Carved-Out vs Inclusive Method
What is the carved-out vs inclusive method?
Simply put, these are the two methods a SOC report can use to account for your subservice organizations. Subservice organizations include managed service providers, data center providers, cloud providers, and similar third parties that perform controls on your behalf.
Think about modern-day businesses. It is no longer common practice to develop your own system end-to-end. You would rather make use of a cloud provider such as AWS, MS Azure, or GCP, as it is scalable, more convenient, and already developed with information security in mind. This makes the organizational life cycle faster, safer, and easier. Subservice organizations offer a wide range of services that you can make use of, including network security, firewalls, databases, storage, remote computing, identity and access management, development tooling, and security solutions. They are all cloud-based, and they can all be consumed according to your requirements. A small organization often has a limited budget, so these services offer the ability to scale as the organization grows and more resources are required.
Back to these two methods. Each method is a way in which an organization handles services that are outsourced.
In the carved-out method, the control activities that the subservice organization performs are excluded from the scope of the report, whereas with the inclusive method (as the name suggests), they are included.
How subservice organizations are presented in SOC reports
Now that we have differentiated between them, we need to ascertain which is appropriate for you. The risk to address upfront is a gap in control coverage. Think about the situation where you make use of a cloud provider or third-party vendor tool, rely on the service they provide (which you utilize in your daily business), and then find that this specific service is not covered in their SOC 2 report. Then what? This is the worst possible scenario, and if something were to happen, who is the guilty party?
With this in mind, determining the appropriate method should be a little clearer.
If you have a situation where you use a third-party vendor who undergoes SOC 2, and the service(s) you make use of are included in the scope of their report, you can have a reasonable amount of assurance that you would not need to produce an inclusive report covering the third-party provider. The services are already covered in the third party’s report, so there is no need to duplicate it. Also keep in mind that if you were to go ahead with the inclusive method, you as the organization would need to obtain a management assertion from the third-party/outsourced vendor.
In contrast, the carved-out method is the more common method, due to the expense and the degree of involvement of the subservice organization that the inclusive method requires. If you were to utilize the inclusive method, the subservice organization essentially becomes a part of your audit process. This approach includes all controls and processes addressed through services provided by your subservice organization in your testing procedures and report.
The carved-out method is a simpler and easier approach for the organization. However, it does not mean that you simply ‘exclude’ these services and controls and carry on.
If you were to utilize the carved-out method, you, as the organization, have to review the subservice organization and the services they provide to you on a regular basis, and ensure they are aligned with and appropriate to the objectives of your business.
Within the SOC 2 process, implementing the carved-out method would entail that you include a control around this review process. For example, if you utilize AWS as your subservice organization, and use the carved-out method, you would be responsible for obtaining the SOC 2 report of AWS on a regular basis, reviewing their controls (in particular, their Complementary User Entity Controls), and ensuring that they are defined, aligned, and appropriate to the objectives of your organization. This will then prove to the auditor that you have appropriate processes in place, and so the carved-out method is appropriate.