SOC 2 Section 3 Template

What is the SOC 2 Section 3 template?

An important part of the SOC 2 preparation is the draft of Section 3 by the service organization. Section 3 includes important information regarding the people, processes, and technology that support your product or service. Companies often write their own descriptions, which serve as an overview of the organization’s systems and controls in place.

Section 3 is arguably the most critical section of the SOC 2 report. The description of the infrastructure and boundaries of the systems would allow an external reviewer to determine whether or not your system components are effectively protecting your customer data.

There are the eight components that the AICPA recommends including in the system description:

1. Types of services provided.
2. Principal service commitments and system requirements
3. Components of the system
4. Trust services criteria and corresponding controls
5. Complementary user entity controls
6. Complementary subservice organization controls
7. System incidents
8. Significant changes to the system during the period

Before your audit starts, your auditor will ask for a section 3 report. Auditors usually have a template ready and so do we.

How do I use it?

Take a first pass at reading the template throughout and then fill out all the highlighted yellow prompts within the template accurately.

Value to the organization?

Before your audit starts, your auditor will ask for a section 3 report. We save you time by givng you a template. The template does require updates, but the heavy load of writing the template has been done for you.

Please download the template here:

SOC 2 Section 3 template