The Definitive SOC 2 Jumpstart Guide

Have you ever seen those Easy Button gag gifts? Wishful thinking says that they have magical powers that’ll let you instantaneously solve your present problem with the simple press of a button.

Shaping your SOC 2 examination is NOT like pressing an Easy Button. In fact, we might say it’s more like Whack-a-Mole.

In the popular arcade game, you have a hammer and you try to smack each “mole” that emerges from its hole as quickly as possible. But the game throws a lot of moles at you in a rapid, random order, making the game difficult as you try to make the right decisions.

Given all the details that go into an examination, yes—SOC 2 is similar. To get the right kind of examination for you—the kind that will provide the right kind of assurances to your customers—you need to examine all the facets and pick the ones that suit your needs the best.

But how to do that? Exactly how many decisions are we talking about here?

You might be on your own the next time you face Whack-a-Mole in the arcade, but you aren’t here. SOC reporting is a staple service here at Schellman and after two decades of providing these services, we’ve got all the angles covered in terms of expertise.

Having helped hundreds of clients make these same determinations for their SOC 2 examinations, we now want to help you shape exactly what you want out of this kind of examination.

This is the complete guide to scoping a SOC 2 examination

We’ve divided this process into four sections that will progressively tailor all the options you have into just the ones you need. Read this and not only will you have a greater knowledge base on the particulars of SOC 2 internally, but you’ll be able to save time in sales calls, knowing exactly what you want from your auditor, and thereby get started quicker.

Section 1:
Confirming Your Start Point

At Schellman, we can definitively say that we do more SOC 2 work than anything else in our suite of services. For a lot of organizations, it’s the first word on compliance they hear, and so they think, “sure, I’ll do a SOC 2.”

But is this the right starting spot for you? Let’s make sure that this is where you need to be. This section will help you confirm:

  1. Do You Need a SOC 1 Instead?
  2. Have You Already Completed a SOC 1?
  3. Would You Prefer a SOC 2 or an ISO 27001 Certification?

Having read through all this, you’ll know early on whether this is the guide for you—or if you should seek further information on another service altogether.

1. Do You Need a SOC 1 Instead?

A SOC 2 examination can help you communicate assurances to your customers regarding your security, service availability, transaction processing, data confidentiality, and/or privacy. But its predecessor—SOC 1—can help in a different, yet beneficial, way because it instead focuses on the potential impact you could have on your customers’ financial reporting.

SOC 1 is much more niche than SOC 2, which is likely part of why the latter is chosen as a compliance launch point more often than not. But that does not mean a SOC 1 holds no value. You may find you need to pivot to SOC 1 if your service could affect your customers' financial reporting, for example if you:

  • Host customer systems (e.g., infrastructure as a service (IaaS), platform as a service (PaaS), etc.)
  • Host software in the cloud (e.g., software as a service (SaaS))
  • Process transactions (e.g., payroll, loan servicing, medical or insurance claims, inventory) or otherwise work with financial information
  • Are any of the following:
    • A data center
    • A colocation service provider
    • A managed services provider
    • A custodian for investment companies
    • A mortgage service company

2. Have You Already Completed a SOC 1?

You certainly can also do both a SOC 1 and SOC 2 if you need to, but you may have already completed the former. If you have, here’s some great news—you’ve got a head start when it comes to shaping your SOC 2.

The steps you took to get through a SOC 1—i.e., completing a risk assessment, deriving appropriate and necessary control objectives, and collecting evidence to support those objectives—will helpfully transfer over when you bridge to your SOC 2.

Depending on other factors, like the Trust Service Categories you include (which we'll get into later), you might be able to provide the exact same evidence, though that's not a guarantee. The examination process of SOC 1 and SOC 2 is remarkably similar; in fact, your assessor bears much of the brunt of the difference. In examining the evidence you'll still need to provide, they'll just be taking a viewpoint driven by your system description and principal service commitments rather than the one they took for your SOC 1, which was anchored in your controls relevant to your customers' financial reporting.

