Upcoming Webinar | AI Meets ISO: What Makes ISO 42001 Different from ISO 27001 & 27701 on August 14th @ 1:00 PM ET

Learn More
866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
ISO 14001
ISO 45001
ISO 50001
Privacy Assessments
Privacy Assessments
Global CBPR & PRP Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

SOC 2 vs. SOC 2 + HITRUST: Why Compliance with One Doesn’t Guarantee the Other Blog Feature
Brody Price

By: Brody Price

Print/Save as PDF

SOC 2 vs. SOC 2 + HITRUST: Why Compliance with One Doesn’t Guarantee the Other

Healthcare Assessments | SOC Examinations | HITRUST | SOC 2

Published: May 1, 2017

Last Updated: Jul 30, 2025

HITRUST Certification is a globally recognized program that validates an organization’s compliance with the HITRUST Common Security Framework (CSF). An alternative to obtaining a HITRUST CSF Certification is the SOC 2 + HITRUST report, which serves as a collaboration between HITRUST and the AICPA. 

Although both frameworks assess comparable principles, completing a SOC 2 audit does not ensure success with SOC 2 + HITRUST due to key differences in control definition, implementation, and evaluation. In this article, we’ll use a real-world example to break down the notable distinctions between SOC 2 and SOC 2 + HITRUST. This way, you’ll better understand how compliance with one framework doesn’t automatically ensure compliance with the other. 

SOC 2 Report vs. SOC 2 + HITRUST Certification 

A SOC 2 report requires that a service organization has sufficient control activities in place to address the Trust Services Principles and Criteria (TSPC) developed by the AICPA. However, there are no stipulations by the AICPA as to what those control activities have to be. As long as the criteria are satisfactorily addressed to align with the risks that a service organization has identified, a service organization has some flexibility with the controls they implement. 

That being said, SOC 2 + HITRUST does not provide that same level of flexibility because HITRUST has predefined their control specifications, which have been mapped to the TSPC to which they apply as additional subject matter. This means that a control activity that was sufficient to satisfy a criterion for SOC 2 may not be sufficient for compliance with SOC 2 + HITRUST. A real-world example is the difference in password management requirements for each framework, as outlined below. 

Password Management Requirements in SOC 2 

The HITRUST control specification “01.d User Password Management” maps to TSP CC6.1 and CC6.6 for SOC 2 compliance. The criteria for CC6.1 and CC6.6 are as follows: 

  • CC6.1: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives. 
  • CC6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries. 

Note that TSPC CC6.1 and CC6.6 require logical access security measures to be in place, but they don’t specify any minimum requirements for the parameters. Therefore, the service organization has some flexibility as to what they feel are sufficient controls for their system, along with the commitments they make as an entity 

Password Management Requirements in SOC 2 + HITRUST 

The list below outlines the HITRUST control specifications, which must be examined for SOC 2 + HITRUST compliance. 

The following controls shall be implemented to maintain the security of passwords: 

  1. Password policies applicable to the organization’s information systems are documented and enforced through technical controls. 
  2. The organization changes all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts before deploying any new devices in a networked environment. 
  3. Authentication credentials are provided using a secure method. 
  4. User identities are verified prior to performing password resets. 
  5. Passwords are not included in any automated log-on process (e.g., stored in a macro or function key). 
  6. Users acknowledge receipt of passwords. 
  7. The organization has implemented the following controls to allocate and maintain the security of passwords:  
    1. Passwords are changed whenever there is any indication of possible system or password compromise 
    2. Default vendor passwords are altered following installation of systems or software 
    3. Temporary passwords are changed at the first log-on and require immediate selection of a new password upon account recovery 
  8. All passwords are encrypted during transmission and storage. 
  9. Users sign a statement acknowledging their responsibility to keep personal passwords confidential and to keep group passwords solely within the members of the group. 
  10. Temporary passwords are unique to an individual and are not guessable. 
  11. Password settings are configured to not display passwords in plain (or clear) text by default. 
  12. The organization must:  
    1. maintain a list of commonly used, expected, or compromised passwords 
    2. update the list of commonly used, expected, or compromised passwords at least every 180 days 
    3. update the list of commonly used, expected, or compromised passwords when organizational passwords are suspected to have been compromised, either directly or indirectly 
    4. verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly used, expected, or compromised passwords 
    5. allow users to select long passwords and passphrases 
    6. allow users to select passwords and passphrases containing spaces and all printable characters 
    7. employ automated tools to assist the user in selecting strong passwords and authenticators 
  13. The organization avoids the use of third-parties or unprotected (clear text) electronic mail messages for the dissemination of passwords. 

Note that specification 12 above requires an organization to update the list of commonly used, expected, or compromised passwords at least every 180 days. This becomes a minimum requirement for SOC 2 + HITRUST and would result in a deviation if the update was performed annually; whereas, if an organization were undergoing a SOC 2 and defined in their policies that an annual update was suitable for the organization’s risk level, the SOC 2 report would have no deviation. 

Moving Forward with SOC 2 or SOC 2 + HITRUST Compliance 

In short, each framework has differences in scope of what is assessed and includes a different level of flexibility in how those controls are examined. Hopefully the example above, which includes several HITRUST specifications, helps demonstrate that what would be sufficient for SOC 2 may not fully address the SOC 2 + HITRUST requirements. 

If your goal is to complete both SOC 2 and SOC 2 + HITRUST, you need to go beyond meeting general criteria. You’ll need to understand HITRUST’s control specificity, align your policies and configurations to HITRUST’s detailed implementation requirements, and conduct a readiness assessment that flags gaps early.  

If you’re ready to proceed with your SOC 2 Examination or SOC 2 + HITRUST Certification, or have additional questions about the differences, processes, or requirements involved, Schellman can help. Contact us today and we’ll get back to you shortly.  

In the meantime, discover additional insights in these helpful resources:  

About Brody Price

Brody Price is a Technical Lead at Schellman in Atlanta, GA. Prior to joining Schellman in 2021, Brody worked as a Digital Assurance and Transparency Associate for a Big 4 audit firm, specializing in SOX and SOC compliance. In his role, Brody is focused primarily on HITRUST/healthcare compliance for organizations across various industries. Brody holds certifications including the CISSP, CISA, CCSFP, and CCSK.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.