SOC 2 + CIS Controls

By Alan DeVaughan

In my last blog post (here), I discussed enhancing your SOC 2 examination by adding standards from the Health Insurance Portability and Accountability Act, as amended, (HIPAA) to your existing SOC 2 control set. This creates a SOC 2 + HIPAA examination report and allows covered entities or business associates to demonstrate compliance with the HIPAA Security, Privacy, and/or Breach Notification Rules.  

Many of our clients inquire about incorporating other standards into their SOC 2 exam. A common standard that is industry agnostic is the Center for Internet Security’s Critical Security Controls (CIS Controls). The CIS Controls are a set of best practices you can use to ensure you have a strong cybersecurity process in place. 

There are 18 control activities in CIS Controls Version 8. These control activities address fundamental areas of cybersecurity which should be in place in your organization. Adding these controls to your existing SOC 2 control set allows you to demonstrate compliance with multiple frameworks within one third-party examination report. 

Integrating CIS Controls into the SOC 2 Framework 

As a refresher, a SOC 2+ is the same as a standard SOC 2 Type 2 examination but has an additional control framework added such as the CIS Controls. The additional framework is noted in the SOC 2 auditor’s opinion and throughout the report. This provides more assurance that the additional controls are operating as expected. The auditor’s (e.g., Meditology’s) standard SOC 2 testing procedures apply to your standard SOC 2 control set plus the additional ones.  

One of your first questions is probably, “How much extra effort is involved in a SOC 2+ CIS Controls examination?” Great question! While that will depend on the size of your current SOC 2 control set, and the AICPA Trust Services Criteria (TSC) categories included in your current SOC 2 report, there is a great deal of overlap between the TSC Security category and the CIS Controls. There is a good chance most of the CIS Controls are already present in your existing SOC 2 control set. Therefore, there will not be much extra effort on your part to enhance your SOC 2 report with the additional CIS framework. 

As part of our SOC 2 process, we can map the CIS Controls to your SOC 2 control set and identify any gaps or missing controls. That will allow you to understand any remediation you need to perform before your next SOC 2 reporting period ends. We would be glad to provide additional information, discuss the best option for your organization, or answer any questions you may have. Please contact us and we’ll be in touch.  

Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients with actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them.  

Our service lines span cybersecurity certifications, security risk assessments, penetration testing, medical device security, incident response, staff augmentation, and more. Our team is run by former CISOs and privacy officers who have walked in our client’s shoes, and our experienced consultants hold certifications spanning CISSP, CEH, CISA, HCISPP, CIPP, OSCP, HITRUST, and more. In addition, we maintain strong relationships with healthcare regulatory and standards bodies, including serving as HIPAA expert advisors to the Office for Civil Rights, providing us with a uniquely thorough perspective on the healthcare cybersecurity landscape.  

Together with our sister company, CORL Technologies, we serve hundreds of leading healthcare payers, providers, and business associates across the United States. 


Alan DeVaughan is an experienced compliance and information security senior manager specializing in assisting organizations with SOC 2 readiness assessments and examinations for over 10 years. In addition to leading the firm's SOC 2 service line, he serves as a consultant team leader focused on advising healthcare clients of varying size and complexity in areas of IT, privacy, security, and compliance. Alan has in-depth knowledge of security technology frameworks such as NIST, HITRUST, SOC 1 / SOC 2, HIPAA, and FFIEC. With a background in network administration, he has over 25 years’ experience in information technology consulting for a wide variety of organizations and industries.  


Most Recent Posts
A Cybersecurity Professional's Guide to HIPAA-Compliant Online Tracking Read More
SOC 2 + HIPAA Examination Read More
Rise of Responsible AI Read More