3. Would You Prefer a SOC 2 or an ISO 27001 Certification?

Just to be clear, when you opt for a SOC 2, your auditor will assess your controls against the Trust Services Criteria established by the American Institute of Certified Public Accountants (AICPA).

In choosing this compliance initiative, you're asking your auditors to measure your controls against an operational, security-centric set of criteria: there is a preset baseline for information security that you must meet, but the specific controls you use to meet it are yours to define. Your assessors will determine whether those controls achieve your service commitments and system requirements in one or more categories of criteria.

Now, there’s a reason SOC 2 is our staple service—compliance of this kind can benefit anyone charged with protecting data and delivering services. But before we get going on determining what yours specifically should look like, we have to ask: would you prefer (or get more benefit from) an ISO 27001 certification?

We’re not saying one is better than the other—we just want to make sure you’re taking the right steps for your organization.

Both SOC 2 and ISO 27001 are widely accepted and internationally recognized, and both address your information security. But where your SOC 2 focuses on your service commitments and whether your own controls meet them, ISO 27001 certifies a management system: you must build an information security management system (ISMS) that satisfies the standard's mandatory clauses, and select controls from its Annex A (or elsewhere), justifying any you exclude in a Statement of Applicability.

The mandatory ISMS clauses leave no room for negotiation. The control set, however, is thorough enough that it overlaps heavily with what Sarbanes–Oxley (SOX) IT general controls, the NIST Cybersecurity Framework (CSF), and the security obligations of the European Union's General Data Protection Regulation (GDPR) expect, so an implemented ISMS gives you a strong head start on those, even though it does not by itself make you compliant with them.

Achieving such a globally accepted level of security effectiveness could lead to efficiencies across your audit projects, but this certification does require much more ramp-up time to prepare and implement that ISMS than your SOC 2 would.

If you’ve got that time and your research demonstrates that perhaps this would make for a better concentration of your compliance efforts, check out our article on the ISO 27001 process to understand how it would all work.

(If, at the moment, you’re not enthused about the level of preparation ISO 27001 requires—or maybe you’re just set on the SOC 2—don’t worry. Should you choose to invest in that certification later, mappings exist to bridge between SOC 2 and ISO 27001.)

Section 2:
Deciding on Any Extras

Alright, you’ve considered all the other compliance options, and for you right now, it’s SOC 2 or bust. That means it’s time to make like Michelangelo and start carving your David of an examination.

Now that we’ve established that, let’s make sure you don’t want to add anything to this examination.

Depending on your customer base and what kind of use case you’re looking for, it may benefit you to add another report or to tack on more criteria to the SOC 2 itself. In this section, we’ll address some options you have for add-ons, including:

  1. Should You Invest in a SOC 3 Too?
  2. Do You Need a SOC 2 + Additional Criteria?

Maybe the standalone SOC 2 is perfect for your organization, but maybe it would suit your needs and those of your customers better to include further documentation or frameworks.

1. Should You Invest in a SOC 3 Too?

We already went over how you can bridge from a SOC 1 or even perform one simultaneously with your SOC 2. But what about a SOC 3?

If you ask us, a SOC 3 can be considered the fraternal twin of SOC 2—there are a lot of similarities:

  • They're both conducted in accordance with the same sections of the SSAE 18 standard.
  • Both report on your controls relevant to the Trust Services Categories of security, availability, confidentiality, processing integrity, and/or privacy (which we’ll get into later).

Right now, you’re thinking, if they’re so alike, why on earth would I pay more money for two of the same thing? We’re glad you asked.

The big difference between a SOC 2 and SOC 3 is in their reports:

  • Each contains different amounts of information.
  • Each has a different allowance when it comes to who can read and rely upon each report.

A SOC 2 is going to contain everything including all the tests completed and a full description of your system, whereas your SOC 3 will leave out the testing and abbreviate the description.

But it’s that last point that’s key.

You’re here because you want to provide some assurances to your customers that you’re protecting their data. A SOC 2 will help with that—you can provide them this report to see for themselves all your independently validated security measures.

However, a SOC 2 is restricted use, meaning its audience must be specified within the deliverable. So that works for your customers, but not so much in generating further general interest in your services or product.

