Today's thought deals with a report that has been around for a while but is gaining more and more importance in the marketplace: the SOC 2 report.
What we are finding is that a lot of organizations are thinking:
"I wonder if there are other things that I can add to this SOC 2 to take advantage of the time and investment that is going into this report?"
Maybe they are undergoing a SOC 2 examination that is going to include the security category, or maybe processing integrity and confidentiality as well. But they also have stakeholders in the healthcare industry, and they would like to take additional criteria such as HITRUST and merge them into a single report.
Now, of course you can do that with a SOC 2 + HITRUST, but the question is: should you always be looking to take your existing SOC 2 and merge it with an additional set of subject matter or additional criteria?
Now, this is something that is certainly allowed and available to you in the SOC 2 guidance, but you want to make sure you take time to do some things that are very important, namely planning it out. Oftentimes, when organizations begin to say "okay, let's take our SOC 2 and let's add to it," they say maybe there are some safeguards from the HIPAA regulation (perhaps the Security Rule or the Breach Notification Rule), or maybe there are some elements of HITRUST that they want to add into the SOC 2 to paint a more holistic picture of what it is they are doing. Or maybe there are some things outside of the security program or information security program that they would like to have included in the report as well. All wonderful ideas, and in certain instances they may have the appropriate audience that could use that type of information.
The big thing, though, is the planning step: you never want to add criteria to a report that will be incongruent with the type of audience that is going to use the report. Maybe it makes sense to go the HITRUST certification route for those covered-entity clients of yours, and keep it separate from the SOC 2 for clients that are perhaps using a different service altogether. The SOC 2, plus any additional criteria, is going to first look at making sure that you satisfy the SOC 2 criteria (whether that is security, or processing integrity and confidentiality, for example), and then the additional criteria that may serve a different set of audience needs. So what you don't want to do is add those together in a way that isn't thoughtful or deliberate. Certainly, you can take advantage of what you can, but you want to make sure you always preserve the efficiency of such an undertaking and the usefulness of the resulting report.
So, the next time you have the thought of taking an existing SOC 2 report and adding additional subject matter to it: perhaps it is a good idea, but make sure that you properly plan it and execute it accordingly.