Leveraging the HITRUST CSF® for SOC 2® Reporting
HITRUST® worked with the American Institute of CPAs (AICPA) to develop and publish guidance to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance programs for SOC 2 reporting.
What is a SOC 2 report?
A SOC 2 report is intended to meet the needs of a broad range of users who need to understand internal control at a service organization as it relates to one or more of the American Institute of Certified Public Accountants’ (AICPA’s) Trust Services criteria of Security, Availability, Processing Integrity, Confidentiality or Privacy. These reports are performed using the AICPA Guide: SOC 2® Reporting on an Examination of Controls at a Service Organizations Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy and are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the organization and its internal controls. A SOC 2 examination is similar in structure and general approach to SOC 1 reporting, but also allows the flexibility to incorporate additional suitable criteria, for example, around adherence to public, industry-specific frameworks such as the HITRUST CSF.
Increasing Demand for Third-Party Internal Control Reporting
Cybersecurity is at top of the mind for management, boards and regulators. And with the impact of regulatory oversight, organizations are under increasing pressure to demonstrate that they have taken appropriate measures to:
- Secure their environment;
- Be vigilant in anticipating what might occur in the evolving security landscape;
- Implement appropriate measures to detect and react to existing and emerging threats;
- Be resilient in their ability to recover operations when a security incident does occur.
Organizations are being asked with increased frequency to demonstrate that they meet the common security and privacy requirements such as NIST, ISO, HIPAA, PCI and other standards. They are often replying to more than 200 individual audit requests and customer questionnaires in response to request for proposals every year, many requiring a separate analysis and response to the same or overlapping questions. In addition, entities respond to these third-party requests in a multitude of forms and reporting formats. These requests may take the following:
“We need to see your……HITRUST Self-Assessment Report.”
…HITRUST Verified Report.”
…HITRUST Certified Report.”
…responses to our questionnaire.”
…documented processes and procedures.”
…SOC 2 report.”
Although HITRUST has worked to establish an industry-accepted standard of reporting, various customers request multiple reporting formats. Therefore, organizations need to be prepared to efficiently respond to all types of requests.
What is the answer?
Given SOC 2 is a reporting format and not a security framework, the best answer is to issue a SOC 2 report on the HITRUST CSF control requirements, using these requirements as the basis of your organization’s cybersecurity and information protection program. To support this approach, the AICPA’s Trust Services Criteria has been aligned to the HITRUST CSF, which provides standard and comparable requirements for use in SOC 2 reporting.
“I thought HITRUST would meet my third-party reporting needs”
HITRUST has developed a standard report that provides a consistent representation of risk exposure, compliance posture and corrective actions that allow for benchmarking of results against security practices at similar organizations in the industry. However, as noted previously, requests come in for other reporting attributes, such as response to security questionnaires, requests for proposals, description of processes and controls implemented to satisfy the HITRUST CSF, and assurance that controls have operated, as designed, for a fixed and continuous period of time (e.g., a rolling six- or twelve-month reporting cycle). Therefore, the HITRUST reporting model and the SOC 2 reporting model are complementary since both are facilitated through the efficient assessment and implementation of controls to satisfy the CSF.
Determine the most efficient and effective method(s) of internal control reporting
Knowing that some third-parties will have very specific reporting formats from which one may not deviate, it is important to implement a third-party internal control reporting structure that is efficient, yet flexible. Mapping the HITRUST CSF to the AICPA Trust Services Criteria used in SOC 2 reporting is a way to provide that efficient and flexible structure. Under this structure of reporting, the SOC 2 + HITRUST report becomes the default method of reporting to meet the widest range of requests.
For those third parties wanting to determine your maturity against the HITRUST CSF, HITRUST has self-assessment, validated or certified reports available. In the case of HITRUST validated or certified reports, you can engage an approved HITRUST CSF Assessor firm that is also a CPA firm, thereby gaining the efficiency of testing once to satisfy both HITRUST and SOC 2 reporting needs.
Lastly, for those third-parties requiring specific responses in their pre-defined format (e.g., security questionnaires), you can map your SOC 2 HITRUST controls as responses to specific questions the third-party may be requesting, with the full SOC 2 report as a supporting reference document.
What resources are available to support SOC 2 + HITRUST reporting?
There are a number of resources available that can be leveraged when performing SOC 2 + HITRUST examinations. One that was already mentioned was the AICPA Guide on SOC 2 reporting available from the AICPA. A copy of this Guide is available from the AICPA website.
Additional HITRUST resources include a FAQ document that provides additional background on the HITRUST and AICPA collaboration, the various reporting options available, and a list of frequently asked questions. Another resource is an illustrative management assertion and CPA opinion (template) when issuing a SOC 2 + HITRUST report.
The last resource is a mapping of the HITRUST CSF to the Trust Services Criteria and consists of multiple mappings, driven by the version of the AICPA Trust Service Criteria and the version of the HITRUST CSF framework upon which management is making its assertion. Currently there are mappings of the HITRUST CSF versions 8 and 9 to the 2016 Trust Services Criteria and a mapping of the HITRUST CSF version 9 to the 2017 version of the Trust Services criteria.
Below are links to the HITRUST documents:
HITRUST CSF and CSF Assurance Programs for SOC2 Reporting: FAQs
Illustrative Assertion and Opinion for a SOC 2 + HITRUST Report
Mapping of 2017 Trust Services Criteria to HITRUST CSF v9 & 9.1
Mapping of 2016 Trust Services Criteria to HITRUST CSF v9 & 9.1
Mapping of 2016 Trust Services Criteria to HITRUST CSF v8 & 8.1
If you have additional questions on SOC 2 + HITRUST CSF reporting, you can reach out to firstname.lastname@example.org.