Organizations from across all industries turn to third-party vendors to outsource a wide range of products and services. With that, it’s important to ensure that your organization is performing the right types of audits and assessments to evaluate your vendors. Reviewing vendor SOC reports is essential and will help with assessing various aspects of the vendors’ information security controls.
In some cases, a SOC 1 or SOC 2 report may be enough to properly assess your vendor. However, other times, you may want to consider utilizing a SOC 2+ report. Also called Enhanced SOC 2 Reports, SOC 2+ reports should be considered by organizations that are highly regulated or adhere to higher security standards.
What Is a SOC 2+ Report?
As the name may suggest, a SOC 2+ report expands upon the basic model of a SOC 2 report. It was created by the American Institute of Certified Public Accountants (AICPA), which collaborated with the Cloud Security Alliance (CSA) and HITRUST. Where a SOC 2 report covers the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), the SOC 2+ report covers the Trust Services Criteria in addition to other industry and compliance models.
This means that the SOC 2+ report is a more extensive version of the basic SOC 2 framework. Just as a SOC 2 report assesses the vendor’s controls, the SOC 2+ report also evaluates whether the controls follow specific compliance requirements. For example, healthcare organizations may want to consider requesting a SOC 2+ report that assesses for HIPAA compliance when dealing with a data storage provider to ensure that the vendor can protect patient information within HIPAA’s requirements.
The flexible and extensive nature of a SOC 2+ report has become more appealing for many organizations, especially for those in industries with an increased risk of compliance violations, such as the healthcare and financial services industries. And, as legislators continue to update regulations to preserve customer privacy and integrity, it has become more difficult for many organizations to ensure compliance across their vendors. Although still rarely seen, in some cases SOC 2+ reports may be the answer for both vendors and their customers, creating comprehensive documentation of their controls’ proficiency and providing the peace of mind that their controls comply with regulatory frameworks.
3 Benefits of a SOC 2+ Report
While many organizations may feel that a SOC 2 report is sufficient, it’s important to understand the benefits of a SOC 2+ report as an extension of the basic SOC 2 framework. When determining if a SOC 2+ report is right for you, you should consider benefits such as:
- SOC 2+ reports increase efficiency. By compiling information into a singular document, as opposed to running separate audits to check for the vendor’s compliance in addition to a SOC report, a SOC 2+ report takes several tests into account, which can lead to decreased efforts and cost for the involved stakeholders.
- It still evaluates controls for Trust Services Criteria. Just as with the basic SOC 2 framework, SOC 2+ reports still assess factors such as the security of the vendor’s physical locations, their privacy policies, and their availability. All aspects of the report should be handled with the same care and eye for detail, meaning that the Trust Services Criteria will be evaluated in the SOC 2+ report just as much as compliance.
- Flexibility to match your needs. SOC 2+ reports can assess a wide range of compliance regulations and aren’t confined to only one industry. A SOC 2+ report could assess for HIPAA, HITRUST, COSO, NIST, and many more frameworks. These additional controls are tested to the same standard as the TSC, providing confidence in the assurance.
For vendors, as well, SOC 2+ reports offer the ease of reporting a range of proficiencies and instilling confidence in their services by showcasing their compliance to their customers.
Overall, SOC 2+ reports build on the critical aspects of a SOC 2 report, both ensuring that your vendor’s controls align with the Trust Services Criteria and assessing for regulatory compliance. This can improve efficiency for both vendors and their customers, which will save valuable time and resources moving forward.
When it comes to assessing your vendors, you need to ensure that the proper controls are in place to protect your organization and that you can identify any risks before issues arise. Though it’s not necessarily a red flag if a vendor doesn’t have a SOC 2+, these reports are growing in popularity in the industries most impacted by the challenge of compliance and updated regulations. For many industries, it’s time to start looking for these types of reviews and having conversations with your vendors about whether they will be pursuing more focused audits like the SOC 2+ to determine whether their controls adequately satisfy your industry’s regulatory requirements.