In a recent Linford & Co. article, Partner Richard Rieben illuminated some of the growing problems with the SOC 2 assurance – particularly mentioning check-the-box audits, the lack of quality inherent in bargain-basement assessments, and threats to independence. These are all problems that go largely unchecked due to the lack of oversight from a governing body.
So, how do we fix a system where “trust” has become a commodity? One of the most compelling answers may lie in HITRUST’s “Validated Trust” concept. Simply put, Validated Trust reassures us that a known entity (HITRUST) has reviewed and approved the assessment. It adds a level of assurance beyond a simple “third-party opinion.”
Trust vs. Validated Trust: Solving the “Rubber Stamp” Problem
A SOC 2 report is only as good as the issuing entity. As a former CISO, I was frequently handed SOC 2 reports from firms I’d never heard of and knew nothing about. The primary weakness with this traditional “trust” model is the lack of a secondary filter or consistent Quality Assurance process. From the “big 4” down to the boutique audit firms, literally hundreds of organizations will issue a SOC 2 report. Even in the industry, as an assessor, I don’t have any idea of the quality, the rigor, or the commitment to accuracy, integrity, and independence that many of these firms exhibit. The SOC 2 asks you to trust a firm you may never have heard of before. HITRUST, instead, asks you to trust, well…HITRUST.
Each HITRUST assessment has been validated by a mandatory third party – HITRUST itself. Once the third-party HITRUST assessor has completed their fieldwork, the assessment is passed through to HITRUST’s QA. This secondary layer of scrutiny demonstrates the assessor has done the work, documented the findings, and retained the evidence necessary to provide a report that is less likely to be fabricated, stretched, or, as is recently being seen with other frameworks, simply inaccurate.
This decoupling of the report issuance from the auditor’s hands provides an enhanced level of trust in the report without necessitating personal knowledge or tedious research into the nature of the assessment firm.

Prescriptive vs. Flexible: Why HITRUST’s Rulebook Leaves Less Room for Risk
The fundamental difference between SOC 2 and HITRUST lies in the “what” and the “how.” In a SOC 2 engagement, the auditor uses a flexible attestation standard. This means the organization identifies its own control activities to meet broad objectives. While this flexibility sounds like an advantage, it often results in “weak” controls being mapped to “strong” requirements. If an organization chooses a low-bar control to satisfy a Trust Services Criterion, and the auditor accepts it, the resulting report technically meets the standard but leaves the organization and its customers exposed to significant risk.
A quick example that comes to mind: SOC 2 criteria CC6.6 and CC6.8 require that “The entity implements logical access security measures to protect against threats from sources outside its system boundaries.” That should include email security measures, but in practice the review frequently covers only firewall and border security controls. HITRUST’s r2 specifically and clearly requires “The organization implements email authentication protocols (e.g., SPF, DKIM, and DMARC) to detect and prevent spoofing of the organization’s email domains.” This level of prescriptive detail, together with third-party review of the evidence provided, tells the report reader more about the environment that was assessed.
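The difference between “detect” and “prevent” in that requirement is visible in the records themselves: SPF ending in `~all` and DMARC with `p=none` only monitor, while `-all` and `p=reject` enforce. As an added example (not code from the original article, HITRUST, or Linford & Co.), the following offline check parses constructed sample TXT records and reports where a domain’s configuration would fall short of the quoted control:

```python
# Offline check of whether published SPF and DMARC records enforce anti-spoofing,
# the behaviour the HITRUST requirement quoted above asks for. Added example, not
# Linford & Co. or HITRUST material; the TXT records below are constructed samples
# standing in for what DNS lookups of <domain> and _dmarc.<domain> would return.
SAMPLE_SPF = "v=spf1 include:_spf.mailer.example ip4:192.0.2.0/24 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

def parse_spf(txt):
    """Split an SPF TXT record into its mechanisms; None if it is not SPF."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return parts[1:]

def parse_dmarc(txt):
    """Parse 'tag=value;' pairs of a DMARC TXT record into a lowercase-key dict."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess_spoofing_controls(spf_txt, dmarc_txt):
    """Return findings where the records only detect rather than prevent
    spoofing; an empty list means both records are set to enforce."""
    findings = []
    mechs = parse_spf(spf_txt)
    if mechs is None:
        findings.append("SPF: no valid v=spf1 record published")
    else:
        # The last 'all' mechanism decides unlisted senders: -all fails them,
        # ~all only softfails, and ?all/+all or a missing 'all' lets them through.
        terminal = [m for m in mechs if m.lstrip("+-~?").lower() == "all"]
        if not terminal or terminal[-1].lower() != "-all":
            findings.append("SPF: terminal mechanism is %s, not -all"
                            % (terminal[-1] if terminal else "missing"))
    tags = parse_dmarc(dmarc_txt)
    if tags is None:
        findings.append("DMARC: no valid v=DMARC1 record published")
    else:
        # p=none is monitor-only: reports flow, but spoofed mail is still delivered.
        policy = tags.get("p", "none").lower()
        if policy not in ("quarantine", "reject"):
            findings.append("DMARC: p=%s does not block spoofed mail" % policy)
        if tags.get("pct", "100") != "100":
            findings.append("DMARC: pct=%s enforces on only part of the mail" % tags["pct"])
    return findings
```

Run against the sample records, `assess_spoofing_controls(SAMPLE_SPF, SAMPLE_DMARC)` returns two findings, which is exactly the kind of evidence gap a prescriptive requirement surfaces and a broad criterion can leave unexamined.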
How HITRUST Closes the Gap
HITRUST’s Validated Trust tackles a major flaw in the system by using a straightforward framework. Instead of letting companies choose their own security measures, HITRUST sets strict, high-standard requirements that fit each company’s specific risks. You’re not just told to “protect your endpoints” – you’re given clear rules on how to secure, monitor, and verify them. Since these rules are the same across the industry, they create a high level of security that’s much stronger than the average SOC 2. By taking away the option to compromise on security, HITRUST provides enhanced evidence that a Validated certification means a company has a solid, tested security system in place, rather than just a collection of easy-to-get proof. This approach helps to establish a strong foundation for security, making it harder for companies to cut corners or negotiate their way out of robust security measures.
Independence & the Threat of the “Bundled Audit”
A major concern in the current landscape is the rise of bundled compliance, wherein software platforms “bake in” the cost of an audit directly into their subscription price. This model creates a potentially dangerous dependency. When an audit firm relies on a software vendor for its business, it is no longer working for the public trust; it is, in essence, working for the vendor. This financial incentive can make it difficult for an auditor to challenge the software’s output, often resulting in a “check-the-box” exercise where “green checkmarks” are prioritized over actual security testing.
HITRUST’s Validated Trust model mitigates this specific conflict of interest. Because HITRUST is a centralized certification body, it requires every assessment to be submitted to its own internal assurance team for a final, independent review. Even if a software platform and an auditor are closely partnered, HITRUST’s independent quality control is required. If the evidence isn’t what it needs to be, HITRUST will reject the submission, regardless of what the software vendor’s assessment says. This secondary layer of oversight shows that the final certification is a true reflection of security, not simply a byproduct of a commercial partnership.

The Price of “Validated” – What’s the Downside?
So, obviously, third-party review and quality assurance checks aren’t free. The average cost of a HITRUST assessment can be several times more expensive than a typical SOC 2 report, driven by higher assessor fees and additional costs paid directly to HITRUST. But even beyond cost, some other things can make a HITRUST assessment less appealing. Time can be a factor; there’s no “fast track” to a HITRUST assessment. While they’re not necessarily the year-long process that other framework assessments can be, the fact that the assessor doesn’t simply issue the report at the conclusion of fieldwork can add weeks (best case) to the timeline between beginning an audit and having a report in hand. Additionally, the prescriptive framework can conflict with business needs. It lacks the inherent flexibility of SOC 2’s less prescriptive approach and can lead to the testing and forced implementation of controls that may be more work than reward.
So is HITRUST “Better”?
The easy answer to this is, well, “maybe.” HITRUST provides an enhanced level of scrutiny that addresses the potential for a check-box audit while simultaneously adding a factor of “known quality” to an assessment, but it does so at a significant cost in time and money. As a former CISO, I preferred a HITRUST report to a SOC 2 report from an unknown firm. Knowing that HITRUST’s rigorous QA process had been applied to the evidence and the assertions of the third-party assessor gave me a level of comfort I didn’t have with a traditional SOC 2.
That said, as an entity that needed to be certified to reassure our clients of our commitment to security AND the actual consistent application of policies and procedures that enforced this commitment, a SOC 2 report from a reputable firm was obtainable with a much easier lift and a budget number that was easier to fund.
Is a good SOC 2 report a useful tool to assess a potential vendor or third party? Absolutely. But Validated Trust processes, like a HITRUST report, simply provide a more robust report that, in many ways, combats the recent proliferation of checkbox audits and of assessments with independence concerns.
Ready to Move Beyond the SOC 2 Opinion?
Need more information? Worried that your SOC 2 may not be demonstrating the true rigor of your commitment to security? Linford & Co. is happy to discuss the pros and cons of multiple frameworks, including HITRUST. Contact us today to learn about our audit process and variety of audit services, which include SOC 2 audits, HITRUST certification, and more.

Brian has over 2 decades of experience in System Administration and Information Security, having worked at all levels of Government (City, County, State, and Federal) and with companies ranging from startup to Fortune-20. He transitioned to auditing in 2018 and has delivered audits and attestations as varied as SOC 1 and 2, HITRUST, FISMA, FERPA, PCI, CSA-star and HIPAA. With Linford and Co, he focuses primarily on HITRUST and SOC 2.