SOC 2 vs HIPAA
Side-by-side comparison of SOC 2 Type II and the HIPAA Security Rule across 49 cybersecurity controls.
Shared: 46 | SOC 2 only: 3 | HIPAA only: 0 | Neither: 0
Covered by Both (46 controls)
Controls recognized by both SOC 2 and HIPAA. For each control, the first column lists the SOC 2 Trust Services Criteria (CC/A codes) and the second the HIPAA sections in 45 CFR Part 164. Note that §164.404 and §164.408, cited under Communication and Reporting, belong to the HIPAA Breach Notification Rule rather than the Security Rule.
Control | SOC 2 Type II | HIPAA
Governance Policy | CC1.1, CC1.2, CC1.3 | §164.308(a)(1)(i), §164.316(a)
Awareness & Training | CC1.4, CC2.2 | §164.308(a)(5)(i), §164.308(a)(5)(ii)(A)
Risk Management | CC3.1, CC3.2, CC3.3 | §164.308(a)(1)(ii)(A), §164.308(a)(1)(ii)(B)
Supply Chain Risk | CC9.2 | §164.308(b)(1), §164.314(a)(1)
Roles & Responsibilities | CC1.3, CC1.4 | §164.308(a)(2), §164.308(a)(3)(i)
Compliance | CC2.1, CC4.1, CC4.2 | §164.308(a)(8), §164.316(b)(1)
Asset Management | CC6.1 | §164.310(d)(1), §164.310(d)(2)(iii)
Risk Assessment | CC3.2, CC3.4 | §164.308(a)(1)(ii)(A)
Business Environment | CC1.1, CC1.2 | §164.308(a)(1)(i)
Data Classification | CC6.1, CC6.5 | §164.312(a)(1)
Vulnerability Mgmt | CC7.1 | §164.308(a)(1)(ii)(A), §164.308(a)(8)
Access Control | CC6.1, CC6.2, CC6.3 | §164.312(a)(1), §164.312(a)(2)(i)
Multi-Factor Auth | CC6.1 | §164.312(d)
Encryption | CC6.1, CC6.7 | §164.312(a)(2)(iv), §164.312(e)(2)(ii)
Data Protection | CC6.1, CC6.5, CC6.7 | §164.312(a)(2)(iv), §164.312(c)(1), §164.312(e)(1)
Backup & Recovery | A1.2, CC7.5 | §164.308(a)(7)(ii)(A), §164.310(d)(2)(iv)
Privileged Access | CC6.1, CC6.2, CC6.3 | §164.312(a)(1), §164.308(a)(3)(ii)(B)
Firewall / Net Seg | CC6.1, CC6.6 | §164.312(e)(1)
Endpoint Protection | CC6.8, CC7.1 | §164.308(a)(5)(ii)(B), §164.310(d)(1)
Patch Management | CC7.1 | §164.308(a)(1)(ii)(A), §164.308(a)(8)
Secure Config | CC6.1, CC7.1 | §164.310(d)(1), §164.312(a)(1)
Email Security | CC6.8 | §164.308(a)(5)(ii)(A), §164.312(e)(1)
Web Security | CC6.6, CC6.8 | §164.312(e)(1)
Zero Trust | CC6.1, CC6.3 | §164.312(a)(1)
Mobile Security | CC6.7 | §164.310(d)(1), §164.312(a)(1)
Cloud Security | CC6.1, CC6.7, CC7.1 | §164.308(b)(1), §164.314(a)(1)
WAF | CC6.6 | §164.312(e)(1)
DLP | CC6.5, CC6.7 | §164.312(a)(1), §164.312(e)(1)
Cont. Monitoring | CC7.1, CC7.2 | §164.312(b)
Logging & Audit | CC7.2, CC7.3 | §164.312(b), §164.308(a)(1)(ii)(D)
Intrusion Detection | CC7.2 | §164.308(a)(1)(ii)(D), §164.312(b)
Anomaly Detection | CC7.2 | §164.308(a)(1)(ii)(D)
SIEM / SOC | CC7.2, CC7.3 | §164.308(a)(1)(ii)(D), §164.312(b)
Incident Response | CC7.3, CC7.4, CC7.5 | §164.308(a)(6)(i), §164.308(a)(6)(ii)
Forensics | CC7.4 | §164.308(a)(6)(ii)
Communication | CC2.3, CC7.4 | §164.308(a)(6)(ii), §164.404(a)(1)
Mitigation | CC7.4, CC7.5 | §164.308(a)(6)(ii)
Reporting | CC2.3, CC7.3 | §164.308(a)(6)(ii), §164.404(a)(1), §164.408(a)
Recovery Planning | A1.2, A1.3 | §164.308(a)(7)(i), §164.308(a)(7)(ii)(B)
Business Continuity | A1.1, A1.2, A1.3 | §164.308(a)(7)(i), §164.308(a)(7)(ii)(C)
Lessons Learned | CC4.2, CC7.5 | §164.308(a)(8)
Comms & Restore | CC2.3, A1.2 | §164.308(a)(7)(ii)(C)
Disaster Recovery | A1.2, A1.3 | §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B)
API Security | CC6.1, CC6.6, CC8.1 | §164.312(a)(1), §164.312(e)(1)
Insider Threat | CC6.2, CC6.3, CC7.2 | §164.308(a)(3)(ii)(A), §164.308(a)(4)
Vendor Risk Mgmt | CC9.2, CC3.2 | §164.308(b)(1), §164.314(a)(1), §164.314(a)(2)(i)
Only in SOC 2 (3 controls)
Controls covered by SOC 2 but not by HIPAA. Organizations that rely on HIPAA alone should consider supplementing their program with these.
Summary: SOC 2 vs HIPAA
SOC 2 Type II and the HIPAA Security Rule share 46 of the 49 tracked controls. SOC 2 uniquely covers 3 controls that HIPAA does not: Threat Intelligence, Secure Development and DNS Security. HIPAA covers no controls that SOC 2 does not. Together, the two frameworks cover all tracked controls. For comprehensive cybersecurity coverage, organizations often adopt both frameworks or supplement them with other frameworks.