SOC 2 vs HITRUST i1

SOC 2 is a reporting framework developed and maintained by the American Institute of Certified Public Accountants (AICPA), and as such, a SOC 2 report can only be issued by a CPA firm, such as risk3sixty. The goal of a SOC 2 report is to help organizations demonstrate their security posture to relevant stakeholders such as customers, prospective customers, other auditors, and internal stakeholders.  For more on the nuances of SOC 2, including Trust Service Criteria, please visit our Learning Center.  Since it is a reporting framework where the criteria are defined, but not the controls, the assessed entity chooses the controls to be implemented and against which they will be measured.  Most CPA firms propose a set of baseline controls to meet the related criteria (typically 75-120+ unique controls), and we highly recommend assessed organizations customize their SOC 2 control set to reflect what they currently have in place and what they intend to implement to meet the SOC 2 criteria. There are two types of SOC 2 reports:

SOC 2 Type I report is the result of a “point-in-time” audit over the design of controls to meet the SOC 2 criteria and the fairness of presentation of the defined information system. This report describes the controls that are put into place but does not address their operating effectiveness over time.

SOC 2 Type II report includes the assessment over the design of controls and fairness of presentation, and in addition to that, covers a specified period of time that has elapsed in order to assess the operating effectiveness of the implemented controls over time.  In other words, how well did the controls perform throughout the examination period.  Most typically, this is a 12-month period, but firms going through their first Type II often begin with a 6-month Type II in order to obtain their first SOC 2 Type II more quickly.

While a SOC 2 Type II report is the gold standard in SOC 2 reporting and what clients are expecting to receive when they ask for it, due to the time-lag associated with obtaining a first SOC 2 Type 2, the SOC 2 Type 1 report is a good beginning report along a roadmap to SOC 2 maturity.  Most organizations requesting an organization’s SOC 2 report understand that roadmap and are willing to accept the SOC 2 Type I until the SOC 2 Type II is available.

HITRUST is an assessment process and certification governed by the HITRUST Alliance and based on ISO 27001 and NIST controls.  The HITRUST CSF framework is considered to be a Risk Management and Security Framework as opposed to the SOC 2 reporting framework, and as such, the controls are specified by HITRUST.  Prior to the i1 option being released in 2021, there was only the option to achieve HITRUST certification via the r2 assessment type, which control set was completely customized via HITRUST algorithm based upon an organization’s implemented system, attributes of that system, and risk factors, which could result in a control set made up of hundreds or thousands of controls (300-500+ is typical).

A HITRUST i1 (Implemented – One Year) Assessment is a new HITRUST certification offering and was released in late 2021.  It is made up of a standard set 219 prescriptive requirement statements (e.g. controls) which are measured for functional implementation.

 

SOC 2 vs HITRUST i1: Process

With that design context as a backdrop, below are important differences between the processes for getting a HITRUST i1 certification and obtaining a SOC 2 report.

Basic Steps for obtaining your first SOC 2 report include:

  • Initial gap assessment
  • Design of controls, based on the AICPA’s Trust Services Criteria (TSC)
  • Remediation of identified gaps
  • Development of the System Description
  • Completion of the SOC 2 Type I examination (good for one year)
  • Completion of the SOC 2 Type II examination (good for one year)

At a high level, the steps for obtaining your first HITRUST i1 report include:

  • Defining the environment in the scope of the assessment
  • Initial gap assessment against the fixed scope of 219 requirements
  • Remediation of identified gaps
  • Evidence collection by entity
  • Review of evidence by a Certified External Assessor (such as risk3sixty)
  • Submission to HITRUST via the HITRUST MyCSF portal
  • QA of evidence and certification issuance by HITRUST

The HITRUST i1 is often described as being roughly two-to-three times the level of effort as the SOC 2.

Again, most SOC 2 audits will cover 75 to 120+ unique controls, whereas the HITRUST i1 covers a fixed 219 requirements.

SOC 2 vs HITRUST i1: End Result

With a SOC 2 examination, the result will be a restricted prospect and client-ready report.  This report contains a description of the defined information system as well as the controls that support it.  The report is issued with an opinion from the auditor, also know as an attestation.  Note that a SOC 2 report is not a certification, and there is guidance and restrictions from the AICPA on the download and use of the SOC 2 logo for marketing purposes.

A HITRUST i1 will produce a report, and if the results of the assessment (across the 19 domains) is passing, then HITRUST will also issue a certification, good for 1 year.  This HITRUST certification is meant to demonstrate to prospects and clients the rigor the organization exercises in securing protected and/or covered information.

Conclusion

The business drivers for obtaining a SOC 2 report or a HITRUST i1 certification may be similar, but there are important distinctions between the two, which may cause an organization to consider one over the other or both. Here is a summary of some considerations:

Traditionally, a service organization elects to pursue SOC 2 for one or more of the following reasons:

  • An organization desires to improve its security posture and manage risk, and SOC 2 is a cost-effective, customizable and scalable approach to implement good security governance and internal control.
  • A prospect or client mandates it in a contractual agreement; it is table-stakes.
  • Prospective clients are asking about security or official certification during the sales cycle and having one is a differentiator.
  • Your team is over-burdened with security questionnaires or customer audits and may want to provide a SOC 2 report to organizations willing to accept that in lieu of burdensome questionnaires.

An organization typically elects to pursue a HITRUST certification for on or more of the following reasons:

  • Competitors have achieved the HITRUST CSF certification, and to compete in the market, it is now table-stakes (we see this a lot on the Healthcare industry)
  • Prospective clients, or investors, mandate that their business partners become HITRUST certified (driven by their own third-party risk management program)
  • To demonstrate that an organization’s information security program meets the gold-standard for information security assurance in the Healthcare Industry.

Bonus:  Did you know?

Did you know that you can combine a HITRUST i1 and a SOC 2 examination under a single audit?  Firms like risk3sixty, that are both a CPA firm AND a HITRUST Certified External Assessor are authorized to do this under an agreement between the AICPA and the HITRUST Alliance.  This approach can help to reduce the audit burden, reduce costs associated with pursuing both HITRUST i1 and SOC 2, and give firms a great way to demonstrate compliance with both frameworks!

Need help deciding what the best approach is for your information security program?  Reach out to our team of experts here and we will be happy to help!