Tired of Preparing Multiple Reports for Overlapping Compliance Requirements? SOC 2+ May be Just What the Doctor Ordered.

If you’ve ever had a compliance project in which you needed to demonstrate compliance with SOC 2 as well as one or more additional security or privacy laws or standards, you may have found the effort to be much more cumbersome and time consuming than it needed to be. You may have asked yourself, “why do we need to prepare and submit multiple compliance reports when much of the information is common to the standards we’re trying to comply with?”

The good news is that SOC 2+ can significantly streamline your compliance process by allowing you to create a single report for many of the standards you are certifying for, eliminating the need to repeat controls and results that are common to multiple standards.

In this blog post, we’ll provide an overview of SOC 2, SOC 2+, and the benefits you can achieve by moving to SOC 2+.

What Is SOC 2?

SOC 2 (System and Organization Controls) is a compliance standard that specifies how service organizations should manage customer data. Developed by the American Institute of CPAs (AICPA), a non-profit professional organization of certified public accountants, SOC 2 defines criteria for managing customer data based on five “trust service categories”: security, availability, processing integrity, confidentiality, and privacy.

SOC 2 reports are used by stakeholders and current or prospective customers to assess the suitability of your internal controls for meeting their specific needs. The reports document how your management of customer data complies with the trust service categories and criteria within.

There are two types of SOC 2 reports:

• Type 1 – Reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
• Type 2 – Reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

To achieve SOC 2 compliance, organizations must undergo a SOC 2 compliance assessment with information security specialists and the attestation must be signed by a Certified Public Accountant (CPA).

What Is SOC 2+?

AICPA allows auditors to examine, report on, and assess compliance with SOC 2 while at the same time reviewing compliance with other security and privacy laws and standards[1] such as:

• Germany’s Cloud Computing Compliance Controls Catalog (C5)
• HIPAA
• HITRUST Common Security Framework (CSF)
• CSA STAR
• ISO-27001
• NIST SP-800-53 R4
• COSO
• COBIT
• PCI DSS
• ALTA

For these multi-standard reviews, AICPA’s SOC 2 Additional Subject Matter Assessment (SOC 2+) provisions allow Type 1 or Type 2 reports to be expanded to include additional subject matters and criteria to address areas that are not covered by SOC 2 but are required by the additional standards. Areas that are common to SOC 2 and the additional standard(s) being reviewed only need to be tested once in the Type 1 or Type 2 report, which can be a big time-saver for organizations and auditors.

What Are The Benefits of SOC 2+?

By combining the audit review and reporting for SOC 2+ with other standards, organizations can realize substantial benefits, including:

• Reduced burden of staff interviews. By identifying and grouping the requirements and interview topics that are common across multiple security and privacy standards, you can substantially reduce the frequency and duration of staff interviews. You can spread interviews out over time to avoid bombarding team members with multiple interview requests at once. You can also schedule interviews around peak periods when team members are involved in other key activities.
• Streamlined testing and certification. Common testing and certification requirements, test runs, and documentation can be grouped to streamline testing and documentation efforts and ultimately expedite the certification processes.
• Synchronized controls and documentation. You can synchronize common controls and documentation across the assessment teams and reports, which significantly reduces costs and staff time required.
• Streamlined reporting. By only preparing a single report to demonstrate compliance with multiple standards, you are able to reduce reporting costs and accelerate completion of reporting.
• Reduced audit fatigue. In addition to improving operational efficiencies and reducing costs, your staff will experience a significant reduction in audit fatigue.

Tevora’s Unified Assessment Program

Tevora has helped many of the world’s leading clients use a unified approach to achieve compliance with multiple security and privacy standards—including SOC 2 and SOC audit—as part of a single, synchronized project. We’ve developed a streamlined and efficient Unified Assessment Program methodology for doing this. We would be happy to work with you to leverage our experience and methodology to implement SOC 2+ in your organization.

Additional Resources

Below are additional resources that provide a deeper dive on the topics covered in this blog post:

• AICPA Description of SOC 2+
• Tevora Case Study: Unified Assessment Program
• Tevora SOC 2 Compliance Datasheet

We Can Help

While SOC 2 and SOC 2+ were created by an accounting organization, they include detailed security and privacy requirements. As a dedicated cybersecurity firm, Tevora’s team of experienced experts can help you meet all SOC 2 and SOC 2+ requirements—including the most technical and complex security and privacy requirements—and complete the process with a CPA signed attestation . If you have questions about SOC 2+ or would like help implementing it in your organization, just give us a call at (833) 292-1609 or email us at sales@tevora.com.

---

[1] A few of these standards (e.g., ISO 27001, PCI DSS, HITRUST) will still require separate audits to be certified as third parties or specific audit reports are involved.