At this year’s HITRUST conference, the SOC 2 and HITRUST CSF session was well-attended by many interested in learning more about the benefits of SOC 2 and HITRUST. As the attendance of this session grows each year, the audience is increasingly more confident in its questions, observations, and use of the combined assessment. The allure of this joint assessment is the seamless audit experience that allows reuse of the test materials for multiple goals and reporting options. Mantras like “assess once, report many” are real, and extremely relevant. Those who have mastered the process spoke to participants, giving them insight into the key success factors.

Drew Hendrickson, LBMC Information Security Shareholder, informed the audience that “Choosing the right partner with experience is key. The primary success factor is working with your audit partner to make sure that your goals are clearly identified, timing is defined, and all reporting options are known upfront.”

What should you consider?

When embarking on the combined audit approach, one must understand that the HITRUST CSF is a security and privacy framework, initially built on ISO 27001. Over time, the CSF has evolved to include a significant number of standards, regulations, and business requirements, and is broken down into 14 high-level control categories, 46 control objectives, and 149 control specifications.

The AICPA SOC 2 Trust Services Criteria is a reporting framework assessed against one or more of 5 categories: security, availability, confidentiality, processing integrity, and privacy. HITRUST maintains a mapping between the AICPA TSC and the HITRUST CSF to identify how they align.

Understanding that SOC reports are based on a framework of reporting, and HITRUST CSF is based on a security and privacy control framework, the decision maker is able to navigate toward selecting a report and control framework for their organization.

The bottom line is that the decision between SOC 2 and HITRUST is driven by contract requirements. So, why not do them together rather than separately?

What are your options?

To summarize:

  1. SOC 2 Report: A report issued by a CPA firm expressing an opinion on the fairness of the presentation of management’s description of controls and the suitability of design of controls (type 1) or the fairness of presentation of management’s description of controls and the suitability of design and operating effectiveness of controls (type 2) relevant to Security, Availability, Confidentiality, Processing Integrity, and/or Privacy.
  2. HITRUST CSF Certification: a certified or validated report issued by HITRUST based on the work of an independent, approved HITRUST assessor.
  3. SOC 2 + HITRUST CSF: A report issued by a CPA firm expressing an opinion on the fairness of the presentation of management’s description of controls and the suitability of design and operating effectiveness of controls relevant to the security, availability, and confidentiality trust services criteria, as well as the HITRUST CSF. If the CPA firm is not also an approved HITRUST assessor, they must license the HITRUST CSF framework for use. The HITRUST CSF control work is not submitted to HITRUST, and a separate HITRUST CSF report is not generated. The organization does not receive an opinion from HITRUST regarding validation or certification status. Because the report doesn’t contain HITRUST certification but does contain a CPA firm’s opinion, consumers should be aware of the possibility that scope and assessment procedures may not exactly align with what would occur during a HITRUST assessment. However, the CPA firm is attesting that the controls, including those identified from the HITRUST framework, were appropriately designed and operating effectively. Additionally, the work is subject to AICPA standard, as any SOC report is required to be.
  4. SOC 2 + HITRUST CSF + CSF Certification: Organizations that have engaged a CPA firm to express a SOC 2 + HITRUST CSF opinion and have achieved HITRUST CSF certification can obtain one combined report. Essentially, the report will include the details described above in option 3, and additionally include the HITRUST CSF certification report.

How do you know which one to use?

The key to knowing what report to use is knowing what your customer wants and what your organization requires from its audit process.

Customer contracts, timing, and scope needs can answer the question of which assessment is needed. The organization’s decision should be made with full management support. If your organization is lucky enough to only need a segment of your network or a single application tested, the scope of that project may lend well to a HITRUST assessment. If your organization is working within the banking industry or otherwise requires a representation of both security and processing integrity, maybe a SOC 2 + HITRUST will work better.

Organizations who desire both SOC 2 reporting and HITRUST CSF certification can realize significant time efficiencies and cost savings with the joint assessment, which leverages the synergies between the HITRUST CSF and AICPA TSC.

Finally, if your organization is adding the HITRUST assessment onto a long list of compliance and audit types, an assessor partner who can consolidate that work efficiently can be paramount to all other decisions.

Now in HITRUST’s fifth year of collaboration with the AICPA, it was easy to tell that participants had been doing their homework! Primary questions were asked about clarifying remarks related to the report types, and when to use each. Most already knew that each requires special qualifications to perform the assessment types, but to do both at the same time requires that the CPA firm also be an approved assessor by HITRUST. LBMC Information Security has been approved for 10 years!

Do you have questions about which report options are right for your organization? Contact LBMC Information Security to learn more and get started on a consultation!

Learn more about HITRUST and SOC 2