While SOC 2 and HITRUST are both created to help verify an organization’s ability to demonstrate effective security and privacy practices, they differ in a variety of ways. One of the main differences between a SOC 2 and HITRUST CSF is that a SOC 2 is an attestation report that is mapped to the COSO framework, while the ultimate goal of a HITRUST review is certification.
Understanding the Frameworks
HITRUST CSF is a security and privacy framework, initially built on ISO 27001/27002. Over time, the CSF has evolved to include a significant number of standards, regulations, and business requirements, and is broken down into 14 high-level control categories, 49 control objectives, and 156 control specifications. HITRUST has 3 certification options varying by strength of assurance.
The AICPA SOC 2 Trust Services Criteria is a reporting framework assessed against one or more of 5 categories: security, availability, confidentiality, processing integrity, and privacy. The SOC 2 is meant for a broad range of users that need detailed information and assurance about the controls at a service organization relevant to these criteria of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
What are your options?
The table below provides the characteristics associated with SOC 2 and HITRUST and some of the differences between them:
| Characteristics | SOC 2 | HITRUST e1 | HITRUST i1 | HITRUST r2 |
| Length of Engagement | 6-12 weeks | 4-6 weeks | 6-8 weeks | 12-16 weeks |
| Who is the Governing Body? | AICPA | HITRUST Alliance | ||
| Who can conduct the audit? | CPA Firm | HITRUST Authorized External Assessor | ||
| How is the audit conducted? | Against a company’s controls mapped to the AICPA’s Trust Services Criteria (Security, plus any mix of Availability, Confidentiality, Processing Integrity, & Privacy) | Against defined HITRUST requirements. | Against defined HITRUST requirements. | Against HITRUST requirements. Regulatory & some scoping factors are at the company’s discretion to include or not include, impacting the number of requirements. |
| How is the audit reported? | Independent attestation report issued by the CPA firm | Provides a numerical range grade with a certain score required for certification – the certification report is issued by HITRUST. | ||
| How much flexibility does the framework provide? | Trust Services Criteria supplied by AICPA must be met but can select the optional criteria and has flexibility in defining management’s own controls | 44 defined requirements | 182 defined requirements | Average of 360 requirements. The number of control requirement statements varies based on a risk-based approach to scale and select controls based on inherent risk factors and targeted authoritative sources. |
| What is the period of coverage? | A point in time (type 1) or reporting period of 6-12 months (type 2) | HITRUST is a forward looking (1 or 2 year) certification, but all requirements must be in place for 90 days in order to be included in the assessment. | ||
| Does it require a maturity rating to be established for controls? | No – while controls aren’t scored based on maturity model, a certain maturation should be in place to satisfy the applicable Trust Services Criteria | Yes | Yes | Yes |
| What is the lifetime of certification? | SOC reports are independent assertions on management’s controls by an independent CPA firm and are generally accepted for 1 year after issuance. | 1 year certification | 1 year certification; year 2 rapid recertification available | 2 year certification, with an interim assessment due by the 1 year anniversary of certification |
How do you know which one to use?
The key to knowing which report to use relates to your own company’s security goals as well as understanding customer contractual obligations, needs and wants and what your organization requires from its audit process. Here’s some questions to consider:
- What are the needs of our current or prospective clients, stakeholders, and references of the requirements outlined within any business agreements?
- How important are time and budget requirements?
- What flexibility do I need for my control environment?
Customer contracts, budget, timing, and scope needs can answer the question of which assessment is needed. The organization’s decision should be made with full management support. The SOC 2 provides a more flexible control definition as management defines the controls mapped to the required criteria and is often a more budget friendly option as fees are only paid to the CPA firm, whereas HITRUST requires fees both to HITRUST and the Authorized External Assessor firm with rigid requirements defined by HITRUST. HITRUST provides a certification that is frequently updated, both from a requirement and methodology standpoint as well as adapting to new threats in the security landscape.
But what if you need both?
Organizations who require both SOC 2 reporting and HITRUST CSF certification can realize significant time efficiencies and cost savings with a joint assessment, which leverages the synergies between the HITRUST CSF and AICPA TSC.
A SOC 2 + HITRUST CSF report is issued by a CPA firm expressing an opinion on the fairness of the presentation of management’s description of controls and the suitability of design and operating effectiveness of controls relevant to the security, availability, and confidentiality trust services criteria, as well as the HITRUST CSF. If the CPA firm is not also an approved HITRUST assessor, they must license the HITRUST CSF framework for use. The CPA firm is attesting that the controls, including those identified from the HITRUST framework, were appropriately designed and operating effectively. Additionally, the work is subject to AICPA standard, as any SOC report is required to be.
Whichever option is best for your organization, choosing the right audit partner with experience is key. The primary success factor is working with your audit partner to make sure that your goals are clearly identified, timing is defined, and all reporting options are known upfront.
Do you have questions about SOC or HITRUST? Contact LBMC to learn more and get started on a consultation!
Content provided by LBMC cybersecurity professional, Robyn Barton.