Integrating SOC 2 into a Single Framework Strategy
Christian White
President & Co-founder
Christian White leads risk3sixty’s Services, which include SOC 2, ISO 27001, PCI DSS, Privacy, vCISO, Penetration Testing, and HITRUST services. Prior to leading risk3sixty’s Services, Christian operated as both a practitioner and service line leader, where he developed many of the current service offerings and teams under these services. Christian graduated from the United States Military Academy at West Point and served in the U.S. Army as an Airborne Ranger for more than six years. After completing his service, he received his M.B.A. from the Georgia Institute of Technology, where he met Christian Hyatt and began the risk3sixty journey in 2016.
Contents
Background
Drive Change
A Brief Recap
Case Studies
Background
Large and growing companies have to deal with many overlapping security,
compliance, and regulatory frameworks and certification schemes to
support the complex security and compliance needs of the organization,
its stakeholders, and its customers. Often, among these business-enabling
requirements is a need for an organization to obtain a SOC 2 report.
The SOC 2 report is one of the most popular and widely accepted third-
party assurance reports in the United States as well as being recognized
globally. SOC 2 provides companies with a way to demonstrate that they
have a mature security program in place by having their program examined
by a Certified Public Accounting (CPA) firm, which issues a SOC 2 report,
including audit opinion, over the design and operating effectiveness of
the program over time.
Since SOC 2 is a reporting framework where the criteria are defined, but
not the controls, there is an opportunity for companies seeking to build
a SOC 2 program (or re-engineer their SOC 2 program) to integrate SOC
2 into an existing security framework(s) and operate a more streamlined
security and compliance program.
In the following four steps and case studies, we will explore how to reduce
audit burden, contain costs, and manage complexity by integrating SOC
2 into a single framework strategy and streamlining assessment work to
enable a ‘do once, report many’ approach:
Step 1
Define the Needs of the Organization Today & In The Future
Step 2
Understand the Current Cost Structure
Once the current and future context of the organization is known and documented, the next step is understanding the overall security compliance costs to the business.
ROI Calculator
STEP 2
Understand the Current Cost Structure
Why is this important? To drive positive organizational change, such as
integrating SOC 2 into a single framework strategy, it is important to be able
to present the business case to executives and articulate how the desired
strategy will benefit the business. Costs to consider in your analysis may
include the following:
Personnel costs: How many personnel are mostly (>50% of their time) devoted to building and maintaining the security compliance programs of the organization?
Tools and technology: What is our annual spend on tools and technologies to support our security compliance program? Are we spending on a GRC tool or multiple tools? Does our auditor have a GRC tool complementary to their services?
Consulting fees: How much are we spending in annual consulting fees for areas in which we have trouble hiring or do not need a full-time employee?
Step 3
Craft a SOC 2 Strategy
STEP 3 - A
Define SOC 2 Scope
Doctrinally, an organization obtains a SOC 2 report over its defined
information system. For SOC 2 purposes, an information system comprises
the architecture, software, data, people, and processes. This may be
defined as the entire company, including all products, a division of the
company, or simply a business unit. Each organization may define and title
its information system (for the scope of its SOC 2 program) to best meet the
business’ intent for obtaining the SOC 2 report.
Here are a few thoughts and options to consider when determining how to
combine or separate SOC 2 scopes:
Option 2: Obtain a SOC 2 over the company’s shared services and have separate reports for each product. Why? Test shared services once and inherit for other reports; products are different enough that it is better to keep scopes distinct for each report to enable sales and marketing better.
Option 3: Keep all reports separate and specific to business units and products. Why? The company has grown by M&A, and each entity has its unique scope with little in the way of shared services at the corporate level.
STEP 3 - B
Integrate Each Scope into Existing Program(s)
If your organization already has a baseline security compliance program,
work with your audit partner to design a SOC 2 control set that considers as
much of your current program and framework(s) as possible. For example,
if your organization has built its program on the HITRUST CSF, you can
utilize that framework as the baseline of your SOC 2 control set and only
add additional bespoke SOC 2 controls, as needed, in order to meet each
of the SOC 2 criteria relevant for your intended scope. The idea is to try to
leverage the overlap and reduce the complexity as much as possible.
As a reminder, there are five Trust Service Categories (TSCs) in SOC 2, with
security being the baseline ‘Common Criteria’ that are common to all SOC
2 reports and the other optional TSCs being Availability, Confidentiality,
Processing Integrity, and Privacy. If you only need your SOC 2 program to
cover Security, then depending on the breadth of your ISO 27001 scope, you may
only need to design a few additional controls to meet the SOC 2 criteria. We
call this process of defining the organization’s bespoke SOC 2 control set to
meet the static SOC 2 criteria ‘Design of Controls,’ and it is a very important
step in building a streamlined program that serves the organization.
STEP 3 - C
Streamline, Combine, Reduce
Once you have informed and customized your SOC 2 control set, considering
existing programs, the next step is to see how and where you can streamline
work efforts, combine work activities, and reduce audit burden and fatigue.
STEP 3 - D
When Possible, Automate Evidence Generation & Collection
While a SOC 2 program cannot be automated, despite what some GRC
tool marketing departments may otherwise say, there are definitely
opportunities to automate the generation and collection of audit evidence
and to utilize tools to supplement those persons managing the program.
