SOC 2 - The Ultimate Aggregator?
Although AICPA's U.S. SOC 2* standard has been in place for many years and is well known to large companies, in recent years small Canadian companies have also been required to produce this type of compliance report. As soon as a small company does business with large U.S. or European companies, a SOC 2 compliance report is very often required. In addition, there is a trend in Canada itself: several larger Canadian companies now demand a SOC 2 report, even though the standard is essentially American.
Often, at the same time, small Canadian businesses are required by their clients or prospective clients to comply with other compliance frameworks, such as GDPR, HITRUST**, ISO 27001, NIST, CSA***, etc.
It is a substantial effort for a small company to comply with several different frameworks. Documenting and implementing all the new processes and controls is already cumbersome enough without having to satisfy several compliance standards every year.
It is crucial to note that the SOC 2 standard is not a control framework; it is better described as a methodology. A company must put controls in place to meet the SOC 2 criteria (the Trust Services Criteria). The controls in question can be sourced from different frameworks such as ISO 27001, NIST, CSA or HITRUST. In addition, many of the controls put in place can also be used to comply with the GDPR regulation.
Therefore, we can say that SOC 2 is the standard aggregator par excellence. In addition, some control frameworks, such as HITRUST and the Cloud Security Alliance (CSA), have agreements with AICPA to integrate their frameworks into a SOC 2 report. The client's control environment is then prepared against the selected framework (HITRUST or CSA), and the auditor's opinion included in the SOC 2 report covers compliance with the SOC 2 requirements as well as with that other control framework.
The fact that SOC 2 is the aggregator par excellence gives it an advantage that is still little known. Why would a small company have to comply with several compliance standards separately if, with a single SOC 2 report, it can meet the vast majority of the required standards? It saves time and money.
Without going into too much detail, SOC 2 has a common core for the Security principle (the Common Criteria) and has developed additional criteria for the Availability, Confidentiality, Processing Integrity and Privacy principles. The main consequence of aggregating several control frameworks in a SOC 2 report is that more controls and more documentation will be necessary. For example, incorporating the HITRUST control framework into a SOC 2 report results in a control framework of around 100 controls. In addition, the Security, Availability and Privacy SOC 2 principles will be required.
While aggregating more control frameworks in a SOC 2 report may seem cumbersome, it is nothing compared to having to follow two or three different control frameworks separately, both in terms of effort and in terms of cost.
For companies that already have a SOC 2 report and whose clients require them to comply with other control frameworks, there is nothing to prevent adding controls to the company's SOC 2 report. It will probably also be necessary to bring additional SOC 2 criteria (Trust Services Criteria) into scope in order to cover the added control frameworks.
In my practice, I see more and more small companies forced to respond to several compliance frameworks, and the arrival of the General Data Protection Regulation (GDPR) in particular is creating new challenges for these companies. A control framework like HITRUST is little known in Canada, mainly because the vast majority of medical organizations are public. But some Canadian private companies are forced to meet HITRUST's requirements. SOC 2 responds significantly to the challenges faced by small Canadian businesses when multiple compliance standards are required.
* Service Organization Control (SOC 2)
** Control framework dedicated to the medical industry (HITRUST)
*** Cloud Security Alliance (CSA)