But in contrast to their twin SOC 2, SOC 3 reports are general use, meaning you can hand it to anyone on the street should you so choose. For that reason, many organizations out there consider them powerful marketing tools—sure, they don’t contain everything, but they still can provide a decent overview of your compliance posture to someone considering you for their business.

2. Do You Need a SOC 2 + Additional Criteria?

As you contemplate adding on a separate SOC 3, you also need to think about whether you want to add criteria to your actual SOC 2.

If you're going to invest in an audit, you should include everything you need to satisfy your customers' demands. When you've chosen SOC 2, know that you have the option to have your system or product evaluated against more than just the standard Trust Services Criteria.

You don't have to, of course, but combining things does present a few advantages: 2-in-1 testing rather than two separate testing efforts during two audits, fewer internal complications, and potential budget savings.

All that probably sounds pretty good, though really, we only recommend including other frameworks within your SOC 2 if your customers are requesting, or may request in the near future, other compliance assurances from you.

But you can’t just add anything you want to your SOC 2. Generally, acceptable additional criteria are derived from an IT control framework. Here are some common ones it may suit you to go ahead and incorporate:

HIPAA Security Rule

Adding these criteria and achieving compliance here would assure interested parties that you're meeting the HIPAA Security Rule's requirements regarding the transmission, processing, and storage of electronic protected health information (ePHI).

If you host or process ePHI on behalf of a healthcare organization, it may benefit you to provide both the results of a SOC 2 examination and a HIPAA examination to your customers.

HITRUST Common Security Framework (HITRUST CSF)

Adding these criteria and achieving compliance here would assure interested parties that you’re meeting the guidelines of HITRUST’s proprietary CSF that leverages nationally and internationally accepted security and privacy-related regulations.

If you’re looking to provide an introductory level of assurance related to the HITRUST CSF and are not required to undergo a HITRUST CSF certification, it may benefit you to provide both the results of a SOC 2 examination and a HITRUST examination to your customers.

However, in the interest of full disclosure, there is a distinct difference between SOC 2+HITRUST and HITRUST certification in and of itself, so you may want to examine the distinctions more closely in case full certification may suit you better.

Cloud Security Alliance Security, Trust, Assurance, and Risk (CSA STAR) Attestation

There was a specific effort made to make this combination of the SOC 2 Trust Services Criteria and the CSA Cloud Controls Matrix (CCM) possible.

If you are a cloud service provider (CSP) and your customers want a better understanding of the maturity of your security program, adding the CCM as additional criteria can provide that assurance.

NIST SP 800-53 (Security and Privacy Controls)

NIST SP 800-53 is the catalog of security and privacy control families that federal systems must implement under the Federal Information Security Modernization Act (FISMA), applied through the NIST Risk Management Framework. You would indicate the impact level of your system (low, moderate, or high, per FIPS 199) to establish which control baseline applies and to provide context for the controls in place to meet each SP 800-53 requirement.

This might be an especially beneficial direction for those wanting to do business with federal government agencies or government contractors. Your compliance with these criteria, which go considerably further than a SOC 2 alone, would give them a helpful understanding of the level of data security you have.

---

These four frameworks are not the only options for inclusion you have regarding your SOC 2—they’re just the ones we get asked about most often. Each has its benefits, and you should know that if you do choose to add one in, that additional set of criteria will be tested and opined upon in the same manner as that within your SOC 2 examination.

Section 3:
Determining the Kind of Assurance You Need to Provide

It’s time to get down to the nitty-gritty of it all. With all the extras and options now decided, the fact of the matter is, if you’ve made it this far into our guide, you’re decided on a SOC 2 examination because you know how this process can help you. Now it’s time to establish exactly what you want out of it.

In this section, we'll nail down all the particulars of your actual SOC 2 examination so you can provide your customers the assurance they need within the capacity of your resources, including:

  1. Type 1 or Type 2 – Which Report?
  2. Which Trust Service Categories Should You Include?
  3. Should You (Really) Include Privacy in Your SOC 2?

