Can I use the HITRUST certification to replace my SOC 1 or SOC 2 report?

October 26, 2015

Currently, HITRUST is not a replacement for SOC 1 or SOC 2 examinations. HITRUST and the AICPA have recently released a mapping document that identifies the CSF controls that are mapped to SOC 2 Trust Services Principles for Security, Availability, Processing Integrity, and Confidentiality.

Privacy requirements are expected to be mapped sometime in 2016, after the AICPA releases its new revision to the Trust Services Principles. According to HITRUST, the AICPA and HITRUST are working on a combined HITRUST CSF – AICPA SOC 2 reporting structure to support dual assessment and reporting. More information can be obtained from www.aicpa.org. A spreadsheet with the detailed SOC 2 to CSF mappings can also be found on the AICPA website.
