
Information security is a growing concern for many organizations, especially those that handle financial and healthcare information. Many such organizations are required to undergo a Service Organization Control (SOC) 2 examination in order to provide assurance that their security controls are designed and operating effectively. A SOC 2 examination focuses on one or more of the five Trust Service principles as specified by the American Institute of Certified Public Accountants (AICPA):

  1. Security: defines the system’s physical and logical controls against data theft or loss.
  2. Processing Integrity: relates to how a system processes information so that it is complete, accurate, timely and authorized.
  3. Availability: specifies when and how the information system is made available for authorized use.
  4. Confidentiality: describes protection of information designated as confidential per agreement.
  5. Privacy: addresses personal information that must be kept private in order to comply with established criteria, and with an organization’s privacy notice.

A service organization can undergo a SOC 2 examination of any one or all five trust services principles. For example, some software-as-a-service (SaaS) providers may need to address system availability, security, and processing integrity, but they might not have any privacy or confidentiality concerns. Healthcare organizations, on the other hand, are under increasing pressure to comply with privacy and confidentiality regulations.

Comparing the HITRUST Common Security Framework and SOC 2 Reporting

The Health Information Trust Alliance (HITRUST) created the CSF Framework for use by organizations that work with health information. The CSF was developed in collaboration with healthcare and security experts and has become the de facto standard for healthcare compliance. HITRUST has developed a standard report that provides a consistent representation of risk exposure, compliance posture and corrective actions, which allows results to be benchmarked against industry best practices. The HITRUST CSF Framework and the SOC 2 reporting model are complementary, since both rely on the efficient assessment and implementation of controls that satisfy the CSF.

The “SOC 2 for HITRUST” Combined Reporting Model

HITRUST and the AICPA have collaborated to develop and publish a set of recommendations to streamline and simplify the process of leveraging the CSF for SOC 2 reporting. Because some service organizations have very specific reporting formats from which they may not deviate, it was important to implement an internal control reporting structure that is efficient, yet flexible. Mapping the HITRUST CSF to the AICPA SOC 2 Trust Principles and Common Criteria is a way to provide a reporting structure that is both efficient and flexible. Under this structure of reporting, the SOC 2 for HITRUST report becomes the default method of reporting that meets a diverse range of requests. HITRUST suggests engaging a CPA who also functions as a CSF Assessor in order to enjoy the efficiency of satisfying both needs in one step.
