HITRUST CSF and SOC 2 FAQs
What is the difference between a HITRUST CSF Certification and a service auditor’s report expressing an opinion on the fairness of the system description, suitability of design, and operating effectiveness of controls based on The HITRUST CSF?
Does a SOC 2 + HITRUST CSF examination assess all 135 controls or only the controls required for HITRUST certification?
The answer is either. HITRUST has updated the SOC 2 + HITRUST guidance to illustrate how a SOC 2 + HITRUST CSF opinion could be based upon all 135 security CSF Controls or only those security controls required for Certification.
There are three (3) documents that have been updated to reflect this change:
- Mapping of the HITRUST CSF to the Trust Services Criteria;
- The Guidance/FAQ document; and
- The Illustrative management assertion and CPA opinion.