Why Add Additional SOC 2 Criteria?
SOC 2 | SOC | HITRUST | NIST SP 800-Series | CSA STAR
Think about those a la carte sushi restaurants—the very cool ones with the circulating conveyor belts that let you select different dishes as they suit your fancy.
Maybe your go-to is always California rolls, but you spot some delicious-looking Rainbow Rolls so you grab those one time. Or maybe you’re craving a Spicy Tuna roll, so you add that to your plate.
Even if sushi is not quite your taste, you’d probably agree that SOC 2 audits are even less appetizing. Aside from the actual, in-depth audit process, they also require you to make a lot of decisions first, and it’s just added stress.
That’s why you want to ensure that you take the audit path most helpful to you, and that includes the right criteria. SOC 2 functions a lot like that sushi conveyor belt—you have a lot of potential options.
And we don’t just mean the SOC 2 Trust Services Categories (TSCs) that you have to select from to form the basis of your examination. We mean adding what is technically known as additional “subject matter.”
For simplicity’s sake, we’ll just refer to it as “additional criteria.”
If you didn’t know it was possible to add more to your SOC 2 audit, don’t worry—we’re going to help you understand right now. Depending on your particular systems or needs, you do have options and we will outline those in this article.
By the end, you’ll have a better grasp of what we mean—more definitively—by additional criteria and what all your choices are. Not only that, but you’ll also have a sense of why organizations choose to go this route and whether it makes sense for you too.
What are the SOC 2 Criteria?
First, let’s establish your baseline. As we mentioned previously, your will build your SOC 2 upon Trust Service Criteria (TSC) that you choose. You can choose from categories of security, availability, processing integrity, confidentiality, and privacy.
At a minimum, you’ll have to incorporate the common criteria included in the Security category. Based upon the service commitments and system requirements you’ve provided to customers related to your scoped services or system, you can choose to add from the other four.
Similarly, it’s also completely up to you whether to add further additional criteria beyond those categories to your SOC 2.
What are the Additional Criteria You Can Add to Your SOC 2 Examination?
If you are interested in expanding your SOC 2, additional criteria are typically derived from the requirements of an IT control framework. Your auditor will assess you against those requirements alongside your SOC 2 criteria and you’ll receive the results in one report.
But what are these frameworks that you can use? While not an exhaustive list, we’ve outlined three options for additional criteria that you may consider adding to your SOC 2 report.
1. HITRUST Common Security Framework (HITRUST CSF)
- How It Can Help: Being assessed against the HITRUST CSF can provide assurance that you’re meeting the guidelines of the HIPAA laws and regulations regarding the transmission, processing, and storage of protected health information. Adding these criteria can showcase your commitments to the protection of electronic protected health information (ePHI) from a security, confidentiality, and privacy perspective.
- Who It Can Help: Organizations looking to host or process ePHI on behalf of a healthcare organization may want to provide both the results of a SOC 2 examination and a HITRUST examination to their customers.
2. Cloud Security Alliance Security, Trust, Assurance, and Risk Attestation (CSA STAR)
- How It Can Help: The AICPA collaborated with CSA to develop and provide guidelines for CPAs to conduct SOC 2 engagements using both the AICPA Trust Service Principles and the CSA Cloud Controls Matrix (CCM). The CSA STAR Attestation must be renewed on an annual basis, which often lines up with the selected period for a Type 2 SOC 2 report.
- Who It Can Help: If you’re using a cloud service provider (CSP) and want a better understanding of the maturity of their security programs, adding these additional criteria may provide additional assurance in that area.
3. NIST SP 800-53 Risk Management Framework
- How It Can Help: NIST SP 800-53 covers a series of control families and requirements that guide compliance with the Federal Information Security Management Act (FISMA). You can indicate the security level of the data stored on your system—low, moderate, or high—to further provide context for the controls in place to meet each SP 800-53 requirement.
- Who It Can Help: Adding the NIST SP 800-53 criteria to a SOC 2 report may be especially beneficial to those wishing to do business with federal government agencies or government contractors. Your adherence to these criteria—beyond that of a standalone SOC 2 report—would not only provide additional assurance to these agencies and contractors, but it would also give them a helpful understanding of the level of data security you have.
If you should choose to add one of these frameworks—or another option we have not outlined here—you should also know that the additional set of criteria will be tested and opined upon in the same manner as that within the SOC 2 examination.
Let’s say you engaged an auditor to perform a Type 2 SOC 2 audit on your system. Then, you decided to add additional criteria to the report regarding your adherence to the CSA CCM. Your auditor would test your scoped system or services against the CCM criteria for operating effectiveness over a period of time the same way they would test controls in the SOC 2 criteria.
Alternatively, in a Type 1 report, your auditor would only test the controls for the design and implementation of the controls at a specified point in time for both the SOC 2 criteria and the additional criteria.
Which Additional Criteria are Right for Your Organization?
The big question is whether any of this is right for you. Should you stick with a standard SOC 2 or not?
Here’s the easy answer. Like those requests from your customers for your SOC 2 results, their requests for other, specific assurances should also drive whether you do opt to add additional criteria. Are your customers requesting additional information regarding your cloud security program or your HIPAA compliance status?
If they are, or as they begin asking in the future, speak with your current SOC 2 service auditor about the possibilities regarding the inclusion of additional criteria in your report.
Why Should You Do a SOC 2+ Audit?
Appeasing and assuring your customers is a big enough reason to proceed in adding additional criteria to your SOC 2 examination.
But how else would it benefit you?
If you’re trying to cover all the needs of your customers, you can lighten the cumbersome load of planning out two audits during a year by taking advantage of the SOC 2+ additional criteria report.
- 2-in-1 Testing: Your auditor will still need to test against your chosen SOC 2 categories and whatever else you add. That means you’ll need to provide the evidence and a description of services for each set of criteria. But your auditor can do their testing simultaneously. They’ll then combine the results into a single attestation report covering the content of both sets of criteria.
- Less Internal Complications: One examination means only one auditor. That can help you avoid the chaos that can arise when you’re dealing with two or more separate service auditors.
- Potential Budget Relief: Plus, chances are that the overhead of extending the included requirements may be considerably less than seeking out a separate report to accomplish the same goal.
Moving Forward With Adding to Your SOC 2 Report
If you didn’t know before, now you understand that creating your SOC 2 examination can be a little like a fancy sushi conveyor belt. The options are there, and you can choose to select them or not based on whether they suit you (and your customers).
As you continue to shape your SOC journey, read our content that can help simplify some of those many decisions you have to make:
- How Much Does a SOC Audit Cost?
- Should You Get a SOC 3 or a SOC 2 Examination? Understand Your Options
- SOC 2 vs. ISO 27001: What are the Differences?
If you have questions on potential other frameworks that we didn’t mention, or if your organization has already implemented one that you’re interested in adding to your current SOC 2 report, please feel free to contact us. We’d love to help you determine if a SOC 2 + additional criteria report might be best for your organization and your customers’ needs.
About Craig Skinner
Craig Skinner is a Senior Associate with Schellman based in Atlanta, Georgia. Prior to joining Schellman in 2020, Craig worked as an IT auditor for a professional services firm specializing in SOX and financial statement audit support, as well as SOC reporting, for the insurance and financial services industries. Craig has over three years of experience comprised of clients in various industries, including healthcare services and managed service providers. Craig is now focused primarily on SOC reporting for organizations across various industries.