- Keeping your sensitive data and systems secure is critical to your organization’s success.
- SOC 2 and HITRUST are two ways to have your organization’s security practices evaluated, and while they have many similarities, there are essential differences to consider.
- Better understand your risk and bring confidence to those you serve, whether your goal is to obtain a SOC 2 report or HITRUST certification.
Data has become the most important asset for many organizations, so sharing that data in any capacity can bring significant risk. Service organizations that share, process, or store data for others understand the growing challenges of building a trusted relationship.
To help bring confidence to those you serve, System and Organization Controls (SOC) 2 and HITRUST assessments are recognized across many industries as ways to demonstrate quality, security, and privacy practices. But which framework is right for you, and what are the differences?
What are SOC 2 and HITRUST?
SOC 2 reports are designed to provide clients or customers of service organizations reasonable assurance that the internal controls and security practices are fairly presented and operating effectively. The reports outline whether the service organization meets the AICPA’s set of benchmarks known as “description criteria.” These criteria are used when preparing and evaluating the description of the service organization’s system in a SOC 2 examination.
Additionally, the AICPA’s “trust services criteria” evaluate whether controls over security, availability, processing integrity, confidentiality, and privacy were adequately designed and operated effectively over a period of time. The description criteria and the trust services criteria are the control frameworks that must be used in a SOC 2 examination.
SOC 2 reports are issued under the AICPA Statement on Standards for Attestation Engagements (SSAE) for assertion-based examination engagements. CPA firms must follow specific AICPA rules when conducting a SOC 2 engagement.
Remember, a SOC 2 is not a certification, but an attestation report.
HITRUST CSF certifications are issued by the HITRUST Alliance. The CSF was originally developed to help the health care industry manage information security and privacy risks, but it has since expanded across a broad range of industries. The reporting framework for a HITRUST certification is the HITRUST CSF Assurance Program and the HITRUST Validated Assessment Report.
The HITRUST CSF was developed based on other standards and authoritative sources, such as ISO27001, NIST SP 800-53, and HIPAA, and now incorporates more than 40 regulations, standards, and frameworks. Assessments for HITRUST certifications are performed using HITRUST’s tool, MyCSF.
What is the scope of SOC 2 and HITRUST?
A SOC 2 includes the description criteria and the five Trust Services Criteria. The Trust Services Criteria for security, also known as the common criteria, are the only required set of the five. The other four are included as applicable to the needs of the service organization's customers and clients.
Differences between SOC 2 report types:
| | SOC 2 Type 1 | SOC 2 Type 2* |
| --- | --- | --- |
| Time period issued | As of a specific date | Covers a period of time |
| Opinion provided | Presentation and design of controls | Operating effectiveness of controls |

A SOC 2 report can include other security or control frameworks, such as HIPAA, ISO27001, and even HITRUST CSF.
The scope of a HITRUST assessment is determined by how an organization answers specific organizational, technical, and regulatory questions. Those responses are used to scope and build a custom assessment with specific requirement statements.
HITRUST assessment requirement statements are organized into 19 domains designed to align with the structure of common security and risk management programs. One of the questions that greatly impacts the size of your HITRUST assessment is the number of health-related records your organization holds.
During a Validated Assessment, an organization scores its compliance on five maturity levels (policy, process, implemented, measured, and managed) for each requirement statement in scope.
What is the result of SOC 2 and HITRUST?
Despite the common misconception, SOC 2 is not a certification. A SOC 2 is an independent auditor report including an opinion issued by a CPA firm. The opinion can be unqualified, qualified, or adverse, similar to a financial audit opinion. A qualified opinion can still have deviations or exceptions noted within the results of tests performed by the auditor. The SOC 2 examination is typically performed every year, covering the full scope of applicable trust service criteria.
The result of a HITRUST Validated Assessment can be a certification, which is the goal for most organizations, or just the Validated Assessment report. The HITRUST certification is issued by HITRUST and not the external assessor firm.
To obtain the certification, your organization does not need a perfect score across all requirement statements, but needs to have an average score over a certain threshold on each of the 19 domains. For scores that fall below the threshold on specific requirement statements, a Corrective Action Plan may need to be documented to address the gap and improve the score going forward.
If a certification is achieved, it is good for two years with a few qualifiers. During the second year, an external assessor performs an interim assessment to test a random selection of requirement statements and determine that sufficient progress has been made on any Corrective Action Plans.
For any regulatory factors included in the HITRUST assessment, the result does not provide a certification from those regulatory authorities. For example, if you elected to include Cybersecurity Maturity Model Certification (CMMC), your HITRUST certification would demonstrate compliance with CMMC but you would not be issued a CMMC certification.
Which one is right for you?
Choosing an independent assessment to better understand your risk and to demonstrate quality, security, and privacy practices can be a challenging task. Start by assessing your contractual requirements with customers and clients to see if there is a specific type of assessment included. Consider your industry and the various applicable regulatory requirements for which you may have to demonstrate compliance.
If you are storing or processing electronic health information, HITRUST may be the best option. If you serve a broad range of industries or operate in a regulated sector such as financial services or government, then SOC 2 may better meet your needs. The two assessments differ in cost and level of effort, so it is important to consider your budget and the size of your organization.
How we can help
Understanding your data security risk is essential. If you are just beginning the journey down the HITRUST or SOC 2 path, our readiness assessment services can help outline your current state and provide a gap assessment to meet the goals of SOC 2 or HITRUST standards.
- Phillip Del Bello, Principal, CLA
Compliments of the CliftonLarsonAllen – a member of the EACCNY.