The SOC 1 has a completely different purpose than HITRUST. Typically a company would perform both if they are a TPA processing medical claims and other claims, where, there is responsibility for financial reporting and maintaining security over the information being handled.
The availability criteria addresses how you go about ensuring the in-scope data and systems stay online and recoverability should go awry.
Previously in SSAE-16 a Management Representation Letter was highly recommended and common practice, however, they were not explicitly required to be obtained except in certain existing subject matter sections. This
Depending on the size of your Company, you could look to another small business owner in a similar situation or trusted advisor to sit on each others board’s and create
As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.)
SOC 2 is not a certification, it’s a third party attestation of the controls in place at your organization. Typically when a company is asking this question though the answer
As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) has become
SOC Reporting Guide