Enhanced SOC 2 reports are highly flexible tools that can incorporate multiple frameworks and industry standards into third-party assurance reporting. For Outsourced Service Providers (OSP’s), the benefits are even more significant. Consider that these businesses must often respond annually to hundreds of individual audit requests, customer questionnaires, and requests for proposals. Many of these requests require a separate analysis and response to the same or overlapping questions.

When organizations need OSPs to demonstrate compliance with various industry-specific or regulatory requirements, OSPs can integrate other frameworks including HITRUST, ISO 27001, CSA STAR, NIST, PCI DSS. For example, a control that meets one of the requirements of a SOC 2 Security TSP may also meet a particular NIST and ISO27001 security requirement.

Integration of multiple frameworks into SOC 2 Report

HITRUST (Health Information Trust Alliance)

This framework supports the Health Insurance Portability and Accountability Act (HIPAA), the US government’s security standards that all health plans, clearinghouses, and providers must follow.

An OSP claims processor must have access to HIPAA data in order to execute its responsibilities. To demonstrate that it is adequately safeguarding personal health information, it maps its controls to the HITRUST framework.


ISO 27001 is the international standard for securing information assets from threats and provides requirement for broader information security management.

A data center provider has data centers and clients around the world. It continues to get security questionnaires and requests for understanding how it manages security. Rather than addressing each questionnaire individually, the center chooses to compile an enhanced SOC 2 mapped with ISO 27001 to demonstrate its information security controls.

Cloud Security Alliance (CSA)

CSA, in collaboration with the AICPA, developed a third-party assessment program of cloud providers officially known as CSA Security Trust & Assurance Registry (STAR) Attestation

A data center provider possesses its clients’ information in both public and private clouds. Due to the unique security configurations, its clients have required a SOC 2 with STAR report.

PCI-DSS (Payment Card Industry – Data Security Standard)

This is a proprietary standard for organizations involved in the storage, processing and/or transmission of cardholder data (CHD). An OSP payment processor stores credit card information for future payments. Its customer wants to know the details of the OSP’s controls beyond the PCI certification. In situation where there is no PCI certification, there is a need to demonstrate what controls are in place.

NIST (National Institute of Standards and Technology)

The NIST Framework focuses on improving critical infrastructure cybersecurity. A company that maintains governmental contracts for building roads and bridges has contractual obligations to demonstrate how it meets the latest revision NIST. The enhanced SOC 2 reports demonstrate the OSPs information security and process controls that go beyond TSC principles.

About E Com Security SOC  2 Reports

E Com Security Solutions is recognised as one of the market leaders in security, privacy, and internal control services. We have a dedicated practice of risk and control specialists with deep industry focus and experience. We have assisted over 1000 Organisations on SOC 2 Reports and our opinion stating that your operating controls meet SOC 2 standards is likely to reinforce customer confidence in your company.

We use tailored approach that works for you – reducing the effort needed to gather required information while also helping you and your staff gain a clearer understanding of the SOC 2 requirements. We also have our proprietary processes, templates, and deliverables which allow us to accelerate every phase of the audit and reporting process while keeping you up-to-date in all phases of the engagement.