At the end of this, we promise you’ll know exactly what you want going into your first conversation with potential assessors you’ll vet to perform your tailored audit.

1. Type 1 vs. Type 2 – Which One is Best?

This is a hugely important question to answer because the ripple effect is drastic. Your report type determines four other important audit details: the review period, what is evaluated, what the result means to your customers, and the effect on your internal resources.

Aside from being critical to your audit experience, these four elements differ sharply between the two report types:

Type 1
  Review Period: Not applicable; point in time as of a single day.
  Details Evaluated: Design and implementation of controls.
  What That Means: A Type 1 report gives you and your customers what is essentially a quick look and confirmation that, as of that date, your controls are suitably designed and in place to do what you say they do.
  The Effect on Your Internal Resources: Generally, a Type 1 report is both less expensive and requires less from the audit-relevant personnel on your team (and from your chosen auditors).

Type 2
  Review Period: Typically a year; six months is generally considered the shortest useful period.
  Details Evaluated: Design, implementation, and operating effectiveness of controls.
  What That Means: A Type 2 report takes its sister Type 1 a step further by also testing your controls as they operate over the review period, so your customers are assured not just that the controls are well designed and implemented, but that they functioned consistently.
  The Effect on Your Internal Resources: That extended timeline and added testing require more effort from your auditors (so expect higher fees) as well as from your personnel, who will need to produce evidence from throughout the period.

In terms of the level of assurance provided, the Type 2 is a clear step above the Type 1. But Type 1 exists for a reason, and it might be yours. Despite the difference in what each means to your customers, a Type 1 can still be helpful if:

  • Your necessary turnaround time is quick.
    • If a customer is requesting a SOC 2 report from you, they may want it fast, faster than the six-month or longer review period a Type 2 typically covers. Type 1 reports do still offer some assurance, and they can serve as a placeholder until you get through a Type 2.
  • You'd be more comfortable with a safety net of sorts.
    • Type 1 examinations can also help you lay solid groundwork. If you're nervous about jumping into a Type 2 and testing of that nature, a Type 1 will help you develop your control set and find any initial gaps you can remediate before you proceed to a Type 2: a double-checking of your work, of sorts.
    • Of course, if you're brand new to SOC, you may want to back up even further to a readiness assessment, which would precede a Type 1 and establish your control foundation.

This decision on Report Type is pivotal, and there are questions you can ask yourself to clarify your path moving forward here. Factoring in your customer requests, the type of service/product being audited, and your timeline, as well as the availability of internal resources, will help you choose, but you can’t go truly wrong with either—it’s just about what’s going to suit your organization best.

2. Which Trust Services Categories Should You Include in Your SOC 2?

Choosing your report type decides how deeply your controls will be assessed and, with it, the audit's effect on your organization. But the crux of every audit, SOC 2 included, is what is evaluated, and that's where the Trust Services Categories come in.

Five in total, each contains criteria, the Trust Services Criteria (TSCs), against which the controls relevant to your scoped service/product will be measured. While these are the backbone of the examination, it's still up to you to determine which categories to include (aside from the Security category, which is required with very few exceptions).

Security (required for every SOC 2 examination)
  33 criteria (the common criteria, CC1 through CC9)
  Controls assessed to determine: Is your service/product protected against unauthorized access, use, or modification?

Availability
  3 criteria
  Controls assessed to determine: Is your service/product available for operation and use as promised?
  You might include this category if: You have promised to ensure some level of accessibility to the product or service being audited.

Processing Integrity
  5 criteria
  Controls assessed to determine: Is the processing your service/product performs complete, valid, accurate, timely, and authorized?
  You might include this category if: You have specific data input, data processing, or data output responsibilities that you perform on behalf of your customers, whether through manual or automated processes.

Confidentiality
  2 criteria
  Controls assessed to determine: Is the information designated as confidential protected?
  You might include this category if: There is data flowing through your scoped system or service whose access and disclosure are restricted to certain people or organizations.

