For those or you who do not know, we will start explaining what are SOC 2 reports (sucessors to the famous SAS 70 reports). To begin with, SOC means Service Organization Controls and there are three types of them:
The difference between SOC 2 and SOC 3 reports is that, while the former includes a detailed understanding of the design of controls at service organization and tests performed by the service auditor to support his/her conclusions on the operating effectiveness of those controls, the last only provides the auditor's opinion on whether the service organization maintains effective controls over its systems. For this reason, SOC 2 reports are intended for an exclusive distribution list and are restricted-use reports (they can be distributed to any customer with the service organization's agreement), while SOC 3 reports are intended for general use and can be freely distributed via use of the AICPA SOC 3 web site.
Focusing on SOC 2 reports, it is important to mention that are also two types: Type 1 (design of controls only and only at a specific point in time) and Type 2 (design and operating effectiveness of controls covering a period of time).
Finally, all SOC 2 reports have the same content:
Ultimately, SOC 2 reports involve an effort to normalize audit reports, so that they can be reused and understood by all their potential users in the most easy way.
And although, obviously, SOC 2 reports means a big evolution, they still demands an important effort to interpret from the potential user that, in our opinion, is their main weak point because it makes the user to:
As a conclusion, although this reports could be useful in some situations, they do not solve the flexibility issue needed for this type of environments and they still require an interpretive effort and strong knowledge from the potential users of services.
From leet, as security rating agency, consider that our proposal is more intuitive and flexible, because instead of define minimum control levels, it defines a metric for vendors and users to reach a meeting point between what one needs and the other, offers.