Audit and Assurance


HiTrust Certification vs SOC Type II Attestation

  • 1.  HiTrust Certification vs SOC Type II Attestation

    Posted 28 Feb, 2020 14:11
    I am well versed in SOC II audits and attestation reports. I know of and have a good idea of HiTRUST. Question: can any of you give me an idea of how much additional effort it would be to change our current SOC II attestation to a HiTrust certification? I don't need granular mapping because HiTrust offers that, but I am looking to quantify the deltas for the commitment of changing at a high level. I appreciate your insight so I can better understand the level of effort involved, thank you.

    ------------------------------
    James (Jim) Horton
    Senior Manager IT Security Governance, Risk & Compliance
    ------------------------------


  • 2.  RE: HiTrust Certification vs SOC Type II Attestation

    Posted 29 Feb, 2020 03:05
    Hi Jim,
    You are one of the few with SOC 2 and attestation knowledge and experience. I am keen on learning and becoming familiar with it. Can you please direct me to the right reference material? Any guidance from you is much valued.

    Thanks & regards

    Nalin

    ------------------------------
    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.
    ------------------------------



  • 3.  RE: HiTrust Certification vs SOC Type II Attestation

    Posted 02 Mar, 2020 09:58
    Nalin, hit me up in about a week so I can give you a better, more in-depth answer. I am just way too busy at this point to dive in deeper.

    ------------------------------
    James (Jim) Horton
    Senior Manager IT Security Governance, Risk & Compliance
    ------------------------------



  • 4.  RE: HiTrust Certification vs SOC Type II Attestation

    Posted 29 Feb, 2020 06:44

    Jim,

    It really depends on your system scoping. You should reach out to the CPA firm that does your SOC 2 (assuming they do HITRUST) or another CPA firm that does HITRUST. They will gather some information from you and determine how many controls you would be subjected to within the HITRUST framework, depending on whether you're only doing security or including privacy. From my experience, HITRUST is quite a bit of work, as there is a manual aspect by your organization to type in all the responses for each required control in the tool and to meet the detailed characteristics of each control from each domain.



    ------------------------------
    Ben Phillips, CPA, CITP, CISA

    ------------------------------



  • 5.  RE: HiTrust Certification vs SOC Type II Attestation

    Posted 02 Mar, 2020 09:56
    Ben, very helpful information regarding the subject line. I agree it is quite a bit of work; now I just have to quantify that amount of work, I suppose. I appreciate you taking the time from your busy day to help out a colleague.

    ------------------------------
    James (Jim) Horton
    Senior Manager IT Security Governance, Risk & Compliance
    ------------------------------



  • 6.  RE: HiTrust Certification vs SOC Type II Attestation

    Posted 01 Mar, 2020 04:22
    I have some working knowledge of SOC II too. I would like to know what additional control elements are required to be tested apart from those in the trust principles.

    ------------------------------
    Rama Venugopal
    Lead Auditor
    ------------------------------



  • 7.  RE: HiTrust Certification vs SOC Type II Attestation

    Posted 02 Mar, 2020 09:53
    Hi Rama, if you join the HiTrust Alliance website, they will allow you to research and download material which will allow you to answer those questions you have. Also, per note, see Dale's answer below.

    ------------------------------
    James (Jim) Horton
    Senior Manager IT Security Governance, Risk & Compliance
    ------------------------------



  • 8.  RE: HiTrust Certification vs SOC Type II Attestation

    Posted 02 Mar, 2020 08:18
    Jim,

    I have seen this done two ways with regards to HITRUST and SOC II:

    1. SOC2 + HITRUST

    Within the HITRUST MyCSF there are 75 control statements that are 'required' for certification. So no matter what scoping answers you give for HITRUST, those 75 are always going to be among the controls that are considered in scope. For the SOC2+HITRUST reports that I have seen, the entities have mapped their control statements to those 75 required control statements in the MyCSF within Section IV of their SOC 2. The auditors then test those control statements against not only the AICPA principles within the SOC 2 but also against the MyCSF; then, once the SOC 2 is issued, they include some language in Section I that their evaluation included procedures to include the MyCSF. The CPA firm doesn't necessarily have to be a HITRUST assessor to issue a SOC 2, but there are some licensing and cost issues that they will have to figure out before they can issue a SOC2+HITRUST report. I have not seen many SOC2+HITRUST reports, but the ones I have seen followed this method.

    2. SOC2 and Validated Assessment - You do the SOC 2 and the validated assessment at the same time. There is some scope overlap, so as long as your auditor/HITRUST assessor has some experience doing this and your internal documentation is good, this isn't too bad. Just keep in mind the average SOC 2 has between 100 and 110 control statements across the security criteria. A minimally scoped HITRUST assessment has between 240 and 280 control statements. I have been through a few of these engagements as a HITRUST assessor; they are actually fun, but the additional controls added for the validation sometimes make this seem overwhelming or daunting.

    Let me know if you want to talk further or if you have any additional questions. I could probably even walk you through what control statements would be in your HITRUST assessment; that would give you a solid number of additional controls over what you currently have in your SOC 2 (I assumed from your question that you already have a SOC 2).

    Dale


    ------------------------------
    Dale Dresch
    IT Audit Manager
    ------------------------------



  • 9.  RE: HiTrust Certification vs SOC Type II Attestation

    Posted 02 Mar, 2020 09:43
    Hi Dale, thank you so much for your detailed response; it is one of the better answers I have seen. I have been looking into this over the weekend and through the HiTrust Alliance website and am aware of the different options, but coming straight from you allows more clarity in what I have been reading. Yes, we do have a SOC II, and have had one for several consecutive years; a new customer is possibly wanting us to go the route of SOC 2 + HiTrust, so I wanted to get a feel for the additional work involved. I appreciate your answers and would like to request you as a connection for collaboration, thanks again.

    ------------------------------
    James (Jim) Horton
    Senior Manager IT Security Governance, Risk & Compliance
    ------------------------------