Privacy
  18 criteria
  Controls assessed to determine: Does your service/product collect, use, retain, disclose, and dispose of personal information in conformity with both your privacy notice (if you have one) and the category's criteria, which descend from the Generally Accepted Privacy Principles (GAPP)?
  You might include this category if: Personal data gathered directly from individuals flows through your scoped system. Personally identifiable information (PII) is information that can identify a specific individual (e.g., name, address, Social Security number, among other things).

SOC 2 is such a popular standard for compliance in part because of its breadth, but that doesn’t mean that you need to include every trust service category in your examination. Your chosen categories and resulting TSCs should be predicated entirely on your service commitments and requirements.

As was stated earlier, you must include the Security category, but to determine if you should include any of the others, it will help to understand these things:

  • Did you make any specific commitments to make your scoped system available/accessible to customers?
  • Have you agreed to ensure the integrity of any data stream your product/service is involved with?
  • Is there any data moving through your service/product that is confidential or private?

However, even if you have made commitments around these categories, that doesn’t mean you necessarily have to include them in your audit—especially if this is your first time through a SOC 2 examination. Organizations will typically begin with the bare bones—security, and sometimes availability—and they can do that because most of the time, customers aren’t requesting specific categories to be included.

They just want to see your SOC 2, so please understand that it’s perfectly acceptable to want to get your feet wet first. This is an annual examination, so you will be able to add categories later as time progresses.

3. Should You Include the Privacy Category in Your SOC 2?

 

Privacy, with its incredibly high stakes and personal implications, has always been a delicate and complicated landscape. In our experience, this has created some confusion over the Privacy Trust Service Category in particular, so let’s clear it up and fully finalize your tailored SOC 2.

First things first—if you do not handle PII, you should not include this category.

But if you are an organization that handles PII and have made service commitments to your customers accordingly, it may seem like a no-brainer that you should have your relevant controls evaluated to confirm you’re adhering to your promises.

Seems efficient to compact everything into one assessment, doesn’t it? But let’s break down the whys and why nots regarding the inclusion of the Privacy category:

 

Why Include Privacy

It will provide assurances regarding your privacy safeguards: The SOC brand is known and widely accepted. Having your privacy controls evaluated against this category’s criteria would communicate that you’re protecting sensitive data ably because among the things that will be evaluated are:

  • Relevant policies and procedures
  • Specific logical access and IT security
  • Authentication and authorization mechanisms
  • Detection and notification systems
  • Notification procedures in the event of unauthorized disclosure
  • Monitoring controls

You’ll also get a better idea of where you stand with these privacy controls: If you include this category, the audit results will point out inadequacies and where you need to mature your processes and architecture around PII.

Why Not Include Privacy

There are a lot of criteria and that translates to an increased workload/build-out of controls:

Aside from Security with its 33 criteria, the privacy category contains the most criteria with 18. Your auditor will also review your organization’s privacy notice and assess the controls related to all of your commitments articulated in that public-facing document. With so much to be evaluated, you’ll need to make sure you have an effective privacy information management system or a privacy program in place, and that it will stand up to the rigor of an assessment like SOC 2.

** We will say that a lot of that extra work might be mitigated if you’ve already been through this kind of audit—or another, separate privacy assessment—since it’s likely your infrastructure would already be in place.

If you handle PII, you’ve likely made promises to protect it to your market, and having a third party come in to see how well you’re fulfilling those promises makes complete sense. But as we said earlier, the privacy landscape is complicated—and it’s also vast. There are alternatives to providing these particular assurances to customers—alternatives that would be separate from your other information security being evaluated in your SOC 2 and also suit your organization and resources better.

Before you settle on including the Privacy category, look into these 3 frameworks below before you commit to that increased workload and more complicated SOC 2.

Because what we see most often is organizations pivoting away from this category and opting for an ISO 27701 certification instead. Ultimately, it’s up to you, but we would encourage you to delve into these options and their suitability before finalizing your SOC 2 to include privacy:

Section 4:
Understanding the Relevance of Your Third Parties

Now that you know what you want out of your SOC 2, the last thing to do is to determine what role your associated third parties will play.

