Publication date: October 20, 2022

ISO 27001, HITRUST and SOC 2 – What Are the Differences?

Written by Angela Polania

Angela Polania, CPA, CISM, CISA, CRISC, HITRUST, CMMC RP. Angela is the Managing Principal at Elevate and board member, and treasurer at the CIO Council of South Florida.

In our industry, there is an endless assortment of compliance frameworks that result in certifications and audit reports you can give to your stakeholders – whether clients, vendors, investors, auditors, or regulatory agencies. When our clients ask Elevate about the differences between the SOC 2, HITRUST, and ISO 27001 frameworks, we like to start with the similarities and then work through the differences. After all, each of these frameworks requires that companies adopt security and privacy controls in alignment with best practices, to mitigate risks or meet a specific objective.

If it’s just security and privacy controls, what makes them different? 

Let’s begin with a high-level understanding of each and the types of clients that generally align with each framework. 

ISO (International Organization for Standardization) is an independent, non-governmental, international organization that develops standards to ensure the quality, safety, and efficiency of products, services, and systems. The ISO 27001 certification is specific to the effectiveness and continual improvement of the Information Security Management System (ISMS) and is generally pursued by companies with stakeholders internationally. It is widely recognized within and outside the US, as it is mapped to other frameworks like NIST and GDPR. 

The American Institute of CPAs (AICPA) is a professional organization for Certified Public Accountants (CPAs) in the United States that developed the auditing procedure for the Systems and Organization Controls 2 (SOC 2) examination. It defines criteria for managing systems, processes, or services on behalf of clients based on the five “trust service principles” of security, availability, confidentiality, processing integrity and privacy. This is generally pursued by technology providers, service providers or third-party administrators in the US. ISAE 3401 and 3000 are international equivalents for SOC 1 and 2 respectively, but not as widely known and accepted outside the US as ISO. 

HITRUST stands for the Health Information Trust Alliance, which is an organization founded in 2017 and governed by representatives of the healthcare industry. They developed a “HITRUST approach” and a framework to help organizations effectively manage data, information risk, and compliance. While HITRUST can be adopted by all industries, it is especially recognized in health care, for both public and private sectors. 

Now, let’s look at some of the key differences: 

Controls: The number of controls varies by organization (e.g., size, structure, boundary and scope definition), but generally speaking, SOC 2 has the fewest controls, followed by ISO 27001, and finally HITRUST.

ISO 27001: About 175 Controls in Scope (93 controls and 4 areas under scope – organization, technical, people, and physical) 

SOC 2: Generally less than 100 controls, unless Privacy is included 

HITRUST: 198 – 2,000 controls, depending on the organization’s profile and if r2 or i1 are chosen 

Audit Cycle: The audit cycle varies from 6 months to 3 years depending on the framework – SOC 2 can have a 6-month, 9-month or 12-month cycle, while HITRUST’s i1 has a 1-year cycle, HITRUST’s r2 has a 2-year cycle, and ISO 27001 has a 3-year cycle.

ISO 27001: 3-year cycle (1st year is a full audit, surveillance for 2nd and 3rd years) 

SOC 2: The client decides the length of coverage; it’s common to see 6 months, 9 months, or 12 months 

HITRUST: A 2-year cycle for r2 and a 1-year cycle for i1 

Sampling: Samples can be taken at a single point in time or over a period of time – ISO 27001 and SOC 2 Type 1 are point-in-time audits, whereas SOC 2 Type 2 and HITRUST cover a period of time. The sample size for a point-in-time audit is smaller than the sample size for an audit over a period of time.

ISO 27001: a point in time  

SOC 2: Type 1 – a point in time; Type 2 – a period of time 

HITRUST: Requires that controls are implemented for a minimum of 90 days, or 60 days for policies. 

Framework Mapping: The GDPR was created by the European Union as a privacy and security law for the purpose of regulating data privacy standards for any organization that collects data from anyone in the EU. In order to remain compliant with these standards, some organizations need to pass audits for the GDPR standards. Of these three frameworks, ISO 27001 and HITRUST map to GDPR.   

ISO 27001: Maps to GDPR and best practices 

SOC 2: No official mapping, but does incorporate best practices in alignment with other frameworks 

HITRUST: Maps to GDPR and best practices 

Perceived Level of Effort: We don’t recommend that clients take the path of least resistance, so we provide you with visibility into the options (e.g., cost, perceived level of effort, timelines, etc.) to help you choose the framework and implementation strategy that works best for your organization.  

ISO 27001: Least amount of effort of all three, but there is specific documentation and upkeep over the ISMS program 

SOC 2: Fewer controls than ISO 27001, but the sampling over a period of time for Type 2 requires a larger period of effectiveness for newly implemented controls. This option is still less effort than HITRUST 

HITRUST: The highest amount of effort, with the potential for up to 2,000 controls. It requires the use of HITRUST’s proprietary MyCSF platform and an understanding of HITRUST’s rubric and scoring. i1 is slightly less effort than r2, as it only audits the implementation stages.

Pricing Factors & Maintenance: Below is a quick view of the services Elevate offers for each framework, from readiness, to remediation, to maintenance, along with components that impact pricing. 

ISO 27001:  

  • Readiness / Gap Assessment 
  • Consider boundary definition  
  • Consider specific ISO clauses included in the certification (e.g., ISO 27001, 27018, and 27701)
  • ISMS Internal Audit 
  • Audit Year 1 is generally the starting price 
  • Surveillance Years 2 and 3 will have a discounted price 
  • ISMS Risk Assessment  
  • Supplemental services such as Penetration Tests, Vulnerability Scans, Policy and Procedure Development, and other remediation activities 
  • Audit by External Assessor 

SOC 2:  

  • Readiness / Gap Assessment 
  • Consider boundary definition 
  • Consider which principles you would like to include, with security being the baseline to confidentiality, availability, and processing integrity being additional, to privacy being the most expensive 
  • Supplemental services such as Penetration Tests, Vulnerability Scans, Policy and Procedure Development, and other remediation activities 
  • Audit by External Assessor 

HITRUST:  

  • Consider the cost of the MyCSF Software licensing 
  • Readiness Assessment 
  • Consider boundary definition 
  • Consider the scope of controls as prescribed by the MyCSF Software 
  • Supplemental services such as Penetration Tests, Vulnerability Scans, Policy and Procedure Development, and other remediation activities 
  • ISMP Internal Audit 
  • Audit by External Assessor 
  • Audit Year 1 
  • Audit Year 2 

Still unsure which framework is right for your organization? Are you unclear about the steps your organization can take to prepare? Did you already start the process of a different framework and are second guessing if you made the right decision? Contact us and we will help you determine the best course of action!  
