SOC 2 Plus - Frequently Asked Questions | SOC 2 Plus Examination

SOC 2 Plus Reports

A SOC 2 Plus report is a type of SOC 2 examination that provides assurance beyond the standard SOC 2 framework requirements. It adds an additional level of assurance against standards such as HIPAA, HITRUST CSF, PCI DSS, or ISO 27001. It is essentially a SOC 2 report with added assurance for specific compliance needs. Given the complexity of this report type, Barnes Dennig has provided a list of frequently asked questions below.

SOC 2 Plus - Frequently Asked Questions

SOC 2 Plus is an enhanced version of the standard SOC 2 report, which includes additional compliance frameworks or industry-specific criteria beyond the Trust Services Criteria (TSC) used in a standard SOC 2 report. These additions might include frameworks like HIPAA, HITRUST, NIST, or other regulatory and security standards.

A standard SOC 2 report is based on the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. SOC 2 Plus takes that a step further by incorporating one or more additional frameworks into the report. This can be done by mapping the SOC 2 criteria to the additional framework(s), or by including a separate control mapping that ties the organization's controls to the additional framework.

SOC 2 Plus reports are typically requested by organizations that are asked to provide assurance around multiple frameworks. For example, an organization with customers in both the US and Europe may be asked for both a SOC 2 report and ISO 27001 evidence. A SOC 2 Plus report gives the organization the flexibility to cover both frameworks in one report. It also simplifies the audit process: controls are tested once and reported across multiple frameworks, resulting in a single report that can be given to all customers. Note that a SOC 2 Plus report provides the service auditor's opinion on controls mapped to the additional criteria; it is not an ISO 27001 certification or a PCI DSS Report on Compliance, which can only be issued by an accredited certification body or a PCI Qualified Security Assessor respectively, so confirm with each customer which form of assurance they will accept.

SOC 2 Plus can integrate various regulatory and industry standards, such as:

  1. HIPAA (Health Insurance Portability and Accountability Act) for the security and privacy of protected health information.
  2. HITRUST CSF (Common Security Framework), a certifiable framework widely used in healthcare for security and risk management.
  3. NIST SP 800-53 for federal agencies and their contractors.
  4. ISO 27001 for international information security management systems.
  5. PCI DSS (Payment Card Industry Data Security Standard) for organizations that store, process, or transmit cardholder data.

The SOC 2 Plus process follows the standard SOC 2 evaluation but expands it to assess the organization's controls against the additional frameworks the organization has chosen. This involves:

  • Defining the scope based on business needs and regulatory requirements
  • Assessing existing controls against both the Trust Services Criteria and additional frameworks
  • Testing and evaluating control effectiveness
  • Issuing a final report detailing the findings

Testimonials

All the things that matter are always covered. In language I can understand.

— Barnes Dennig Client, 2022

I've been very pleased with the services provided and high-touch service we've received.

— Robin M., CFO

We are an ever-changing client and they work hard to understand what changes we've made, why and how they impact our SOC report.

— Barnes Dennig Client, 2021

Getting requests for your SOC report?

Talk to one of our top SOC reporting pros today.
