The SOC 1 has a completely different purpose than HITRUST. Typically a company would perform both if they are a TPA processing medical claims and other claims, where, there is responsibility for financial reporting and maintaining security over the information being handled.
This depends on how prepared and how many resources an Organization has to dedicate to the project. The first time through, usually a readiness assessment would be performed, and then
As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) has become
SOC 1 stemmed from the original SAS 70 report, which, once SSAE 16 was issued in April 2010, the formal report name was changed to being a SOC 1 report (but issued
SSAE-18 is effective for all reports issued after May 1, 2017.
SOC 2 is not a certification, it’s a third party attestation of the controls in place at your organization. Typically when a company is asking this question though the answer
Organizations that handle financial transactions, especially those impacting external financial statements, are good examples of those who need SOC1 audits.
SOC Reporting Guide