Alright, you’ve considered all the other compliance options, and for you right now, it’s SOC 2 or bust. That means it’s time to make like Michelangelo and start carving your David of an examination.
Now that we’ve established that, let’s make sure you don’t want to add anything to this examination.
Depending on your customer base and what kind of use case you’re looking for, it may benefit you to add another report or to tack on more criteria to the SOC 2 itself. In this section, we’ll address some options you have for add-ons, including:
- Should You Invest in a SOC 3 Too?
- Do You Need a SOC 2 + Additional Criteria?
Maybe the standalone SOC 2 is perfect for your organization, but maybe it would suit your needs and those of your customers better to include further documentation or frameworks.
1. Should You Invest in a SOC 3 Too?
We already went over how you can bridge a SOC 1 or even do one of those simultaneous to your SOC 2. But what about a SOC 3?
If you ask us, a SOC 3 can be considered the fraternal twin of SOC 2—there are a lot of similarities:
- They’re both conducted in accordance with the same specific sections of the SSAE 18 standard.
- Both report on your controls relevant to the Trust Services Categories of security, availability, confidentiality, processing integrity, and/or privacy (which we’ll get into later).
Right now, you’re thinking, if they’re so alike, why on earth would I pay more money for two of the same thing? We’re glad you asked.
The big difference between a SOC 2 and SOC 3 is in their reports:
- Each contains different amounts of information.
- Each has a different allowance when it comes to who can read and rely upon each report.
A SOC 2 is going to contain everything, including all the tests completed and a full description of your system, whereas your SOC 3 will leave out the testing and abbreviate the description.
But it’s that last point that’s key.
You’re here because you want to provide some assurances to your customers that you’re protecting their data. A SOC 2 will help with that—you can provide them this report to see for themselves all your independently validated security measures.
However, a SOC 2 is restricted use, meaning its audience must be specified within the deliverable. So that works for your customers, but not so much in generating further general interest in your services or product.
But in contrast to their twin SOC 2, SOC 3 reports are general use, meaning you can hand them to anyone on the street should you so choose. For that reason, many organizations out there consider them powerful marketing tools—sure, they don’t contain everything, but they can still provide a decent overview of your compliance posture to someone considering you for their business.
2. Do You Need a SOC 2 + Additional Criteria?
As you contemplate adding on a separate SOC 3, you also need to think about whether you want to add criteria to your actual SOC 2.
If you’re going to invest in an audit, you should include everything you need to satisfy your customers’ demands. When you’ve chosen SOC 2, you should know that you do have the option to add more than just the standard SOC criteria against which your system or product is evaluated.
You don’t have to, of course, but combining things does present a few advantages, like 2-in-1 testing—rather than two separate testing instances during two audits—fewer internal complications, and potential budget savings.
All that probably sounds pretty good, though really, we only recommend including other frameworks within your SOC 2 if your customers are making requests—or may make them in the near future—about other compliance assurances they’d like to see from you.
But you can’t just add anything you want to your SOC 2. Generally, acceptable additional criteria are derived from an IT control framework. Here are some common ones it may suit you to go ahead and incorporate:
HIPAA Security Rule
Adding these criteria and achieving compliance here would assure interested parties that you’re meeting the guidelines of the HIPAA laws and regulations regarding the transmission, processing, and storage of protected health information.
If you’re looking to host or process ePHI on behalf of a healthcare organization, it may benefit you to provide both the results of a SOC 2 examination and a HIPAA examination to your customers.
HITRUST Common Security Framework (HITRUST CSF)
Adding these criteria and achieving compliance here would assure interested parties that you’re meeting the guidelines of HITRUST’s proprietary CSF that leverages nationally and internationally accepted security and privacy-related regulations.
If you’re looking to provide an introductory level of assurance related to the HITRUST CSF and are not required to undergo a HITRUST CSF certification, it may benefit you to provide both the results of a SOC 2 examination and a HITRUST examination to your customers.
However, in the interest of full disclosure, there is a distinct difference between SOC 2+HITRUST and HITRUST certification in and of itself, so you may want to examine the distinctions more closely in case full certification may suit you better.
CSA Cloud Controls Matrix (CCM)
There was a specific effort made to make this combination of SOC 2 Trust Service Criteria and the CSA Cloud Controls Matrix (CCM) possible.
If you’re using a cloud service provider (CSP) and want a better understanding of the maturity of their security programs, adding these additional criteria may provide additional assurance in that area.
NIST SP 800-53 Risk Management Framework
NIST SP 800-53 covers a series of control families and requirements that guide compliance with the Federal Information Security Management Act (FISMA). You can indicate the security level of the data stored on your system—low, moderate, or high—to further provide context for the controls in place to meet each SP 800-53 requirement.
This might be an especially beneficial direction to take for those wanting to do business with federal government agencies or government contractors. Your compliance with these criteria, which go further than those of a SOC 2 report alone, would absolutely give them a helpful understanding of the level of data security you have.
These four frameworks are not the only options for inclusion you have regarding your SOC 2—they’re just the ones we get asked about most often. Each has its benefits, and you should know that if you do choose to add one in, that additional set of criteria will be tested and opined upon in the same manner as that within your SOC 2 examination.