Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?
The answer to this question is either. HITRUST has updated the SOC 2 + HITRUST guidance to illustrate how a SOC 2 + HITRUST CSF opinion could be based upon all 135 security CSF Controls or only those security controls required for Certification.
There are three (3) documents that have been updated to reflect this change:
• Mapping of the HITRUST CSF to the Trust Services Criteria;
• The Guidance/FAQ document; and
• The Illustrative management assertion and CPA opinion.