In this section, we’ll go over the two different methods for a SOC examination—carve-out and inclusive. Each has its unique approach to subservice organizations, so we’ll first provide some insight on how to distinguish those from other vendors.

  1. Vendors vs. Subservice Organizations: What’s the Difference?
  2. Which SOC Method? Carve-out or Inclusive?

1. Vendors vs. Subservice Organizations: What’s the Difference?

You may be among many organizations that rely on third parties to help provide your service or support your product. Now that you’ve decided to have a SOC 2 examination performed, it’s become necessary to classify these third parties and the parts they’ll play in said audit.

Only those considered subservice organizations might play a role in your SOC 2 examination—all subservice organizations are vendors, but not all vendors are subservice organizations:

What is a Subservice Organization?

A vendor is a subservice organization if they provide you with services/support AND either:

  • Their controls, in combination with your own, are necessary to fulfill your selected SOC 2 Trust Services Criteria; or
  • The description of their services is necessary for your customers to understand your system as it relates to the applicable trust services criteria.

 

To help further illustrate this, here are some examples:

Vendor (not a subservice organization)
  An organization that provides you with monitoring services, but you are responsible for reviewing the reports or alerts for unusual or suspicious activities or events. You own that control activity and do not rely on the vendor to perform it.

Subservice organization
  An organization that provides you with data center services. They are responsible for the related infrastructure, which makes them responsible for the physical and environmental security controls over it, controls that your criteria depend on and that your customers need to understand.

2. Which SOC Method? Carve-out or Inclusive?

Now that you’ve categorized all your vendors and discerned which ones—the subservice organizations—will play a role in your SOC 2, it’s time to decide what kind of role they’ll have, and the naming conventions both hit the nail on the head.

Do you want to include your subservice organizations in your SOC 2 examination, or do you want to leave (carve) them out? Here’s an overview of what you need to know before making your decision:

Inclusive

What Does It Mean?

The subservice organization's relevant controls would be included in the description of the system and in testing. You would need a written assertion from that organization's management, as well as a description of their portion of the system, for inclusion in your report.

Considerations:

  • Your subservice organization(s) would need to agree to be audited as part of your examination, and that's not always an easy ask.
  • You'll also need to be prepared to discuss any exceptions found in their environment, since they will be communicated through your report.

Carve-out (more common)

What Does It Mean?

The subservice organization's controls would be excluded from the description of your system and from testing. Your description must still identify the services they provide and the complementary subservice organization controls (CSOCs) you assume they operate in order for your criteria to be met.

Considerations:

  • This may be easier if you're not sure you can get full cooperation from your subservice organization to be audited as part of your SOC examination.
  • If your subservice organization has a SOC report of its own, you can (with the permission of the subservice organization) provide that to your customers along with your own.
  • However, since your auditor will not be reviewing the subservice organization's controls, you need your own method of monitoring them (for example, reviewing their SOC report and its exceptions against the CSOCs you rely on) to ensure their control environment is up to standard.

The fact that this aspect involves either reliance on another organization(s) or compensating controls may make it seem particularly agonizing, but it’s important to understand each method’s caveats before settling on what to do about these relevant third parties.

And just so you know, regardless of which method you do choose, you must disclose the existence of any services provided by any subservice organizations in your report.

Next Steps for Your SOC 2 Examination

Deciding to proceed with a SOC 2 examination is a big step—but it may seem like that’s the only easy decision, since those that follow to shape exactly what you want out of this assessment just get more complicated. But now that you’ve read this comprehensive guide to the particulars of SOC 2 examinations, you know exactly what you need and want out of this audit, including what it’s going to take from your relevant vendors.

Your next step is to take all your answers to all these questions to different assessors and ask how they’ll make the entire process easier on you. We have content to help you with your auditor vetting process too:

While we recognize that there are plenty of other firms—some of them big names—that might be a good fit to perform your SOC 2 examination, Schellman has performed SOC examinations for over two decades now, and SOC 2 remains our staple service.

We’d love to have the opportunity to answer any further questions you may have and perhaps even earn your business, so please do reach out to us to see if we’re a good match to perform your fully tailored SOC 2 assessment.