No. While a CPA firm can perform a SOC 2 based on the HITRUST CSF, per the requirements of the HITRUST CSF Assurance Program, only authorized assessors can issue reports that grant HITRUST CSF certification. We currently have a growing list of over 75 assessor firms. Many of these are CPA firms. If the current firm you use for your SOC 2 is not on the list, we would encourage you to ask what their plans are related to becoming an authorized HITRUST CSF assessor. Some may already be going through the process.
References: Risk Management Frameworks, CSF Assurance Program Requirements, and Risk Analysis Guide
Post your comment on this topic.