organization.