A SOC 2 Plus Additional Subject Matter (SOC 2+) engagement allows a service auditor to assess a service organization’s compliance with the American Institute of Certified Public Accountants’ (AICPA) SOC 2 Trust Services Criteria (TSC), while at the same time reviewing compliance with other risk management frameworks, laws, standards, or regulations. SOC 2+ provides service organizations with a single, integrated internal control attestation report that addresses key areas from organizational, information technology, and regulatory controls and risks without having to go through multiple, separate audits.
The current SOC 2+ engagements that have been published for service auditor issuance by the AICPA include:
- SOC 2+ HITRUST
- SOC 2+ COBIT 5
- SOC 2+ GDPR
- SOC 2+ HIPAA
- SOC 2+ ISO/IEC 27001
- SOC 2+ NIST SP 800-53
- SOC 2+ NIST CSF
HITRUST is a company that delivers data protection standards and certification programs
HITRUST created the HITRUST Common Security Framework (HITRUST CSF), a certifiable and widely recommended framework trusted by many service organizations that create, access, store, or exchange sensitive or regulated data as a way to manage risk. HITRUST CSF certification is a way for service organizations to show that the in-scope systems within their environment meet the CSF’s rigorous standards and regulations. The CSF contains 14 control categories, made up of 49 control objectives and 156 security- and privacy-related control specifications drawn from a number of authoritative sources. Mappings between the HITRUST CSF and SOC 2 controls show that overlap exists in multiple areas, including organization and management; design, implementation, and monitoring of controls; logical and physical access; systems operations; change management; and risk management.
COBIT 5 stands for Control Objectives for Information and Related Technology
COBIT 5 is a framework built on five principles for the management and governance of information technology. It helps service organizations meet business challenges in regulatory compliance, risk management, and aligning IT strategy with organizational goals. COBIT 5 defines 37 processes, and its five principles are: 1) meeting stakeholder needs; 2) covering the enterprise end to end; 3) applying a single integrated framework; 4) enabling a holistic approach; and 5) separating governance from management. There is a strong overlap between SOC 2 and COBIT 5 regarding security, availability, confidentiality, and processing integrity controls.
GDPR stands for General Data Protection Regulation
GDPR is a European Union (EU) regulation governing data protection and privacy in the EU and the European Economic Area. The GDPR is a component of EU privacy law and of human rights law. Although the law was passed by the EU, it imposes obligations on service organizations anywhere, as long as they target or collect data relating to people in the EU. GDPR is a strong set of data protection rules that enhance how people can access information about themselves and place limits on what service organizations can do with that personal data. Seven key principles of GDPR act as an overarching framework for service organizations to implement: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability. If a service organization is subject to GDPR, the level of effort will depend largely on the maturity of the service organization and its privacy-related controls. The good news is that a service organization that undergoes a SOC 2 that includes the privacy criteria will have a majority of its controls covered for GDPR.
HIPAA is a federal law, the Health Insurance Portability and Accountability Act of 1996, that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HIPAA comprises the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule standards address the use and disclosure of individuals’ health information by service organizations subject to the Privacy Rule (known as covered entities). The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used; the law defines permitted uses and disclosures. The Security Rule was created to protect a subset of the information covered by the Privacy Rule. It focuses specifically on individually identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form, known as electronic protected health information (e-PHI), and does not apply to protected health information that is transmitted orally or in writing. The most common SOC 2+ engagement performed is SOC 2+ HIPAA. While some new controls will need to be added to the report, there are a number of overlapping controls between HIPAA and SOC 2.
ISO/IEC 27001 is governed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is an international standard that assists service organizations with managing their information security management systems and covers information security, cybersecurity, and privacy protection requirements. The standard contains 114 controls divided into 14 domains. There are a limited number of accredited ISO/IEC 27001 certification bodies at this time, and the expense of gaining certification is one reason many service organizations choose instead to perform a gap analysis with a non-accredited body. As part of a SOC 2+ ISO/IEC 27001 report, the service auditor reviews the service organization’s information security posture against the ISO/IEC 27001 control requirements that map to the SOC 2 TSC.
NIST SP 800-53
NIST SP 800-53 is a special publication (SP) cybersecurity standard and compliance framework developed by the National Institute of Standards and Technology (NIST). Revision 5 is the most recent publication and covers security and privacy controls for information systems and service organizations. It contains over 1,000 controls divided into 20 control families. As part of the SOC 2+ report, 33 security control requirements are mandatory, and a service organization can choose to add 18 additional controls covering privacy-specific requirements. The mapping between the two frameworks allows service organizations to show that the majority of the NIST SP 800-53 control descriptions are met through the SOC 2 security and privacy control requirements.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (NIST CSF) was also developed by NIST. It differs from NIST SP 800-53 in that it provides a more flexible control set that aids a service organization in creating and maintaining its information security program, whereas NIST SP 800-53 is used as a compliance measure with granular controls defined. The NIST CSF includes 108 security controls. There is a strong overlap between SOC 2 and NIST CSF regarding data security controls.
SOC 2+ Reports
SOC 2+ reports are becoming more popular across many industries because they allow service organizations to save time and money. Service organizations no longer have to engage multiple auditing firms and can efficiently complete several types of audits at the same time under one report. Being able to provide a single, integrated internal control attestation report reduces the execution time a service organization needs when assurance requests arrive from customers and their auditors. Additionally, these reports give a greater level of assurance, as the internal control requirements reviewed are required by more than one governing body.