Service Organization Compliance - So Many Frameworks, So Little Time
posted Jul 12, 2016 by Daniel M. Andrea, CPA, CITP, CISA in the Business Blog
I frequently speak with clients and service organizations who express their frustration over the numerous standards and frameworks that exist for measuring compliance of information technology controls. Whether it's HIPAA, NIST, ISO, HITRUST, CSA, COBIT, PCI, (fill in your favorite acronym here), organizations are subjected to potentially significant costs in addressing the preferences of individual customers and prospects. Luckily, something called a SOC 2+ Report can help—learn more:
SOC 2+ Reports
Fortunately, Service Organization Control (SOC) reporting has evolved to address these competing interests. The AICPA has taken steps to address this dilemma by providing service organizations and their auditors with mapping to bridge the criteria between SOC 2 reports and some of the frameworks identified above. These types of reports are considered “SOC 2+” reports.
Valuable Benefits of SOC 2+ Reports
The SOC 2+ report expands upon the mapping in that the auditor’s opinion is modified to include the applicable framework (in addition to the SOC 2 Trust Services Principles). SOC 2+ reports are available for the following frameworks:
ISO 27001 (International Standards Organization)
COBIT 5 (Control Objectives for Information and Related Technology)
NIST 800-53 R4 (National Institute of Standards and Technology)
HIPAA (Health Insurance Portability and Accountability Act)
Cloud Security Alliance (“CSA”) Cloud Control Matrix
HITRUST (Health Information Trust Alliance)
This is great news for service organizations since it allows them to “kill two birds with one stone”.
Utilizing SOC 2+ reports provides an excellent vehicle for these entities to address multiple frameworks under one reporting engagement, thereby eliminating potential duplication of staff time and significantly reducing the costs associated with attaining multiple certifications.
The critical step in the process, however, is determining which framework(s) are appropriate and will address the majority of the user community and, perhaps, working with the user community to ensure that everyone's objectives affected by these projects are achieved.
If you are interested in learning more about SOC 2+ reports, my team and I are here to help.