SOC 2 Single Framework Strategy
Integrating SOC 2 into a Single Framework Strategy
Christian White
President & Co-founder

Christian White leads risk3sixty’s Services, which include SOC 2, ISO 27001,
PCI DSS, Privacy, vCISO, Penetration Testing, and HITRUST services. Prior
to leading risk3sixty’s Services, Christian operated as both a practitioner
and service line leader, where he developed many of the current service
offerings and teams under these services. Christian graduated from United
States Military Academy at West Point and served in the U.S. Army as an
Airborne Ranger for more than six years. After completing his service, he
received his M.B.A from the Georgia Institute of Technology where he met
Christian Hyatt and began the risk3sixty journey in 2016.

Contents

Background .......... 3
Define the Needs of the Organization .......... 4-5
Understand the Current Cost Structure .......... 6-7
Craft a SOC 2 Strategy .......... 8-12
Drive Change .......... 13-14
A Brief Recap .......... 15
Case Studies .......... 16-19

Background
Large and growing companies have to deal with many overlapping security,
compliance, and regulatory frameworks and certification schemes to
support the complex security and compliance needs of the organization,
its stakeholders, and its customers. Often, among these business-enabling
requirements is a need for an organization to obtain a SOC 2 report.

The SOC 2 report is one of the most popular and widely accepted third-
party assurance reports in the United States as well as being recognized
globally. SOC 2 provides companies with a way to demonstrate that they
have a mature security program in place by having their program examined
by a Certified Public Accounting (CPA) firm, which issues a SOC 2 report,
including audit opinion, over the design and operating effectiveness of
the program over time.

Since SOC 2 is a reporting framework where the criteria are defined, but
not the controls, there is an opportunity for companies seeking to build
a SOC 2 program (or re-engineer their SOC 2 program) to integrate SOC
2 into an existing security framework(s) and operate a more streamlined
security and compliance program.

Such an approach can help companies to 1) avoid a continuous whack-a-mole
audit season, where multiple recurring audits slow the organization down
and create a need for audit support throughout the year, 2) avoid increasing
program costs, and 3) avoid diverting focus (e.g., engineering) from the
business’s core objectives.

In the following four steps and case studies, we will explore how to reduce
audit burden, contain costs, and manage complexity by integrating SOC
2 into a single framework strategy and streamlining assessment work to
enable a ‘do once, report many’ approach:

• Define the needs of the organization (today & in the future)
• Understand the Current Cost Structure
• Craft a SOC 2 Strategy
• Drive Change

STEP 1: Define the Needs of the Organization (Today & In The Future)

The first step in integrating SOC 2 into a single framework strategy is to
understand the context and needs of the organization today and where
it is headed. If the organization has largely served domestic clients but is
poised to expand internationally, this is an important context to consider.
If each business unit is subjected to various compliance requirements
but inherits shared services from the parent organization, this is also an
important context to consider in shaping strategy.

While the current compliance environment may be well known, documented,
and understood, speaking with product owners, risk managers, and the
revenue organization is a good way to get ahead of future needs. What are
customers asking for? What conversations are being had during the sales
cycle? Is there something the market expects of us that we need to do?
Where do we see risk across the organization?

The intended outcome of this step is a clear, documented understanding
of the organization’s security and compliance needs today and in the
near future. For example, if the business’s security compliance program is
currently built on ISO 27001, and that is the intended single framework,
then we know that building a good ISO 27001-based SOC 2 control set will
fit nicely with what the organization is already doing without adding much
additional burden on program management.

STEP 2: Understand the Current Cost Structure

Once the current and future context of the organization is known and
documented, the next step is understanding the overall security
compliance costs to the business. Our downloadable ROI calculator
may help define this:

ROI Calculator
Why is this important? To drive positive organizational change, such as
integrating SOC 2 into a single framework strategy, it is important to be able
to present the business case to executives and articulate how the desired
strategy will benefit the business. Costs to consider in your analysis may
include the following:

Personnel costs: How many personnel are mostly (>50% of their time)
devoted to building and maintaining the security compliance programs of
the organization?

Audit Support costs: How many people-hours (e.g., engineering time) are
needed to support each audit? Find out how this spans multiple audits
across business units. What would be the impact on the internal team if
we reduced one audit per year by combining multiple audits into one work
stream?

Program Assessment Fees: These are fees paid to assessor organizations,
such as a CPA Firm for a SOC 2 examination or to a security advisory firm
for a penetration test. Are there opportunities to reduce fees by engaging
a single vendor who may provide multiple services and multi-service
discounts (e.g., internal audit, SOC 2, penetration testing)?

Training costs: How much does it cost to maintain my team’s certifications
or send them to training?

Turnover Costs: What is our average annual turnover in this department?
Can HR provide me with a turnover cost estimate based on our annual
turnover rate?

Tools and technology: What is our annual spend on tools and technologies
to support our security compliance program? Are we spending on a GRC
tool or multiple tools? Does our auditor have a GRC tool complementary
to their services?

Consulting Fees: How much are we spending in annual consulting fees for
areas in which we have trouble hiring or do not need a full-time employee?

STEP 3: Craft a SOC 2 Strategy

With the context of the organization and the costs considered, it is time
to decide how best to integrate SOC 2 into the organization’s strategy.
It is recommended that these decisions not be made in a silo but in
coordination with all the relevant stakeholders who need to be on board.
This will increase the likelihood of the strategy being well-received and
implemented successfully.

STEP 3-A: Define SOC 2 Scope
Doctrinally, an organization obtains a SOC 2 report over its defined
information system. For SOC 2 purposes, an information system comprises
the architecture, software, data, people, and processes. This may be
defined as the entire company, including all products, a division of the
company, or simply a business unit. Each organization may define and title
its information system (for the scope of its SOC 2 program) to best meet the
business’ intent for obtaining the SOC 2 report.

In some instances, an organization may choose to have multiple SOC 2
reports, driven by customer expectations that each product has its own
respective report. In other cases, organizations will roll up products under
one report due to similarities among products or for the sake of efficiency.

Here are a few thoughts and options to consider when determining how to
combine or separate SOC 2 scopes:

How does this decision impact business strategy or marketing efforts?

Option 1: Reduce effort and burden by combining scope under a single
SOC 2 report. Why? Streamline efforts and timelines and reduce costs.

Option 2: Obtain a SOC 2 over the company’s shared services and have
separate reports for each product. Why? Test shared services once and
inherit for other reports; products are different enough that it is better
to keep scopes distinct for each report to enable sales and marketing
better.

Option 3: Keep all reports separate and specific to business units and
products. Why? The company has grown by M&A, and each entity has its
unique scope with little in the way of shared services at the corporate
level.

STEP 3-B: Integrate Each Scope into Existing Program(s)
If your organization already has a baseline security compliance program,
work with your audit partner to design a SOC 2 control set that considers as
much of your current program and framework(s) as possible. For example,
if your organization has built its program on the HITRUST CSF, you can
utilize that framework as the baseline of your SOC 2 control set and only
add additional bespoke SOC 2 controls, as needed, in order to meet each
of the SOC 2 criteria relevant for your intended scope. The idea is to try to
leverage the overlap and reduce the complexity as much as possible.

[Figure: ISO 27001 + SOC 2. Single Framework Strategy (SOC 2 and ISO 27001 served by one shared control set) versus Traditional Approach (SOC 2 and ISO 27001 as separate control sets).]

As a reminder, there are five Trust Service Categories (TSCs) in SOC 2, with
Security being the baseline ‘Common Criteria’ that are common to all SOC
2 reports and the other optional TSCs being Availability, Confidentiality,
Processing Integrity, and Privacy. If you just need your SOC 2 program to
cover Security, then depending on the breadth of your ISO 27001 scope, you
may only need to design a few additional controls to meet the SOC 2 criteria.
We call this process of defining the organization’s bespoke SOC 2 control set
to meet the static SOC 2 criteria ‘Design of Controls,’ and it is a very
important step in building a streamlined program that serves the organization.

In more complex scenarios where multiple frameworks are in place with
multiple distinct scopes and organizational nuance, we recommend
whiteboarding a strategy to help visualize the intended structure you want
to achieve. At risk3sixty, we call this process ‘building the single pane of
glass’ or ‘common operating picture.’

STEP 3-C: Streamline, Combine, Reduce
Once you have informed and customized your SOC 2 control set, considering
existing programs, the next step is to see how and where you can streamline
work efforts, combine work activities, and reduce audit burden and fatigue.

Efforts can be streamlined by assigning controls to control owners and
using a single framework strategy so that there are fewer controls to
assign in the first place. As an example, instead of 300 controls (requirement
statements) for HITRUST, another 80 controls for SOC 2, and another 114
controls for ISO, tracked across multiple platforms, a single framework
strategy allows for a single set of controls. Redundancies are removed,
so each control is assigned once rather than multiple times to account for
each individual framework. In the example above, that means reducing 494
controls to roughly 325.

Efforts can be combined and reduced by synchronizing audit timelines
or moving audit timelines to overlap one another. For example, if your
organization has a PCI DSS audit and a SOC 2 examination over the same
scope, combining those efforts into a single audit by the same audit firm
that is both a CPA firm and a PCI QSA firm will reduce the number of hours
your team has to spend on the receiving side of an audit (including
reducing the number of walk-throughs and evidence requests) and reduce
the recurrence of audit activity throughout the year. At risk3sixty, we make
a great effort to enable this for our clients through Phalanx GRC, because
we believe it is important. For firms not using risk3sixty for services, the
assumption here is that the audit firm you are using is set up and able to
support this type of strategy.

How much internal and external savings may be realized by reducing
an extra audit by doing two at once? As mentioned in the introduction,
since most security and compliance frameworks have a large number of
overlapping requirements, utilizing a single framework strategy to reduce
the complexity of the audit and doing the audit once vs. multiple times can
add a lot of value back to the organization.

STEP 3-D: When Possible, Automate Evidence Generation & Collection
While a SOC 2 program cannot be automated, despite what some GRC
tool marketing departments may otherwise say, there are definitely
opportunities to automate the generation and collection of audit evidence
and to utilize tools to supplement those persons managing the program.

For example, log retention settings, AWS GuardDuty configurations, and
AWS Security Groups can all be pulled into modern GRC tools, like Phalanx
GRC, without the need to ask for them continually; risk assessments and
management of risks over time can be done in-app; user access listings can
automatically be pulled from the major Cloud Service Providers, reducing
the need to reach out to engineering to gather those audit artifacts
periodically. There are great opportunities for reducing the internal burden
of compliance!
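As an added illustration of what automated evidence collection looks like in practice (example code written for this page, not the whitepaper's or Phalanx GRC's own), the script below takes a snapshot of the three evidence types named above, checks each against an expected configuration, and packages the result as a hashed, timestamped evidence record an auditor can rely on. The snapshot is constructed inline to stand in for what the AWS APIs would return, and the retention threshold and admin-port list are illustrative assumptions rather than SOC 2 requirements.

```python
"""Automated evidence snapshot check for a SOC 2 control set (added example).

The snapshot below is constructed; in a real collector it would be populated
from the AWS APIs (CloudWatch Logs describe_log_groups, GuardDuty
list_detectors/get_detector, EC2 describe_security_groups).
"""
import hashlib
import json
from datetime import datetime, timezone

# Assumed control expectations (illustrative, not prescribed by the whitepaper).
MIN_LOG_RETENTION_DAYS = 365
ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample snapshot standing in for API responses.
SAMPLE_SNAPSHOT = {
    "log_groups": [
        {"name": "/aws/lambda/billing", "retention_days": 400},
        {"name": "/app/auth", "retention_days": 30},
        {"name": "/app/audit", "retention_days": None},  # None = never expires
    ],
    "guardduty": [
        {"region": "us-east-1", "status": "ENABLED"},
        {"region": "eu-west-1", "status": "DISABLED"},
    ],
    "security_groups": [
        {"id": "sg-0a1", "ingress": [{"port": 443, "cidrs": ["0.0.0.0/0"]}]},
        {"id": "sg-0b2", "ingress": [{"port": 22, "cidrs": ["10.0.0.0/8", "0.0.0.0/0"]}]},
    ],
}


def find_exceptions(snapshot):
    """Return (control, resource, detail) tuples for items that fail the
    expected configuration. An empty list means the evidence is clean."""
    exceptions = []
    for lg in snapshot["log_groups"]:
        days = lg["retention_days"]
        # "never expire" satisfies retention; a finite value must meet the minimum
        if days is not None and days < MIN_LOG_RETENTION_DAYS:
            exceptions.append(("log-retention", lg["name"], f"{days}d < {MIN_LOG_RETENTION_DAYS}d"))
    for det in snapshot["guardduty"]:
        if det["status"] != "ENABLED":
            exceptions.append(("guardduty-enabled", det["region"], det["status"]))
    for sg in snapshot["security_groups"]:
        for rule in sg["ingress"]:
            if rule["port"] in ADMIN_PORTS and ANYWHERE & set(rule["cidrs"]):
                exceptions.append(("sg-admin-exposure", sg["id"], f"port {rule['port']} open to the internet"))
    return exceptions


def build_evidence_record(snapshot, collected_at=None):
    """Package the snapshot plus findings as a self-describing evidence artifact.
    The hash over the canonical JSON lets an auditor confirm the stored
    snapshot was not altered after collection."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    ts = collected_at or datetime.now(timezone.utc).isoformat()
    return {
        "collected_at": ts,
        "snapshot_sha256": hashlib.sha256(canonical.encode()).hexdigest(),
        "exceptions": find_exceptions(snapshot),
        "snapshot": snapshot,
    }


if __name__ == "__main__":
    print(json.dumps(build_evidence_record(SAMPLE_SNAPSHOT), indent=2))
```

Run on a schedule, the exceptions list is the item a control owner acts on, and the unchanged hash across runs is itself evidence that a setting stayed in place over the audit period.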

STEP 4: Drive Change
You have a good understanding of the organization and its context. You have
calculated the costs associated with managing multiple security compliance
programs. You’ve put the time in to think through a logical strategy to carry
the business forward while streamlining efforts and integrating SOC 2 into
existing work streams. You have ideas on how things need to change. What
are the next steps? How do you present the ideas, build consensus and get
traction on driving these positive changes?

There are three things that will underpin and support your efforts:

1. Build the business case – we have a downloadable example: Business
Case Template. In this brief slide deck, you can distill the essence of
why your initiative makes sense and is valuable to the business. If you
can succinctly communicate to other executives in these terms, the
decision point becomes very clear.
2. Calculate the ROI of your strategy – you already know what current/
projected costs are – what are the cost-savings of your new plan? This
supports the Business Case for the initiative and helps to set up a very
positive decision.
3. Building consensus internally is key to driving positive change –
when this is done well, the decision maker has received some context
and preview of what is to be presented. When this is done well, peers
are informed and consulted, supporting this initiative before it is
formally presented or submitted for approval.

a. Who are your internal champions to help you drive this initiative?
b. Who are your other advocates who need to be consulted and
informed?
c. Who will be signing off on this initiative? Can you foreshadow
what you will present?

Bonus: Increase Communication – organizational change is difficult, and
increased communication keeps everyone on the same sheet of music! It is
difficult to over-communicate.

A BRIEF RECAP
In summary, addressing multiple security, regulatory, and compliance
requirements from customers, prospects, governments, markets, etc., can
be daunting and overwhelming, but there are opportunities for efficiency.
When thinking about how best to integrate or reintegrate SOC 2 into the
business’ overall security compliance program, remember the following
points for consideration:

Step 1: Define the Needs of the Organization

Step 2: Understand the Current Cost Structure

Step 3: Craft a SOC 2 Strategy
a. Define SOC 2 Scope
b. Integrate Each Scope into Existing Program(s)
c. Streamline, Combine, Reduce
d. Automate Evidence Generation & Collection

Step 4: Drive Change
a. The Business Case
b. ROI Calculator
c. Build Champions
d. Communicate

Case Studies

“ACME Company”: Fast Growing B2B Company Navigating Global Expansion
“Bravo Company”: Large B2B SaaS Company in the Health IT Space

CASE STUDY: ACME Company
Acme Co. is a fast-growing B2B company navigating global expansion.
Four business units are already subject to ISO 27001 Certification
and are now being asked to become SOC 2 and GDPR compliant within
15 months.

Historically, Acme Co. has had a single Information Security Management
System (ISMS) with strong governance as part of its ISO 27001 efforts.
The company provides many shared services to the business units,
including HR, Legal, Finance, IT, and Operations Security.

When Acme Co. considered adding SOC 2 into their existing security
compliance program, they were primarily concerned with the following:

1. Concerned about the need to increase the number of compliance
analysts to support.
2. Felt that adding an additional audit would be disruptive to the
engineering team and detract from the company’s focus.
3. Historically, the company was not focused on Privacy but was
being asked to be GDPR compliant.

CASE STUDY: ACME Company Approach
After working through the steps outlined in this whitepaper, Acme Co.
integrated SOC 2 for shared services and each business unit into their
existing ISO 27001 efforts. Working with risk3sixty, they created an ISO
27001-based SOC 2 control set, which reduced the net-new controls to only
those necessary for SOC 2 and not already covered by ISO 27001. Because
they wanted to go to market with distinct products, they obtained four SOC
2 reports, one for each product.

Additionally, since risk3sixty was able to help with Acme Co.’s ISO 27001
Internal Audit and combine those efforts and timeline with the SOC 2
examination into a single audit experience, there was no ‘additional audit,’
but rather just an expanded audit over net new controls, which addressed
leadership’s second concern.

The net of this approach was that there was no need to hire additional
compliance analysts, as the increase in internal burden was not significant
enough to warrant it.

To help address GDPR concerns, Acme Co. added the Privacy TSC to
Security in their SOC 2, adding some new privacy controls to scope to give
the company an approach to GDPR. Additionally, in Section V of the SOC 2
report, Acme Co. decided to include a mapping of their Privacy Controls to
GDPR, giving them a practical means of demonstrating and communicating
how they were complying with GDPR. Acme Co. plans to add ISO 27701
(Privacy Information Management System) to the scope of their ISO 27001
audit, further helping them mature their privacy program and third-party
assurance.

Since the ISO 27001 and SOC 2 efforts were combined for this year, Acme
Co. was very quickly able to obtain a SOC 2 Type 1 report and is on track to
have their SOC 2 Type 2 within their desired time frame.

CASE STUDY: Bravo Company
Bravo Company is a large B2B SaaS company in the Health IT space. The
company has two business units, both handling ePHI and subject to HIPAA
Compliance. The company has a current HITRUST certification, having
completed its first HITRUST i1 validated assessment last year.

The company has identified a new vertical for its SaaS offerings outside the
Health IT space and is now being asked to become SOC 2 compliant within
the next 12 months.

Leadership expressed concerns about adding an additional audit to an
already busy schedule. While increased costs were discussed as a factor, the
biggest real cost to the firm is the drain on the team from multiple audit
cycles and everything that comes with that: walk-throughs, observations, and
evidence collection. Despite their concerns, leadership has communicated
a commitment to doing SOC 2, as this will help them be competitive in this
new vertical.

Bravo Company Approach

After working through the steps outlined in this whitepaper, Bravo Company
decided to integrate SOC 2 into the existing HITRUST program. Since risk3sixty
is both a CPA Firm and an Authorized HITRUST External Assessor, risk3sixty
worked with Bravo Company to leverage the HITRUST CSF framework to be
the basis for the SOC 2 control set and combine both audits under a single,
streamlined assessment project.

The net result was that a single, combined HITRUST/SOC 2 audit from
risk3sixty resulted in a SOC 2 report being issued by risk3sixty and a HITRUST
audit certification being issued by HITRUST (upon QA review of risk3sixty’s
assessment work). This saved Bravo Company many additional person-
hours and kept their external audits to one per year. As a result of this
strategy, the company could focus more of its energy on expanding into the
new vertical instead of conducting a second annual audit.

Let’s Get Started
Programs That Leave No Doubt

risk3sixty is a nationally recognized security, privacy, and compliance
advisory firm serving firms across the United States and globally.

We strive to be “craftsmen” in our space and as a result we offer our
clients an uncommon level of service, demonstrably unchallenged in our
industry.

By the Numbers
✓ 100% certification and compliance
✓ Clients across the United States and 17 countries
✓ Certified Security Experts such as CISSP, CISA, CISM, GPEN, CEH, CRISC,
PCI QSA, ISO 27001 Lead Auditors, and much more
✓ Certified Privacy Experts such as CIPP/US, CIPM, IAPP Privacy Fellows,
ISO 27701 Lead Auditors, and more

Our Promise of Quality

“We pride ourselves on our ability to provide outstanding service, meeting
our clients’ deadlines, and exceeding expectations. The bottom line is
that if you aren’t satisfied with the quality of our services, we’ll make it
right. Period.”

Speak with an Expert
(404) 692-1324