SOC 2 Plus: Expanding Your SOC Report with Additional Frameworks
Published on by Myles Wallace in SOC Reports

As organizations face increasing pressure for stronger security assurance, the need to report across multiple compliance frameworks has never been greater. Leveraging the foundation created by SOC 2, SOC 2 Plus reporting offers a powerful way to meet this demand. Here’s what it is, why it matters, and how it can benefit your organization.
What is SOC 2 Plus?
At its core, SOC 2 Plus starts with the standard SOC 2 framework, which is built around the five Trust Services Criteria. The security criteria, also known as the common criteria, serve as the baseline. Additional criteria such as availability, confidentiality, processing integrity, or privacy can be layered in, depending on which best aligns with organizational needs, customer expectations, and investor priorities.
SOC 2 Plus also extends beyond the Trust Services Criteria, enabling integration of other security and compliance frameworks. Examples include:
- ISO/IEC 27001
- NIST SP 800-53
- NIST CSF
- HITRUST
- HIPAA
- GDPR
- ISACA Blockchain Framework
- CSA’s Cloud Controls Matrix
SOC 2 Plus enables organizations to consolidate multiple compliance requirements into a single unified report.
Why add another security framework?
SOC 2 Plus is especially valuable when:
- Customers or stakeholders require multiple frameworks (e.g., when end users or partners in Europe request ISO certification).
- An organization already aligns internally with a framework and wants to demonstrate that alignment in a single SOC report.
- The organization is scaling or expanding globally, where frameworks like ISO are more widely recognized.
As companies expand globally and adopt additional security and compliance frameworks, SOC 2 Plus reports have become an increasingly common way to demonstrate broader assurance.
How SOC 2 Plus works in practice
Additional frameworks typically appear within the SOC 2 report in several key sections:
- Section 3 – Narrative or disclosures within the system description.
- Section 4 – Controls that align with the additional framework.
- Section 5 – A crosswalk or mapping to show alignment between frameworks.
- Opinion section – References to the inclusion of mapped frameworks where applicable.
Who does the mapping?
The division of responsibility for mapping and integration varies based on internal resources and goals.
- Some organizations prefer to handle most of the mapping internally to reduce costs.
- Others use a GRC platform that maps existing controls across multiple frameworks.
- Many rely on the Barnes Dennig SOC reporting team to lead the process, leveraging deep experience and expertise.
Our approach helps clients build on existing strengths by mapping current controls to the SOC 2 Plus framework, identifying gaps, and guiding remediation efforts, so processes translate into meaningful, report-ready documentation.
When to introduce SOC 2 Plus
Adding another framework doesn’t have to wait for the next SOC reporting cycle:
- Organizations already performing SOC 2 engagements can introduce ISO 27001 coverage mid-cycle if requested by a customer or end user. This typically requires an analysis of overlap and gaps between frameworks to align with ISO controls.
- For those starting fresh, the report can be designed from the outset to accommodate multiple frameworks.
Some frameworks require additional consideration
Certain frameworks, such as HITRUST, require paid licenses and formal registration to map appropriately. The Barnes Dennig team works within those boundaries while maximizing flexibility to help you meet your goals and those of your customers. As we like to say (and mean it), we’re here to help.
How to get started with SOC 2 Plus
If you’re considering SOC 2 Plus, a few key steps can set the process up for success:
- Start with customer requirements. When end users or partners ask for ISO, NIST, or other frameworks, that’s the right time to consider expansion.
- Engage early. The earlier experienced advisors are involved, the more efficient the process becomes. (Contact us today for a free consultation!)
- Rely on experience. The Barnes Dennig SOC reporting team can help you navigate best practices, optimize control documentation, and avoid redundant effort.
Let’s talk SOC 2 Plus
As your organization grows and compliance demands increase, SOC 2 Plus provides a powerful and efficient way to address multiple frameworks within a single, coherent report. It streamlines effort, increases efficiency, enhances customer confidence, and reduces long-term costs.
Interested in exploring how it could work for your business? Get in touch – as always, we’re here to help.
Related content
Our DIY SOC Reporting video series offers short clips that can help you streamline your SOC reporting process (note – you can’t fully perform a SOC audit on your own – it requires an independent CPA – but there’s a lot you can do to make the process more efficient and reduce costs).
If you’re prepping for your first SOC report, see how a readiness assessment and gap analysis can help improve your outcome. Our SOC reporting pros have created an entire video series on SOC reporting to help you optimize and maximize (and don’t miss the blooper reel – in addition to their many other skills, our team is just fun to work with).