Realizing the benefits of SOC 2+ reporting

Jaclyn Dettloff, Vikas Sharma
3/5/2024

SOC 2+ reports are gaining traction in the market. Learn the advantages of adding a SOC 2+ report to your assurance program.

SOC reports continue to be a central component of third-party assurance programs, allowing third-party service providers to showcase their commitment to strong internal controls to their customer base through a single widely recognized and accepted report deliverable.

Yet as compliance and assurance needs continue to evolve for both service providers and their customers, many organizations are looking beyond the established SOC 1 and SOC 2 reports. SOC 2+ reports have emerged as an increasingly popular option for organizations looking to further distinguish themselves through their demonstrated focus on security and compliance.

Learn more about how SOC 2+ reporting differs from SOC 2, when this option makes sense, and how to develop a SOC 2+ reporting approach to support your organizational goals.

Dive deeper into the nuances of SOC 2+ reporting
Crowe specialists walk through the process in the webinar “Double the Value: SOC 2+ Reporting.”

SOC 2+ reports

As its name suggests, a SOC 2+ report is a variation of a SOC 2 report that incorporates a second control framework in addition to the American Institute of CPAs (AICPA) trust services criteria categories used in SOC 2 reports. The trust services categories address controls related to one or more of the following aspects of a service organization’s services and the related customer and end-user information handled as part of those services:

  • Security
  • Availability
  • Confidentiality
  • Processing integrity
  • Privacy

Including a second framework via a SOC 2+ report provides additional assurance beyond what is typically included in a SOC 2 report. As a result, third parties have greater flexibility and coverage in addressing their customers’ assurance needs, helping to reduce individual customer audit and questionnaire requests.

Here’s another advantage: While the degree of overlap between an organization’s existing SOC 2 controls and the requirements of the selected second framework varies, there is significant overlap with the most common SOC 2+ options. For most organizations, this results in a near “two-for-one” deal, as they can add a second framework that provides an in-depth view of their controls without a significant increase in effort to undergo annual SOC examination procedures or maintain ongoing compliance.

Summary of SOC 2+ benefits

For report users:
  • Same recognizable report deliverable structure as with SOC 2
  • Greater assurance from evaluation against two frameworks, with additional technical or industry-specific coverage
  • Increased coverage for vendor risk management program requirements (for example, assessments and questionnaires)

For service organizations:
  • Streamlined and integrated audit experience and report deliverable
  • Increased market credibility from highlighting depth and maturity of control environment
  • Reduced effort to manually respond to customer requests

A closer look: Second framework options

Service organizations that opt for a SOC 2+ report should select the second framework that best aligns with their industry, regulatory and compliance requirements, and customer expectations.

For example, customers might contractually require certain security practices that are mandated through a specific industry framework, such as HIPAA or the HITRUST CSF® for healthcare. By including the industry framework in a SOC 2+ report, service organizations can centrally address customer needs.

In other cases, a service organization might already have developed and aligned its information security program to an established framework, such as International Organization for Standardization (ISO) 27001 or the National Institute of Standards and Technology (NIST) Cybersecurity Framework, allowing the organization to take credit for its existing controls through a SOC 2+ report and distinguish itself from other organizations with traditional SOC 2 reports.

Following are the most common frameworks included in SOC 2+ reports, along with the key drivers for selection and the additional controls included in that framework compared to a typical SOC 2 report.

One important disclaimer for frameworks that offer certification options (for example, ISO 27001 or the HITRUST CSF): Including a certifiable framework within a SOC 2+ report will not result in certification; it will result only in an independent opinion on the controls in place to address that framework’s requirements. If a customer specifically requires certification, the service organization would need to separately pursue certification and meet the certifying body’s requirements.


HIPAA Security Rule
  • Security standards to protect personal health information (PHI)
  • Popular with service organizations within healthcare or that serve customers in healthcare
  • Most of the implementation specifications are typically covered by SOC 2 controls related to Security and Availability

Additional control requirements, by control area:
Entity-level controls
  • Employee sanctions for noncompliance
  • Enterprise data retention minimum of six years
  • Business associate agreements
IT operations
  • Facility maintenance records
  • Business continuity and contingency plans
Information protection
  • Emergency access
  • Monitoring login attempts
  • Workstation security and portable media
  • Encryption of electronic PHI


HITRUST CSF
  • Comprehensive information protection framework with control areas similar to SOC 2
  • Popular with service organizations within healthcare or that serve customers in healthcare
  • At least half of the 75 control references are typically covered by SOC 2 controls related to Security and Availability

Additional control requirements, by control area:
Entity-level controls
  • Clean desk, mobile devices, and teleworking policies
  • Independent review of information security program
  • Outsourced software development arrangements
IT operations
  • Inventories and asset management
  • Business continuity program documentation
Information protection
  • Restriction of unauthorized software
  • Audit log content and retention
  • Network segregation and sensitive system isolation
  • Secure information exchange


ISO 27001
  • Global information security standard
  • Resonates with international customers and within technology industry
  • Up to half of the Annex A controls are typically covered by SOC 2 controls related to Security, Availability, Confidentiality, and Privacy

Additional control requirements, by control area:
Entity-level controls
  • Information security management system documentation
  • Nondisclosure and confidentiality agreements
  • Supply chain management
IT operations
  • Processing redundancy
  • Project management security considerations
Information protection
  • Secure coding practices
  • Configuration management
  • Data masking
  • Web filtering


Cloud Security Alliance Cloud Controls Matrix
  • Cybersecurity control framework for cloud computing
  • Allows for greater coverage of cloud-specific security risks
  • At least half of the control specifications are typically covered by SOC 2 controls related to all five trust services categories

Additional control requirements, by control area:
Entity-level controls
  • Supply chain management
  • Data security and privacy life cycle management
IT operations
  • Endpoint management
  • Virtualization
  • Data input and output integrity routines
Information protection
  • Application programming interfaces
  • Infrastructure hardening
  • Cryptography, encryption, and key management
  • Log protection

Work with Crowe SOC specialists

Crowe brings deep expertise, agility, and responsiveness to SOC reporting. Contact us to learn more about our personalized approach and how we can meet your organization’s requirements.

Jaclyn Dettloff, Partner, IT Assurance
Vikas Sharma, Principal, IT Assurance