HITRUST CSF Reporting

SOC 2 + HITRUST CSF Report

What it is: A mapping between the HITRUST CSF requirements and AICPA's Trust Services Categories and Criteria has been developed and made available to enable service organizations to provide information to users of their system about whether controls relevant to security, availability and confidentiality are suitably designed and operating effectively to meet the applicable trust services criteria (TSC) and HITRUST CSF requirements. This enables the service organization to communicate information about the processes and procedures it uses to meet the HITRUST CSF, in addition to the applicable TSC. This increases transparency and provides information for decision making.

Benefits:

SOC 2 engagements are performed under the professional standards of the AICPA
It is substantially less expensive than obtaining a validated report and certification from HITRUST
It is often the preferred method of compliance reporting from organization's that perform third party risk assurance activities
Each organization's risk appetite is unique to them, so it's their decision to determine what level of third party assurance is necessary. If you're not sure whether your customers accept the SOC 2 + HITRUST CSF Report, ask your customers whether it will be sufficient to give them appropriate assurance of your controls.

HITRUST CSF Validated Report and Certification

This option is used when a service organization wants to provide its stakeholders with a HITRUST CSF certification report but does not choose to provide them with a SOC 2 report. This engagement is performed by an approved HITRUST CSF assessor based on the HITRUST CSF requirements. The engagement consists of an assessment that is submitted to HITRUST for evaluation. If the service organizationâs controls meet the HITRUST CSF requirements based on a determination by HITRUST, the result is the issuance of a certification report by HITRUST.

Benefits:

Validation is performed against all 135 control references
Assessment requirements are assessed based on the 5 PRISMA-based maturity levels (Non-Compliant, Somewhat Compliant, Partially Compliant, Mostly Compliant, Fully Compliant)
You receive a validated certification report, based on the assessor and HITRUST's evaluation and determination.

SOC 2 + HITRUST CSF + CSF certification

What it is: This reporting option is used when a service organization wants to obtain both a SOC 2 + HITRUST CSF report in addition to a HITRUST CSF certification.

Attribute	SOC 2	HITRUST Certification	SOC 2 + HITRUST	SOC 2 + HITRUST CSF + CSF Certfication
Framework	AICPA TSC	Tes	A/C/P TSC and HITRUST CFS+ Certification	This reporting option is used when a service organization wants to obtain both a SOC 2 + HITRUST CSF report in addition to a HITRUST CSF certification. Please contact us if you are considering this reporting option.
Requires HITRUST scoping factors	NO	CSF Assesor	Yes
Independent third party examiner	CPA Firm	HITRUST Alliance	CPA Firm with valid licensure
Governing body for the report	AICPA	HITRUST Alliance	AICPA
Who prepares the report?	CPA FIRM	No	Yes
Incorporate SOC 2 Trust Services Criteria (TSC)	Yes	No	Yes
Allows Type 1 (point in time) explanation option	Yes	Yes	Yes
Requires a risk rating to be established for controls	Yes	No, but CorrectiveAction Plans are issued	Yes
Reporting control gaps (exceptions)	Yes (Type 2)	Yes (Type 2)	Yes (Type 2)
Allow for Corrective Action Plans	No	No	Yes
Requires a full scope examinations each year	Yes	Yes	Yes
List of attestation	1 year	2 years, plus an interim review within 1 year	1 year