For example, log retention settings, AWS GuardDuty configurations, and
AWS Security Groups can all be pulled into modern GRC tools, like Phalanx
GRC, without the need to ask for it continually; Risk Assessments and
management of risks over time can be done in-app; user access listings can
automatically be pulled from the major Cloud Service Providers, reducing
the need to reach out to engineering to gather those audit artifacts
periodically. There are great opportunities for reducing the internal burden
of compliance!
Step 4
Drive Change
With the context of the organization and the costs considered, it is time to decide how best to integrate SOC 2 into the organization’s strategy. It is recommended that these decisions not be made in a silo but in coordination with all the relevant stakeholders who need to be on board. This will increase the likelihood of the strategy being well-received and implemented successfully.
STEP 4
Drive Change
You have a good understanding of the organization and its context. You have
calculated the costs associated with managing multiple security compliance
programs. You’ve put the time in to think through a logical strategy to carry
the business forward while streamlining efforts and integrating SOC 2 into
existing work streams. You have ideas on how things need to change. What
are the next steps? How do you present the ideas, build consensus and get
traction on driving these positive changes?
There are three things that will underpin and support your efforts:
a. Who are your internal champions to help you drive this initiative?
b. Who are your other advocates who need to be consulted and informed?
c. Who will be signing off on this initiative? Can you foreshadow what you will present?
A BRIEF RECAP
In summary, addressing multiple security, regulatory, and compliance
requirements from customers, prospects, governments, markets, etc., can
be daunting and overwhelming, but there are opportunities for efficiency.
When thinking about how best to integrate or reintegrate SOC 2 into the
business’ overall security compliance program, remember the following
points for consideration:
Step 1: Define the Needs of the Organization
Step 2: Understand the Current Cost Structure
Step 3: Craft a SOC 2 Strategy
a. Define SOC 2 Scope
b. Integrate Each Scope into Existing Program(s)
c. Streamline, Combine, Reduce
d. Automate Evidence Generation & Collection
Step 4: Drive Change
a. The Business Case
b. ROI Calculator
c. Build Champions
d. Communicate
Case Studies
“ACME Company”: Fast Growing B2B Company Navigating Global Expansion
“Bravo Company”: Large B2B SaaS Company in the Health IT Space
CASE STUDY
ACME Company
Acme Co. is a fast-growing B2B company navigating global expansion.
Four business units are already subject to ISO 27001 Certification
and are now asked to become SOC 2 and GDPR compliant within the
organization within 15 months.
CASE STUDY
ACME Company Approach
After working through the steps outlined in this whitepaper, Acme Co.
integrated SOC 2 for shared services and each business unit into their
existing ISO 27001 efforts. Working with risk3sixty, they created an ISO
27001-based SOC 2 control set, which reduced the net-new controls to only
those necessary for SOC 2 and not already covered by ISO 27001. Because
they wanted to go to market with distinct products, they obtained four SOC
2 reports, one for each product.
Additionally, since risk3sixty was able to help with Acme Co.’s ISO 27001
Internal Audit and combine those efforts and timeline with the SOC 2
examination into a single audit experience, there was no ‘additional audit,’
rather just an expanded audit over net new controls, which addressed
leadership’s second concern.
The net result of this approach was that there was no need to hire additional compliance analysts, as the increase in internal burden was not significant enough to warrant it.
To help address GDPR concerns, Acme Co. added the Privacy TSC to
Security in their SOC 2, adding some new privacy controls to scope to give
the company an approach to GDPR. Additionally, in Section V of the SOC 2
report, Acme Co. decided to include a mapping of their Privacy Controls to
GDPR, giving them a practical means of demonstrating and communicating
how they were complying with GDPR. Acme Co. plans to add ISO 27701
(Privacy Information Management System) to the scope of their ISO 27001
audit, further helping them mature their privacy program and third-party
assurance.
Since the ISO 27001 and SOC 2 efforts were combined for this year, Acme
Co. was very quickly able to obtain a SOC 2 Type 1 report and is on track to
have their SOC 2 Type 2 within their desired time frame.
CASE STUDY
Bravo Company
Bravo Company is a large B2B SaaS company in the Health IT space. The
company has two business units, both handling ePHI and subject to HIPAA
Compliance. The company has a current HITRUST certification, having
completed its first HITRUST i1 validated assessment last year.
The company has identified a new vertical for its SaaS offerings outside the
Health IT space and is now being asked to become SOC 2 compliant within
the next 12 months.
Leadership expressed concerns about adding an additional audit to an
already busy schedule. While increased costs were discussed as a factor, the
biggest real cost to the firm is the drain on the team from multiple audit
cycles and everything that comes with that: walk-throughs, observations, and
evidence collection. Despite their concerns, leadership has communicated
a commitment to doing SOC 2, as this will help them be competitive in this
new vertical.
The net result was that a single, combined HITRUST/SOC 2 audit from
risk3sixty resulted in a SOC 2 report being issued by risk3sixty and a HITRUST
certification being issued by HITRUST (upon QA review of risk3sixty’s
assessment work). This saved Bravo Company many additional person-
hours and kept their external audits to one per year. As a result of this
strategy, the company could focus more of its energy on expanding into the
new vertical instead of conducting a second annual audit.
Let’s Get Started
Programs That Leave No Doubt
risk3sixty is a nationally recognized security, privacy, and compliance advisory firm serving firms across the United States and globally.
By the Numbers
✓ 100% certification and compliance
✓ Clients across the United States and 17 countries