SOC 2+ is growing in popularity as a way to combine a commonly accepted information security standard with other specific requirements.
The SOC 2 Trust Services Criteria combine the Common Criteria (33) for information security with optional criteria covering Availability (3), Confidentiality (2), Processing Integrity (5), and Privacy (23). SOC 2 is often referred to as the most commonly accepted standard; it is general purpose in nature and already covers a lot of ground across the five criteria areas.
The underlying attestation standards (AT-C 105 and 205, ASAE 3150, ISAE 3000) are also very flexible for reporting over other requirements, criteria, and even regulations. These standards set out how audit firms can specify the criteria or control objectives in a report, and then communicate a service organisation's controls that meet those objectives. A common way to use that flexibility is the so-called "SOC 2+", which includes both the Trust Services Criteria and additional objectives like:
- HIPAA: The Health Insurance Portability and Accountability Act
- CDR: Australia's Consumer Data Right Accreditation for Open Data
- CSA STAR Level Two: Cloud Security Alliance Certification
- GDPR: General Data Protection Regulation (EU)
- CCPA: California Consumer Privacy Act
- ESG: Environmental, Social, Governance (Sustainability Reporting)
- Financial: Specific objectives related to financial reporting
- Service assurance: Specific objectives related to committed services
... and many more!
How does SOC 2+ work?
SOC 2+ is really easy to implement, especially when using software like our award-winning readiness assessment, which maps a tailored set of your controls across multiple selected standards. Using that, or manually compiling your own framework, you set out the control activities that meet the SOC 2 criteria as well as any "+" objectives you want to include in the report. Ideally that won't involve any duplication, which is one of the key benefits of how our software works. Then you complete the audit of those controls, prepare the system description, and issue the SOC 2+ report that covers both (or all) areas selected for inclusion.
Are there challenges with SOC 2+?
The main challenge we see is businesses planning what to include in a SOC 2+ report and lining it up with their business goals and timing. For example, we commonly do SOC 2+ HIPAA and SOC 2+ CDR.
In a lot of cases, this is a single reporting plan tied to two separate requirements and business goals. In the case of HIPAA, that might be satisfying a specific enterprise healthcare customer to land a licensing deal. For CDR, that's becoming accredited to use open data sharing. In both cases, SOC 2 is often driven by a broader market focus and satisfying enterprise customers.
Those variances can lead to different priorities. If one part is more urgent and the work involved in the other part could hold it up, that can cause planning headaches. We address this challenge by offering some flexibility to de-couple the two areas and business goals. We can issue a separate SOC 2 report, HIPAA report, and/or ASAE 3150 report for CDR attestation, if required, rather than the combined SOC 2+ approach.
How do you use a SOC 2+ report?
A SOC 2+ report is simply a combined version of SOC 2 and the additional area(s) you include, so it's used the same way. You share the SOC 2 report with existing customers, prospects, partners, and whoever else you need, under an NDA and appropriate terms.
The additional part is used where relevant, by sharing the same report. For SOC 2+ CDR, the report is given to the ACCC for accreditation or to a CDR Principal for a CDR Representative arrangement. For SOC 2+ CSA, the report is provided to CSA for accreditation to the CSA STAR Level 2 attestation standard. For SOC 2+ HIPAA, it's given to enterprise customers; some may not care as much about HIPAA, but it's there for those that do.
How do you get started with a SOC 2+ plan?
Our recommendation is to have a chat with us. We work with lots of cloud software companies, and regularly speak to enterprises, regulators, and others about the state of the market.
We can guide you on which areas are beneficial to your industry, your customers' needs, and your business goals. Based on the huge overlap between standards, and the flexibility of this SOC 2+ approach, we offer bundles of standards to help our clients remove the headache of picking which ONE standard is best for them.
By covering multiple in a SOC 2+ approach, you gain major efficiencies, demonstrate a higher commitment to data security and privacy, and cover more bases in what your customers and prospects want to see. That removes the friction for enterprise sales so you can grow your business.
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2, and more!). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.