Over the past few years, it seems as if a new compliance framework appears every year that companies are expected to follow. Many companies are trying to understand which frameworks apply to them, how many they are required to use and, frankly, how much compliance is going to cost. This post discusses two of them, SOC 2 and the HITRUST CSF: what each one is, whether their controls can be mapped to one another, and whether they can be used interchangeably or combined.
What is a SOC 2 Engagement?
According to the AICPA, a SOC 2 engagement is “an examination engagement to report on whether (a) the description of the service organization’s system is in accordance with the description criteria, (b) the controls were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on applicable trust service criteria, and (c) in a type 2 report, the controls operated effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria.”
Simply put, a SOC 2 engagement reports on whether the controls were designed properly and (in a Type 2 report) operated effectively in accordance with the applicable trust services criteria. SOC 2 defines five trust services criteria (TSCs) on which a report can attest: security (always included), availability, processing integrity, confidentiality, and privacy. The last four are optional and are added depending on the service provided. SOC 2 reports are meant to serve users in any industry who need assurance that the information a service organization houses or processes is protected, and that the organization’s system will not compromise the security, availability, processing integrity, confidentiality, or privacy of that information, as applicable.
For more information on SOC 2 engagement details, check out another one of our posts, What is a SOC 2 Report? Expert Advice You Need to Know.
What is a HITRUST Engagement?
Health Information Trust Alliance (HITRUST) was founded in 2007 and is a “not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.”
Although the HITRUST Common Security Framework (CSF) is intended to be a framework for organizations across all industries, it was created in response to a number of healthcare-specific challenges: inconsistent application of healthcare regulations such as HIPAA, ineffective controls caused by an inconsistent understanding of control objectives, increased scrutiny of these issues from regulators, auditors, and customers, and a rise in data breaches and exploited system vulnerabilities. In practice, the HITRUST framework is used mainly by companies that in some capacity handle electronic protected health information (ePHI).
To bring more consistency to the industry, HITRUST created the HITRUST CSF, a certifiable regulatory-compliance and risk-management framework that harmonizes requirements from a variety of standards, including HIPAA, COBIT, NIST, PCI, and ISO. Requirements drawn from these standards are layered together, and each requirement is evaluated against five maturity levels: the existence of a policy, the existence of a procedure, evidence that the control is implemented, and finally evidence that the control is measured and managed. For more detailed information on HITRUST certification, check out our HITRUST Audit & Certification service.
SOC 2 vs. HITRUST: What’s the Difference?
One of the main differences between a SOC 2 and the HITRUST CSF is that a SOC 2 is an attestation report, while a HITRUST review is accompanied by a certification. In an attestation report, management asserts to the information presented to the users of the report, and an independent party (the auditors) confirms or disputes that assertion by issuing an opinion.
An opinion can be unqualified (“clean”), qualified, or adverse. A qualified opinion indicates that testing could not confirm at least one of the objectives identified by management; an adverse opinion means that testing could not confirm the majority of them. A qualified report can still be relied upon, but the reader should follow up with the company to determine whether the issues have been properly remediated going forward. SOC 2 reports are completed annually. For Linford & Co, it generally takes one to three months to complete and deliver the report, depending on how quickly the client can provide the evidence needed to complete testing; the testing itself generally takes one to two weeks.
Unlike a SOC report, a HITRUST report comes with a certification. A HITRUST report is considerably more detailed, covering roughly five times as many controls, because it incorporates requirements from the variety of standards (mentioned above) included in the HITRUST CSF. In a HITRUST report, management submits a Letter of Representation, which takes the place of the management assertion found in a SOC report. A Letter of Representation is also gathered during a SOC engagement, but it is not presented within the final SOC report.
Finally, the conclusion of a HITRUST assessment is presented as either a Letter of Certification or a Letter of Validation, depending on the final score of the assessment. See HITRUST’s FAQ page for more on the specifics. A HITRUST certification is valid for two years, with an interim assessment completed at the one-year mark; the interim assessment is much narrower in scope than the year-one testing. In general, HITRUST testing takes longer to complete because of the larger number of controls, and costs roughly twice as much as a SOC 2. Both depend on the number of in-scope systems and the size of the organization.
SOC 2 vs. HITRUST & Mapping Options
When determining which report your company needs, the first consideration should always be the requirements set by clients, stakeholders, or service level agreements. As of today, HITRUST reports are mainly being adopted by data centers, applications, and platforms that house ePHI. That said, HITRUST is available to any industry that wishes to incorporate the framework into its compliance program.
If your company wants both reports, the HITRUST CSF maps to the controls needed to support a SOC 2 opinion on the following trust services criteria: security, confidentiality, and availability. Note, however, that a HITRUST certification lasts two years, whereas the full testing needed to maintain a SOC 2 opinion still has to be completed annually. Another option is a combined SOC 2 + HITRUST CSF report. In this scenario, the CPA firm performs procedures to test the design and operating effectiveness of the controls as they relate to both SOC 2 and the HITRUST CSF. This combined report does not include a Letter of Certification unless the CPA firm is also a HITRUST CSF assessor and the assessment has been certified by HITRUST.
SOC 2 vs. HITRUST Summary
Determining which report your company needs generally depends on a number of variables, such as time, budget, and actual need.
As mentioned above, the best first step is to understand the needs of your current or prospective clients and stakeholders, and to check the requirements outlined in any business agreements.
The next variable to consider is your company’s industry. If your company stores or processes ePHI, HITRUST is worth considering. Otherwise, it may be more practical to start with a SOC 2 and transition to HITRUST if and when your business needs call for it.
Understanding the differences between the two reports will help you decide which one makes the most sense today and how to plan for the future.
Check out the Linford & Company services page for a complete listing of services we provide and how to contact us with any questions your company has regarding SOC 2, HITRUST, or any of our other services.
Note: The HITRUST CSF reports discussed in this post are assumed to be validated assessments completed by a HITRUST assessor.