Editor’s Note: This blog was originally written in 2016 but has been updated as of October 5, 2021 for accuracy and comprehensiveness.

Complying with the numerous standards and frameworks that exist for measuring information technology controls’ compliance can be frustrating for service organizations. Whether it's HIPAA, NIST, ISO, HITRUST, CSA, CoBIT, PCI, GDPR (fill in your favorite acronym here), not to mention the separate framework on Cybersecurity, organizations are subjected to potentially significant costs to address the preferences of individual customers and prospects. Luckily, something called a SOC 2+ Report can help—learn more:

What is a SOC report?

Check out our blog, What is a SOC Audit? for the details but essentially, a System & Organization Control (SOC) audit is a report on the internal controls at a service organization (a business who provides services to other entities). SOC audits are a great way for customers to ensure that service providers are practicing safe and secure controls and protecting personal data.

SOC 2+ Reports

Fortunately, System & Organization Control (SOC) reporting has evolved to address these competing interests mentioned in the first paragraph. The AICPA has taken steps to address this dilemma by providing service organizations and their auditors with mapping, to bridge the criteria between SOC 2 reports and some of the frameworks identified above, and the use of SOC 2 reports internationally, whereby the AICPA has expanded the SOC 2 examination to reporting in accordance with International Standards on Assurance Engagements (ISAEs) or in accordance with both the AICPA’s attestation standards and the ISAEs. These types of reports are considered “SOC 2+” reports.

Valuable Benefits of SOC 2+ Reports

The SOC 2+ report expands upon the mapping in that the auditor’s opinion is modified to include the applicable framework (in addition to the SOC 2 Trust Services Principles). SOC 2+ reports are available for the following frameworks:

• ISO 27001 (International Standards Organization)
• COBIT 5 (Control Objectives for Information and Related Technology)
• NIST 800-53 (National Institute of Standards and Technology)
• NIST CSF (Common Security Framework)
• HIPAA (Health Insurance Portability and Accountability Act)
• Cloud Security Alliance (“CSA”) Cloud Control Matrix
• HITRUST CSF (Health Information Trust Alliance Common Security Framework)
• GDPR (General Data Protection Regulation)

This is great news for service organizations since it allows them to “kill two birds with one stone”.

Utilizing the SOC2+ reports provide an excellent vehicle for these entities to address multiple frameworks under one reporting engagement, thereby eliminating potential duplication of effort of staff time, thereby substantially creating efficiencies and significantly reducing costs associated with attaining multiple certifications.

Any challenges?

The critical step in the process, however, is determining which framework(s) are appropriate and will address the majority of the user community and, perhaps, working with the user community to ensure that everyone’s objectives impacted by these projects are achieved.

If you are interested in learning more about SOC 2+ reports, our team is here to help. Reach out to us today.

It’s Cybersecurity Awareness Month! We’ll be sharing information throughout the month of October regarding your cybersecurity. Register for our webinar, Planning Your Prevention Strategy: Actionable Insights Into How Organizations Can Prepare for Security Threats.