Making the Move from SOC 2 to HITRUST Easier (and More Advantageous) – Guest Blog by External Assessor Thoropass
Date: February 7, 2024

Guest blog by Leith Khanafseh, Managing Director, LCL & Compliance Products Development, Thoropass

Across my career as an auditor and compliance expert, one question is consistently raised by any company at any stage in any industry when they’re looking to mature their compliance and security programs: What do I have to do?

And so, most of my professional relationships begin from a place of obligation. As an auditor, it’s my job not only to tell the company exactly what the bare minimum is but also what the benefits of going above and beyond are. Needless to say, companies get skeptical about the latter part, especially as time, budget, and business objectives are stretched and constantly evolving.

For that reason, many companies start with SOC 2 as an introduction to compliance audits. Because of its affiliation with the American Institute of Certified Public Accountants (AICPA), there is an instant credibility that comes with adopting this popular reporting framework.

But it’s the same reason HITRUST rolled out its e1 certification last year. While the HITRUST r2 was — and remains — a gold standard in demonstrating infosec posture, maturity, and compliance, the move to first offer the HITRUST i1 two years ago and then the e1 gave companies of all sizes and backgrounds the ability to begin taking steps to adhere to strict compliance standards.

Having a SOC 2 in hand makes HITRUST even more accessible. And having a single auditor acting as an external assessor for both frameworks can translate into tangible time and cost savings, allowing businesses to accelerate deals and actualize strategies.

Comparing SOC 2 and HITRUST

It can be hard to keep up, but SOC 2 is about as old as HITRUST. Both have established themselves as essential frameworks for companies doing business in the cloud.

SOC 2 compliance is a starting point for most companies. It is credited to the AICPA, concludes with a finite report, and is intentionally flexible, allowing even newcomers to comply by setting up stage-appropriate programs. Having said that, SOC 2 has been seen as potentially limited in specific industries and markets because of its lack of prescription with respect to required controls.

This is where HITRUST’s three tiers of certifications can offer the next step. Introduced in 2023, HITRUST e1 contains 44 controls that largely overlap with those in SOC 2 (more on that in the next section). Meanwhile, i1 has 182 controls, and r2 has over 200 controls that can be molded to the business pursuing it.

It’s a big leap going from a flexible, less prescriptive reporting framework to hundreds of very prescriptive controls. Even I’d admit to a client that if they were going straight to HITRUST r2, the journey would be arduous and probably at least a year (if not more) in length.

Fortunately, smart companies don’t need to take this leap all at once.

Crossing from SOC 2 to HITRUST e1

The big secret about attaining HITRUST is that you don’t have to start from scratch. It’s like dunking a basketball using a ladder, except the ladder, in this case, is SOC 2 compliance.

On average, a SOC 2 audit can have anywhere between 45–60 controls (mainly depending on the coverage of a program and the Trust Services Categories in scope). Even so, it is not uncommon to match the majority of controls from a SOC 2 report to HITRUST e1’s 44 controls. On average, my colleagues and I at Thoropass have found that a SOC 2 audit gets you 90%+ of the way to the evidence and controls required for e1.

Because HITRUST’s three tiers are a stepping-stone approach and most of a company’s SOC 2 overlaps with an e1, those 44 controls can carry forward into the i1 and eventually into the r2 (where a SOC 2 gets you up to ~60% of the way), should a company pursue that.

But many companies don’t even need an r2, at least not yet.

Both SOC 2 and HITRUST e1 contain essential controls that are near-universally accepted in business. Fortunately, the accessibility to these frameworks has improved over the last year. While a SOC 2 is not necessary to get an e1, the savings in time and money alone make the effort worthwhile. And that doesn’t even take into account the business advantages coming with it.

Benefit of a single audit for multiple frameworks

When businesses start a compliance journey out of obligation, they’re missing the point. More precisely, they’re missing the opportunity. By doing the bare minimum, they’re not only putting their company’s and customers’ data at risk but also overlooking how their business can grow, especially as they enter upmarket or new industries. With this movement, often, there are new requests for compliance and security assurances.

But no smart business should pursue compliance framework audits only one at a time. Audits already take time. A typical SOC 2 audit may take a few months; transitioning from SOC 2 to e1 may take another few months. These frameworks are valid for a year until a new audit must take place. Considering that an i1 may take up to 9 months to conduct and an r2 over a year, it’s inefficient to conduct new audits with new auditors each time a business scales its security program.

This is where HITRUST is unique and different from AICPA and SOC 2. While many CPAs conducting SOC 2 audits own the quality assurance process, HITRUST takes it further by centralizing the quality assurance process. HITRUST reviews the test work by an external assessor before issuing a certification, ensuring a consistent benchmarking of assessments across the board.

I believe in making audits as accessible as possible, especially for growing businesses. Our team at Thoropass holds licenses and accreditations to perform audits for all the major compliance frameworks, including acting as an external assessor for HITRUST, CPA capability for SOC 2, and QSAC capability for PCI DSS. This means a company can pursue multiple frameworks, starting with a single audit. Few assessors offer a comprehensive service, and even fewer offer fully automated compliance and audit software as we do.

This all ties back into business acceleration by baking the move from compliance to security into a company’s DNA. Instead of relying on an endless loop of audits that constantly tie up resources, the synergies between SOC 2 compliance and HITRUST certification allow companies to look up from the daily diligence required of security teams and focus on hitting the next milestone.

It’s never too late to start

It’s not up for debate that more compliance is a better investment than less. However, organizations invest in it if it aligns with their resource realities.

Still, that argues for shaping your compliance program around SOC 2 and HITRUST e1. I’ve seen firsthand how it can radically change a business’s outlook in a short period. Last summer, Thoropass began bundling SOC 2 and e1 together, and the response was electric. Not only did most companies see the value, but they also instantly started changing their budget and business goals for the following year. In most cases, it broke stalled deals out of ruts or opened up markets that companies didn’t think would be available for years to come.

While every audit and business plan is unique, what we’ve seen in this path from one of the most popular frameworks in the country to one of the most respected ones is that the new minimum was yesterday’s aspiration.
