SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

Do You Need an Enterprise Services SOC 2 Examination?

SOC Examinations | SOC 2

As the need for SOC 2 examinations continues to grow domestically as well as internationally, many organizations now either find themselves taking on more and more assessments or trying to appease a client base that requires a SOC 2 examination when the typical product or platform approach may not apply. When these situations crop up, we are seeing more adoption of what’s known as an enterprise services SOC 2 examination.

As a leading provider of SOC reports with over two decades of experience in these examinations, we’re very familiar with all the different approaches to these reports, having helped various types and sizes of organizations find the best solutions to satisfy their needs.

You may not understand what we mean when we say “an enterprise services SOC 2 report” yet, but in this blog article, we’re going to explain the two increasingly common use cases for this kind of SOC 2 examination so that you understand this option and whether it suits your organization.

2 Use Cases for Undergoing an Enterprise Services SOC 2 Examination

 

These two general use cases for an organization to pursue an enterprise services SOC 2 examination are:

  • To simplify a growing compliance portfolio as an organization with increasing obligations; or
  • To fulfill a customer request as a non-typical service provider.

1. To Simplify a Growing Compliance Portfolio

 

As organizations grow and either develop and launch additional services that are unique in design and system—or if they add additional services to their product portfolio through acquisition—the challenge becomes internal management of the extensive compliance program and making the external assessments as efficient as possible.

Something that can help is carving out your enterprise services from your product or platform-specific SOC 2 examinations into their own SOC 2 examination and treating those services as a subservice organization within your product or platform-specific SOC 2 examination report (more or less).

Of course, you’re likely wondering, “Why would I take on another SOC 2 examination if I’m already doing SOC 2 examinations for other products or platform services?” How can adding another report simplify my compliance obligations?

Consider your other SOC 2 obligations—they all likely share common controls (typically enterprise level) that must be tested. It’d be more efficient if you could test those once and apply the results to your product or platform-specific SOC 2 reports—the issue is that all your reports may not have the same examination period, which means you’re likely retesting those common controls multiple times throughout the year and that’s heavily taxing on your teams in human resources and other shared services.

Getting a SOC 2 report solely for your enterprise services can alleviate some of that burden. The examination period would be independent of those SOC 2 reports that rely upon it—it’d be no different than carving out a cloud hosting service from a SOC 2 examination in that the periods do not have to align.

Moreover, adding this extra report would allow you to actually test controls once and apply them multiple times, as the application of those controls would be through the carved-out report. From a reporting perspective, your product or platform-specific SOC 2 report would treat those common/enterprise controls no different than other subservice organization controls—noting the related criteria and control in the Section 3 System Description as well as within Section 4.

2. To Satisfy a Client Request (Non-Typical Service Providers)

While SOC 2 examinations are typically geared toward organizations that store, process, or transmit any kind of customer data, there’s a small but growing trend of requests from customers who want to see SOC 2 reports from businesses providing services that don’t quite fit the standard’s usual profile.

Generally, these requests stem from concerns regarding that organization’s security posture/cybersecurity, and while a SOC for Cybersecurity examination could also serve as an alternative, you can still fulfill the specific request for a SOC 2 that just covers your enterprise services.

That being said, going this route may require more due diligence in properly scoping your system(s), as typically, with SOC 2, the scope is solely focused on a specific product or platform. Despite the potential challenge, this can be done—your enterprise services scope would be focused on your organization as well as relevant commitments (per your selected in-scope criteria) that you’ve made to internal or external users.

Nonetheless, if you do decide to pursue an enterprise services SOC 2 as a non-typical provider, be careful not to allow scope creep to distract you from what should be clear boundaries for your enterprise services SOC 2 scope. Having your scope clearly defined within the Section 3 System Description will be critical—not only for your organization and the assessor performing the examination but also for readers of the report.

And when all that’s set and done and you’ve completed your SOC 2 examination of your enterprise services, you’ll have a readily available report for your customers demonstrating that you have the necessary controls and processes in place to support your commitments to them and the related in-scope criteria.

Pros and Cons of an Enterprise Services SOC 2 Examination

 

As right as the solution may sound for your needs, let’s put all your considerations succinctly:

Potential Advantages Gained

Potential Drawbacks

Level the Competitive Playing Field: Even aside from the two use cases mentioned above, an enterprise services SOC 2 report can help satisfy customer needs and provide a compliance advantage over competitors.

Additional Cost: Of course, if you add another report, it’ll cost, and that will affect your budget.

Lessen Audit Fatigue: For those maintaining a much larger compliance program, an enterprise services SOC 2 report can streamline those processes for involved teams—specifically, those shared services’ business units (e.g., human resources or vendor relations) that participate and support each product or platform-specific SOC 2 examination.

Complex Scoping: As we previously noted, scoping is critical—for either use case—and that could get complicated, since some organizations may have very mature controls and processes when it comes to the products or platforms they deliver to their customer base, but less mature controls and processes for internal operations.

Future Efficiencies: Not only will the test-one-use-multiple-times approach through the carved-out enterprise services report allow it to be used for other, current product or platform SOC 2 examinations but it will also streamline any future ones you may need to add.

 

Learn More About Efficient Compliance

 

Completing a SOC 2 examination for your enterprise services may seem like an unnecessary step, but depending on your circumstances, it could be a helpful move for your organization. Now that you know more about the typical and specific use cases, as well as the pros and cons of pursuing an enterprise services SOC 2 report, you can move forward knowing you’ve explored these potential efficiencies/advantages.

As long-time cybersecurity assessment providers who provide a broad suite of services to clients with varying compliance needs, we’ve come to prioritize helping organizations achieve their goals thoroughly, but also expeditiously—to the point where we developed an entire methodology for managing multiple projects for a single client.

So, if you’d like to speak with us more about a potential SOC 2 examination for your enterprise services, we’d love to speak with you, but in the meantime, check out our other content that explores different options that can help your compliance initiatives progress more efficiently while still maximizing your investment:

About RYAN MACKIE

Ryan Mackie is a Managing Principal at Schellman, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.