September 22, 2017

SOC 2 + Additional Subject Matter (SOC2 Plus)

The AICPA recently made efforts to expand the use of SOC 2 in two significant ways: additional reporting criteria, and alignment with other significant (and at times required) IT security regulations. This expansion increases the utility of a SOC 2 report and has implications for the overall compliance costs and effort of small, medium, and large businesses.

The Additional Subject Matter increases the flexibility of the SOC 2 report so that it can cover the significant concerns of business partners when outsourcing certain activities, given the current and expanding compliance landscape. Below is a table highlighting these changes:

Each entry below lists the additional subject matter, the additional criteria, and an example of the engagement.

  • 1. Additional subject matter: Description of the physical characteristics of a service organization’s facilities
    • Additional criteria: Completeness; Accuracy; Criteria specified by an outside party
    • Example of the engagement: Reporting on a detailed description of the physical characteristics of a service organization’s facilities (for example, square footage), in addition to reporting on controls at the service organization relevant to the security of the system based on the trust services criteria for security
  • 2. Additional subject matter: Historical data related to the availability of computing resources
    • Additional criteria: Completeness; Accuracy
    • Example of the engagement: Reporting on historical data regarding the availability of computing resources at a service organization, in addition to reporting on controls at the service organization relevant to the availability of the system based on the trust services criteria for availability
  • 3. Additional subject matter: Compliance with a statement of privacy practices
    • Additional criteria: Statement of privacy practices
    • Example of the engagement: Reporting on a service organization’s compliance with a statement of privacy practices, in addition to reporting on controls at the service organization relevant to the privacy of the system based on the trust services criteria for privacy
  • 4. Additional subject matter: N/A
    • Additional criteria: Requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification, 45 CFR Sections 164.308-316
    • Example of the engagement: Reporting on privacy at a service organization based on regulatory requirements (for example, the security requirements under HIPAA), in addition to reporting on controls at the service organization relevant to the privacy of the system based on the trust services criteria for privacy
  • 5. Additional subject matter: N/A
    • Additional criteria: Criteria established by an industry group (such as the Cloud Security Alliance’s Cloud Control Matrix)
    • Example of the engagement: Reporting on security at a service organization based on criteria established by an industry group (such as the Cloud Security Alliance’s Cloud Control Matrix), in addition to reporting on controls at a service organization relevant to the security of a system based on the trust services criteria for security

Note: the table information above was obtained from the AICPA website.

Below are some use cases where these additions could come in handy:

  • Description of the physical characteristics of a service organization’s facilities
    • Specific sizes of rooms and spaces, or other contracted terms relating to a physical attribute the company claims to its clients (data center cage size, storage/shelf space, processing floor, etc.).
  • Historical data related to the availability of computing resources
    • Adherence to SLA requirements at various levels (overall system availability, by client, retention duration (1 month, 6 months, 7 years), etc.).
  • Compliance with a statement of privacy practices
    • Beyond testing the general privacy criteria, some clients may require further coverage based on industry requirements, including third-party review of a business’s compliance with its statement of privacy practices.
  • Requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification 45 CFR Sections 164.308-316
    • Beyond testing the general privacy criteria, some clients may require further coverage based on industry requirements, including third-party review of a business’s compliance with the HIPAA 45 CFR 164.308-316 requirements.
  • Criteria established by an industry group
    • There is significant overlap among companies that require a SOC 2 together with some combination of the other major standards, including, but not limited to:
      • HITRUST Common Security Framework (CSF)
      • CSA Security Trust & Assurance Registry (CSA-STAR)
      • ISO-27001
      • NIST SP-800-53 R4
      • COSO
      • COBIT

The standards listed above have formal mappings to SOC 2 in place, available from the AICPA.

These changes have the potential to reduce overall compliance costs and effort. Headaches such as multiple rounds of testing per year, contracting multiple firms to perform different audits, additional tracking of controls, and the other nuances that come with multiple compliance efforts can be greatly reduced and addressed in one report (depending on your customer’s requirements).

The one thing to keep in mind is that if this additional subject matter and criteria from outside standards are to be included within the SOC 2 report, the controls must be tested with the same level of detail and sampling methodology that the AT101/SOC 2 standard calls for. This means that if the audit is required to cover compliance with a statement of privacy practices, there is no spot checking in a SOC 2 Type II: it is full sample testing, with the potential to span all patients depending on the requirement, and the supporting evidence must be available to back it up.

If you’re ready to find out more about how to enhance your current SOC 2, or need help starting your first and want to ask an expert a few questions, please reach out to Find a SOC 2 Provider via the link provided or the contact form below to speak with a qualified professional.
