A closer look: Second framework options
Service organizations that opt for a SOC 2+ report should select the second framework that best aligns with their industry, regulatory and compliance requirements, and customer expectations.
For example, customers might contractually require certain security practices that are mandated through a specific industry framework, such as HIPAA or the HITRUST CSF® for healthcare. By including the industry framework in a SOC 2+ report, service organizations can centrally address customer needs.
In other cases, a service organization might already have developed and aligned its information security program to an established framework, such as International Organization for Standardization (ISO) 27001 or the National Institute of Standards and Technology (NIST) Cybersecurity Framework, allowing the organization to take credit for its existing controls through a SOC 2+ report and distinguish itself from other organizations with traditional SOC 2 reports.
Following are the most common frameworks included in SOC 2+ reports, along with the key drivers for selection and the additional controls included in that framework compared to a typical SOC 2 report.
One important disclaimer applies to frameworks that offer certification (for example, ISO 27001 or the HITRUST CSF): including a certifiable framework within a SOC 2+ report does not result in certification; it results only in an independent opinion on the controls in place to address that framework's requirements. If a customer specifically requires certification, the service organization would need to separately pursue certification and meet the certifying body's requirements.
HIPAA Security Rule

- Security standards to protect personal health information (PHI)
- Popular with service organizations within healthcare or that serve customers in healthcare
- Most of the implementation specifications typically covered by SOC 2 controls related to Security and Availability

| Control area | Additional control requirements |
| --- | --- |
| Entity-level controls | Employee sanctions for noncompliance; enterprise data retention minimum of six years; business associate agreements |
| IT operations | Facility maintenance records; business continuity and contingency plans |
| Information protection | Emergency access; monitoring of login attempts; workstation security and portable media; encryption of electronic PHI |

HITRUST CSF

- Comprehensive information protection framework with control areas similar to SOC 2
- Popular with service organizations within healthcare or that serve customers in healthcare
- At least half of the 75 control references typically covered by SOC 2 controls related to Security and Availability

| Control area | Additional control requirements |
| --- | --- |
| Entity-level controls | Clean desk, mobile device, and teleworking policies; independent review of the information security program; outsourced software development arrangements |
| IT operations | Inventories and asset management; business continuity program documentation |
| Information protection | Restriction of unauthorized software; audit log content and retention; network segregation and sensitive system isolation; secure information exchange |

ISO 27001

- Global information security standard
- Resonates with international customers and within the technology industry
- Up to half of the Annex A controls typically covered by SOC 2 controls related to Security, Availability, Confidentiality, and Privacy

| Control area | Additional control requirements |
| --- | --- |
| Entity-level controls | Information security management system documentation; nondisclosure and confidentiality agreements; supply chain management |
| IT operations | Processing redundancy; project management security considerations |
| Information protection | Secure coding practices; configuration management; data masking; web filtering |

Cloud Security Alliance Cloud Controls Matrix

- Cybersecurity control framework for cloud computing
- Allows for greater coverage of cloud-specific security risks
- At least half of the control specifications typically covered by SOC 2 controls related to all five criteria categories

| Control area | Additional control requirements |
| --- | --- |
| Entity-level controls | Supply chain management; data security and privacy life cycle management |
| IT operations | Endpoint management; virtualization; data input and output integrity routines |
| Information protection | Application programming interfaces; infrastructure hardening; cryptography, encryption, and key management; log protection |