Can I use the HITRUST certification to replace my SOC 1 or SOC 2 report?

October 26, 2015 Greg Miller

Currently, HITRUST is not a replacement for SOC 1 or SOC 2 examinations. HITRUST and the AICPA have recently released a mapping document that identifies the CSF controls that are mapped to SOC 2 Trust Services Principles for Security, Availability, Processing Integrity, and Confidentiality.

Privacy requirements are expected to be mapped sometime in 2016, after the AICPA releases its new revision to the Trust Services Principles. According to HITRUST, the AICPA and HITRUST are working on a combined HITRUST CSF – AICPA SOC 2 reporting structure to support dual assessment and reporting. More information can be obtained from A spreadsheet with the detailed SOC 2 to CSF mappings can also be found on the AICPA website.

About the Author

Greg Miller

Greg Miller is a Principal at Schellman. Greg leads the HITRUST service line. Greg has more than 20 years of combined audit experience in both public accounting and private industry.
