What it is: A mapping between the HITRUST CSF requirements and the AICPA Trust Services Categories and Criteria has been developed and made available so that service organizations can report to users of their system on whether controls relevant to security, availability and confidentiality are suitably designed and operating effectively to meet both the applicable trust services criteria (TSC) and the HITRUST CSF requirements. This lets the service organization communicate information about the processes and procedures it uses to meet the HITRUST CSF in addition to the applicable TSC, which increases transparency and supports decision making.
What it is: This reporting option is used when a service organization wants to obtain both a SOC 2 + HITRUST CSF report and a HITRUST CSF certification.
Attribute | SOC 2 | HITRUST Certification | SOC 2 + HITRUST | SOC 2 + HITRUST CSF + CSF Certification |
---|---|---|---|---|
Framework | AICPA TSC | Tes | A/C/P TSC and HITRUST CSF + Certification | Please contact us if you are considering this reporting option. |
Requires HITRUST scoping factors | No | CSF Assessor | Yes | |
Independent third-party examiner | CPA firm | HITRUST Alliance | CPA firm with valid licensure | |
Governing body for the report | AICPA | HITRUST Alliance | AICPA | |
Who prepares the report? | CPA firm | No | Yes | |
Incorporates SOC 2 Trust Services Criteria (TSC) | Yes | No | Yes | |
Allows Type 1 (point-in-time) examination option | Yes | Yes | Yes | |
Requires a risk rating to be established for controls | Yes | No, but Corrective Action Plans are issued | Yes | |
Reports control gaps (exceptions) | Yes (Type 2) | Yes (Type 2) | Yes (Type 2) | |
Allows for Corrective Action Plans | No | No | Yes | |
Requires a full-scope examination each year | Yes | Yes | Yes | |
Length of attestation | 1 year | 2 years, plus an interim review within 1 year | 1 year | |
Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks of potential loss to the organization, but also to drive solutions that add value, and to advise on opportunities to ensure minimal disruption to your business.
To learn more, visit our dedicated IT Risk Advisory page.
Schneider Downs is a Top 60 independent Certified Public Accounting (CPA) firm providing accounting, tax, audit and consulting services to public and private companies, not-for-profit organizations and global companies. We also offer risk advisory, transaction advisory, digital consulting, wealth management, retirement plan solutions and investment banking services. Schneider Downs serves individuals and companies in Pennsylvania (PA), Ohio (OH), West Virginia (WV), New York (NY), Maryland (MD), metropolitan Washington (DC) and additional states in the United States with offices in Pittsburgh, PA, Columbus, OH, and McLean, VA.
© 2024 Schneider Downs & Co., Inc. Maryland license number 35239.