Do You Need an Enterprise Services SOC 2 Examination?
As the need for SOC 2 examinations continues to grow domestically as well as internationally, many organizations now either find themselves taking on more and more assessments or trying to appease a client base that requires a SOC 2 examination when the typical product or platform approach may not apply. When these situations crop up, we are seeing more adoption of what’s known as an enterprise services SOC 2 examination.
As a leading provider of SOC reports with over two decades of experience in these examinations, we’re very familiar with all the different approaches to these reports, having helped various types and sizes of organizations find the best solutions to satisfy their needs.
You may not understand what we mean when we say “an enterprise services SOC 2 report” yet, but in this blog article, we’re going to explain the two increasingly common use cases for this kind of SOC 2 examination so that you understand this option and whether it suits your organization.
2 Use Cases for Undergoing an Enterprise Services SOC 2 Examination
The two general use cases for an organization to pursue an enterprise services SOC 2 examination are:
- To simplify a growing compliance portfolio as an organization with increasing obligations; or
- To fulfill a customer request as a non-typical service provider.
1. To Simplify a Growing Compliance Portfolio
As organizations grow, they either develop and launch additional services that are unique in design and system, or they add services to their product portfolio through acquisition. Either way, the challenge becomes managing an extensive compliance program internally while making the external assessments as efficient as possible.
Something that can help is carving your enterprise services out of your product or platform-specific SOC 2 examinations into their own SOC 2 examination and then treating those services, more or less, as a subservice organization within each product or platform-specific SOC 2 examination report.
Of course, you’re likely wondering, “Why would I take on another SOC 2 examination if I’m already doing SOC 2 examinations for other products or platform services? How can adding another report simplify my compliance obligations?”
Consider your other SOC 2 obligations—they all likely share common controls (typically enterprise level) that must be tested. It would be more efficient if you could test those once and apply the results to your product or platform-specific SOC 2 reports. The issue is that your reports may not all have the same examination period, which means you’re likely retesting those common controls multiple times throughout the year, and that is heavily taxing on your teams in human resources and other shared services.
Getting a SOC 2 report solely for your enterprise services can alleviate some of that burden. The examination period would be independent of those SOC 2 reports that rely upon it—it’d be no different than carving out a cloud hosting service from a SOC 2 examination in that the periods do not have to align.
Moreover, adding this extra report would allow you to test controls once and apply the results multiple times, since those controls would be relied upon through the carved-out report. From a reporting perspective, your product or platform-specific SOC 2 report would treat those common/enterprise controls no differently from other subservice organization controls—noting the related criteria and controls in the Section 3 System Description as well as within Section 4.
2. To Satisfy a Client Request (Non-Typical Service Providers)
While SOC 2 examinations are typically geared toward organizations that store, process, or transmit any kind of customer data, there’s a small but growing trend of requests from customers who want to see SOC 2 reports from businesses providing services that don’t quite fit the standard’s usual profile.
Generally, these requests stem from concerns regarding that organization’s security posture/cybersecurity, and while a SOC for Cybersecurity examination could also serve as an alternative, you can still fulfill the specific request for a SOC 2 that just covers your enterprise services.
That being said, going this route may require more due diligence in properly scoping your system(s), as typically, with SOC 2, the scope is solely focused on a specific product or platform. Despite the potential challenge, this can be done—your enterprise services scope would be focused on your organization as well as relevant commitments (per your selected in-scope criteria) that you’ve made to internal or external users.
Nonetheless, if you do decide to pursue an enterprise services SOC 2 as a non-typical provider, be careful not to allow scope creep to distract you from what should be clear boundaries for your enterprise services SOC 2 scope. Having your scope clearly defined within the Section 3 System Description will be critical—not only for your organization and the assessor performing the examination but also for readers of the report.
And when all is said and done and you’ve completed the SOC 2 examination of your enterprise services, you’ll have a readily available report for your customers demonstrating that you have the necessary controls and processes in place to support your commitments to them and the related in-scope criteria.
Pros and Cons of an Enterprise Services SOC 2 Examination
However well suited this solution may sound for your needs, here are the considerations, stated succinctly:
| Potential Advantages Gained | Potential Drawbacks |
|---|---|
| Level the Competitive Playing Field: Even aside from the two use cases mentioned above, an enterprise services SOC 2 report can help satisfy customer needs and provide a compliance advantage over competitors. | Additional Cost: Of course, if you add another report, it’ll cost, and that will affect your budget. |
| Lessen Audit Fatigue: For those maintaining a much larger compliance program, an enterprise services SOC 2 report can streamline those processes for involved teams—specifically, those shared services’ business units (e.g., human resources or vendor relations) that participate in and support each product or platform-specific SOC 2 examination. | Complex Scoping: As we previously noted, scoping is critical—for either use case—and that could get complicated, since some organizations may have very mature controls and processes for the products or platforms they deliver to their customer base, but less mature controls and processes for internal operations. |
| Future Efficiencies: Not only will the test-once-use-multiple-times approach through the carved-out enterprise services report allow it to be used for your other, current product or platform SOC 2 examinations, but it will also streamline any future ones you may need to add. | |
Learn More About Efficient Compliance
Completing a SOC 2 examination for your enterprise services may seem like an unnecessary step, but depending on your circumstances, it could be a helpful move for your organization. Now that you know more about the typical and specific use cases, as well as the pros and cons of pursuing an enterprise services SOC 2 report, you can move forward knowing you’ve explored these potential efficiencies/advantages.
As long-time cybersecurity assessment providers offering a broad suite of services to clients with varying compliance needs, we’ve come to prioritize helping organizations achieve their goals thoroughly, but also expeditiously—to the point where we developed an entire methodology for managing multiple projects for a single client.
So, if you’d like to speak with us about a potential SOC 2 examination for your enterprise services, we’d love to hear from you. In the meantime, check out our other content that explores different options to help your compliance initiatives progress more efficiently while still maximizing your investment:
- Do You Need a Team Of Internal Auditors?
- How to Maximize the Value of Your Compliance
- 5 Steps to Help You Prepare For Your Compliance Audit
About Ryan Mackie
Ryan Mackie is a Managing Principal at Schellman and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301, as well as CSA STAR certification services. He has over 25 years of experience. Ryan is also an active member of the CSA and co-chairs the Open Control Framework committee, which is responsible for the CSA STAR Program methodology and execution.