No. While a CPA firm can perform a SOC 2 based on the HITRUST CSF, per the requirements of the HITRUST CSF Assurance Program, only authorized assessors can issue reports that grant HITRUST CSF certification. We currently have a growing list of over 75 assessor firms. Many of these are CPA firms. If the current firm you use for your SOC 2 is not on the list, we would encourage you to ask what their plans are related to becoming an authorized HITRUST CSF assessor. Some may already be going through the process.

References: Risk Management Frameworks, CSF Assurance Program Requirements, and Risk Analysis Guide


Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment