Multi-Framework

SOC 2, HIPAA & GDPR Control Crosswalk: Map Once, Satisfy Three Frameworks

A CPA firm's control-by-control crosswalk of SOC 2 Trust Services Criteria, the HIPAA Security Rule (45 CFR 164), and GDPR Article 32 — which evidence is reusable, and the privacy gaps you cannot map away.

The short answer

SOC 2, HIPAA, and GDPR share a large security core — access control, encryption, audit logging, incident response, and vendor risk map cleanly across SOC 2 Common Criteria CC6–CC9, HIPAA 45 CFR 164.308/164.312, and GDPR Article 32. Most security evidence is reusable. But the three are different kinds of thing (a CPA attestation, a US statutory rule, an EU regulation), and each adds obligations the others don’t — HIPAA’s ePHI-scoped rules and Business Associate Agreements; GDPR’s data-subject rights, RoPA, DPIAs, and transfer mechanisms. Map the overlap once; treat the gaps as framework-specific overlays.

Key takeaways

  • The security core cross-maps tightly. SOC 2 CC6–CC7, HIPAA 45 CFR 164.312, and GDPR Art. 32 all demand access control, encryption, logging, and incident response — one evidence set can satisfy all three.
  • The gaps do not transfer. HIPAA needs Business Associate Agreements and ePHI-scoped risk analysis; GDPR needs a lawful basis, data-subject rights (Arts. 15–22), RoPA (Art. 30), DPAs (Art. 28), DPIAs (Art. 35), and transfer safeguards. Neither is covered by SOC 2 security.
  • A SOC 2+ report maps SOC 2 to a second framework in one CPA examination — it is assurance of alignment, not a HIPAA attestation, a GDPR certificate, or an ISO 27001 certificate.
  • Breach clocks differ. GDPR Art. 33 is “where feasible, within 72 hours of becoming aware”; HIPAA is “no later than 60 calendar days from discovery.” Build one incident process to the tighter clock.
  • HIPAA rules may tighten. An HHS NPRM (published 6 Jan 2025) proposes to end the Required/Addressable distinction and mandate encryption and MFA — not finalized as of July 2026.

TL;DR — what overlaps, what doesn’t

If you already run a SOC 2 audit against the Trust Services Criteria, you have built most of the technical security controls that HIPAA and GDPR also demand. In our coordinated examinations, the reusable core is consistent: identity and access management, encryption in transit and at rest, centralized logging and monitoring, formal change management, vulnerability management, and vendor due diligence. That work carries over. What does not carry over is the paperwork and rights machinery unique to each regime — and that is exactly where teams over-claim coverage and get caught in enterprise diligence.

The honest framing is: SOC 2 gives you a large head start on HIPAA’s safeguards and on GDPR’s security of processing — but not on HIPAA’s Business Associate Agreements or GDPR’s privacy-governance duties. This guide gives you the control-by-control crosswalk, a shared-evidence matrix, and the specific gaps to flag rather than paper over.

The three frameworks are not the same kind of thing

Before mapping controls, separate the categories. A crosswalk fails the moment someone treats a SOC 2 report as if it “certifies” HIPAA. SOC 2 is a CPA attestation performed under the AICPA’s attestation standards (SSAE 18, with concepts in AT-C section 105 and the examination performed under AT-C section 205) that results in an independent auditor’s opinion. HIPAA is a US statutory rule enforced by HHS’s Office for Civil Rights — there is no government-issued HIPAA certificate; compliance is self-determined and demonstrable through documentation and, optionally, third-party assessment. GDPR is an EU regulation whose compliance is shown through accountability documentation, not a single certificate.

Framework at a glance — SOC 2 vs HIPAA vs GDPR (with ISO 27001 for reference)
DimensionSOC 2HIPAA (Security Rule)GDPRISO 27001:2022 (ref.)
Governing body / standardAICPA — SSAE 18 / TSP section 100HHS OCR — 45 CFR Part 164EU / EDPB — Reg. (EU) 2016/679ISO/IEC — 27001:2022 + Annex A
Legal statusVoluntary attestationStatutory rule (mandatory for covered entities/BAs)Regulation (mandatory)Voluntary certification
OutputIndependent CPA opinion reportNo certificate — self-determined (+ optional 3rd-party)Accountability documentationAccredited certificate
Scope of dataAny system data in scopeElectronic protected health information (ePHI)Personal data of EU/EEA data subjectsInformation in the ISMS scope
AssessorLicensed CPA firmSelf or third-party assessorController/processor; DPA on enforcementAccredited certification body
Renewal cadenceAnnual (rolling observation periods)Ongoing; risk analysis kept currentOngoing accountability3-year cycle + annual surveillance
Breach clockNot applicable≤ 60 calendar days from discovery72 hours where feasible, from awarenessNot prescribed
Territorial triggerBuyer/contract drivenUS covered entities & business associatesProcessing EU personal data / targeting EUOrganizational choice

This matters commercially. A buyer’s security team may accept your SOC 2 report as evidence of your control environment, but their legal team will still want a signed Business Associate Agreement (for PHI) or a Data Processing Agreement (for EU personal data). Those are contractual obligations that no attestation replaces. For financial-reporting controls, note that SOC 1 / ICFR is a separate report and is out of scope for this security-focused crosswalk.

The master crosswalk: SOC 2 TSC ↔ HIPAA 45 CFR 164 ↔ GDPR Article

The table below is the centerpiece. It maps each control domain to its SOC 2 Trust Services Criteria identifier, the corresponding HIPAA Security Rule section in 45 CFR 164, and the relevant GDPR article, then states the shared control and the single reusable evidence artifact. The final column flags the framework-specific overlay you still owe.

A note on methodology: defensible crosswalks route through a neutral control spine rather than asserting one-to-one matches. NIST SP 800-53 and the NIST Cybersecurity Framework 2.0 are the common anchors most GRC tooling uses; ISO/IEC 27001:2022 Annex A is the credential many EU processors present for GDPR. Where a mapping is approximate, we say so. HIPAA implementation specifications marked † Addressable are currently addressable (not optional — you must implement or document why an alternative is reasonable); see the regulatory-status note after the table.

Master control crosswalk — security core shared across SOC 2, HIPAA & GDPR
Control domainSOC 2 TSCHIPAA (45 CFR)GDPRShared control & reusable evidenceFramework-specific overlay
Access controlCC6.1164.312(a)(1)Art. 32; Art. 5(1)(f)Logical access restricted to authorized users — access-control policy + system config exportHIPAA scopes to ePHI systems specifically
Unique user IDsCC6.1164.312(a)(2)(i) (Required)Art. 32Every user has a unique identifier — IdP user list
Authentication / MFACC6.1, CC6.2164.312(d)Art. 32Identity verified before access — MFA configuration screenshotProposed HIPAA rule would mandate MFA (not final)
User provisioning / de-provisioningCC6.2, CC6.3164.308(a)(4) (info access mgmt)Art. 32Access granted/revoked on role change — onboarding/offboarding tickets
Least privilege / RBACCC6.3164.308(a)(4); 164.312(a)(1)Art. 5(1)(c); Art. 32Access limited to job need — periodic access review exportGDPR adds data-minimisation intent
Encryption in transitCC6.7164.312(e)(1); (e)(2)(ii)†Art. 32(1)(a)TLS enforced on data in motion — TLS/endpoint config† Addressable under current rule
Encryption at restCC6.1, C1.1164.312(a)(2)(iv)†Art. 32(1)(a)Stored data encrypted — storage/KMS encryption config† Addressable; proposed rule would mandate
Boundary / threat protectionCC6.6, CC6.8164.308(a)(5)(ii)(B) (malware)Art. 32Perimeter and anti-malware controls — firewall/EDR config
Audit logging & monitoringCC7.1, CC7.2164.312(b) (audit controls)Art. 32; Art. 5(2)Activity logged and reviewed — SIEM/log sample + review record
Integrity controlsPI1.x, CC7.1164.312(c)Art. 5(1)(f); Art. 32Data protected from improper alteration — integrity/hashing config
Incident detection & responseCC7.3, CC7.4164.308(a)(6) (security incident procedures)Art. 32; Art. 33/34Incidents detected, evaluated, responded — IR plan + incident postmortemBreach-notice triggers & clocks differ (see below)
Breach notification— (not a TSC)164.400–414 (≤ 60 days)Art. 33 (72h) / Art. 34Notification workflow — breach register + notice templatesSOC 2 has no notification requirement; run to the 72h clock
Change managementCC8.1164.308(a)(8) (evaluation)Art. 32(1)(d)Changes reviewed, tested, approved — change tickets w/ approvals
Vulnerability mgmt & pen testingCC4.1, CC7.1164.308(a)(8) (evaluation)Art. 32(1)(d) “regularly testing”Regular testing/evaluation of effectiveness — pen test report + scan outputProposed HIPAA rule would mandate annual pen test / scans
Risk assessmentCC3.1–CC3.4164.308(a)(1)(ii)(A) (risk analysis)Art. 32; Art. 35 (DPIA)Documented risk assessment — risk analysis reportGDPR DPIA is triggered by high-risk processing (Art. 35)
Workforce trainingCC1.4, CC2.2164.308(a)(5) (awareness & training)Art. 39 (awareness)Security training delivered & tracked — training completion log
Vendor / subprocessor riskCC9.2164.308(b)(1) (BA contracts)Art. 28 (processor / DPA)Third parties assessed & contracted — vendor register + signed BAA/DPABAA (HIPAA) and DPA (GDPR) are distinct legal instruments
Availability & resilienceA1.1–A1.3164.308(a)(7) (contingency plan)Art. 32(1)(b),(c)Backups & recovery tested — backup restore test record + BCP/DR plan
Physical securityCC6.4 (physical access)164.310 (physical safeguards)Art. 32Facility/device access controlled — data-center attestation / badge logsCloud shifts this to provider CUECs
Data retention & disposalC1.2, CC6.5164.310(d)(2) (media disposal)Art. 5(1)(e); Art. 17Data retained & destroyed per policy — retention schedule + disposal recordGDPR adds storage-limitation & erasure duty
Confidentiality classificationC1.1— (implicit)Art. 5(1)(f)Data classified & handled by sensitivity — data classification policy
Data subject rightsP5.x (partial)— (HIPAA has its own patient rights)Arts. 15–22Process to fulfil access/erasure/portability requestsGDPR-specific — not covered by SOC 2 Security
Records of processing (RoPA)P1.x (partial)Art. 30Inventory of processing activitiesGDPR-specific — no SOC 2/HIPAA analogue
Lawful basis / consentP2.x, P3.x (partial)Art. 6; Art. 7Documented lawful basis & consent captureGDPR-specific
International transfersArts. 44–49Transfer mechanism in place (DPF or SCCs + TIA)GDPR-specific (see divergence section)

Regulatory-status note (dated July 1, 2026). The rows above reflect the HIPAA Security Rule as currently in force: technical safeguards live at 45 CFR 164.312 and several implementation specifications — including encryption/decryption and automatic logoff — are Addressable, meaning you must implement them or document a reasonable alternative. HHS published a Notice of Proposed Rulemaking on 6 January 2025 that would eliminate the Required/Addressable distinction and make measures such as encryption at rest and in transit, MFA, and network segmentation mandatory. As of this update the NPRM is not finalized, it missed its spring-2026 target, and more than 100 provider groups have asked HHS to withdraw it, citing (among other things) HHS’s own roughly $9 billion first-year cost estimate. Treat the † Addressable cells as current law, but design toward the proposed baseline, because encryption and MFA are best practice regardless.

Where the frameworks diverge — the gaps you cannot map away

The most common and most damaging mistake is assuming that because the security core overlaps, the whole framework is covered. It is not. In real coordinated examinations, the controls that most often fail to transfer are the governance and rights obligations that live entirely outside SOC 2’s security scope. The table below is the object to reference when a questionnaire asks “does your SOC 2 cover HIPAA/GDPR?”

Overlap vs gap — what each framework actually requires
Requirement areaSOC 2?HIPAA?GDPR?Why it does / doesn’t transfer
Access control, encryption, loggingYes (CC6/CC7)Yes (164.312)Yes (Art. 32)Same technical intent — evidence is fully reusable
Risk assessmentYes (CC3)Yes (164.308(a)(1))Yes (Art. 32/35)Reusable, but HIPAA must be ePHI-scoped and GDPR high-risk processing triggers a DPIA
Incident responseYes (CC7.3/7.4)Yes (164.308(a)(6))Yes (Art. 33/34)Same control; notification triggers/clocks differ (72h vs 60d)
Vendor managementYes (CC9.2)Yes (164.308(b)(1))Yes (Art. 28)Due diligence transfers; the contract (BAA vs DPA) does not
Business Associate AgreementNoYesNo (DPA instead)HIPAA-specific legal instrument for PHI handling
ePHI-scoped safeguardsPartialYesNoHIPAA applies to a defined data class; SOC 2 scope is broader/optional
Data subject rights (access/erasure)Partial (P5)No (own patient rights)Yes (Arts. 15–22)GDPR grants individuals enforceable rights SOC 2 security doesn’t address
Lawful basis & consentNoNoYes (Arts. 6–7)Uniquely GDPR — a legal ground for processing
Records of Processing (RoPA)NoNoYes (Art. 30)Documentation duty with no analogue elsewhere
DPIANoNoYes (Art. 35)Triggered by high-risk processing; SOC 2 risk assessment isn’t a substitute
International data transfersNoNoYes (Arts. 44–49)Requires an adequacy/DPF or SCCs + transfer impact assessment

HIPAA-only: ePHI and the BAA chain

HIPAA’s safeguards apply specifically to electronic protected health information, and its Privacy Rule (45 CFR Part 164, Subpart E) governs uses and disclosures that SOC 2 never touches. If you handle PHI on behalf of a covered entity, you are a business associate and must sign a Business Associate Agreement under 164.308(b)(1) — and flow equivalent terms down to your own subprocessors. A SOC 2 report can evidence the safeguards behind that BAA, but it cannot be the BAA.

GDPR-only: rights, records, and transfers

GDPR’s privacy-governance obligations have no SOC 2 or HIPAA equivalent. You need a documented lawful basis (Art. 6), a way to honour data-subject rights (Arts. 15–22), Records of Processing Activities (Art. 30), Data Processing Agreements with processors (Art. 28), and Data Protection Impact Assessments for high-risk processing (Art. 35). On transfers, the 2026 reality is that the EU-US Data Privacy Framework (the European Commission’s July 2023 adequacy decision, upheld by the EU General Court on 3 September 2025) lets a US organisation that self-certifies to the DPF receive EU personal data without additional safeguards. For recipients not DPF-certified, Standard Contractual Clauses plus a transfer impact assessment remain the fallback (Arts. 44–49). The DPF’s durability carries residual risk tied to US surveillance law (Section 702 FISA), so many teams keep SCCs ready as a backstop.

Collect once, satisfy many — the shared-evidence matrix

The operational payoff of a crosswalk is evidence reuse. Instead of collecting an access review three times for three audits, you collect it once and tag it to all three frameworks. The matrix below shows which artifact proves which requirement, how often to collect it, and who owns it. Pair it with disciplined audit evidence management so every artifact is complete, timestamped, and attributable.

Shared-evidence matrix — one artifact, multiple frameworks
Evidence artifactSOC 2HIPAA (45 CFR)GDPRFrequencyOwner / system of record
Access review exportCC6.1–6.3164.308(a)(4)Art. 32QuarterlyIT / IdP
MFA configuration screenshotCC6.1164.312(d)Art. 32Annually + on changeSecurity / IdP
Encryption config (transit & rest)CC6.7, C1.1164.312(e)(1), (a)(2)(iv)Art. 32(1)(a)Annually + on changeEngineering / cloud
SIEM / audit log sample + reviewCC7.1–7.2164.312(b)Art. 32, 5(2)Continuous / monthly reviewSecurity / SIEM
Incident postmortem & breach registerCC7.3–7.4164.308(a)(6); 164.400–414Art. 33/34Per incidentSecurity / IR tool
Change ticket with approvalsCC8.1164.308(a)(8)Art. 32(1)(d)Per changeEngineering / ticketing
Penetration test report + scan outputCC4.1, CC7.1164.308(a)(8)Art. 32(1)(d)Annually (min.)Security / testing vendor
Risk analysis reportCC3.1–3.4164.308(a)(1)(ii)(A)Art. 32/35Annually + on major changeCompliance / GRC
Vendor register + signed BAA/DPACC9.2164.308(b)(1)Art. 28On onboarding + annual reviewLegal / procurement
Backup restore test recordA1.2164.308(a)(7)Art. 32(1)(c)Semi-annuallyEngineering / infra
Security training completion logCC1.4, CC2.2164.308(a)(5)Art. 39Annually + onboardingPeople / LMS

GRC platforms such as Vanta, Drata, Secureframe, and Sprinto ship pre-built cross-mappings and automate much of this collection — “test once, satisfy many.” That tooling is genuinely useful for continuous monitoring. What it does not provide is the independent opinion a buyer’s procurement team ultimately relies on. Position a GRC tool as the evidence engine and a licensed CPA attestation as the assurance layer on top; the two are complementary, not competing.

How much of a head start does SOC 2 give you?

A mature SOC 2 (Security) program covers a large share of HIPAA’s technical and administrative safeguards, because CC6–CC8 map closely to 45 CFR 164.312 and 164.308. Vanta states that organisations already SOC 2 compliant “may be up to 65% of the way toward HIPAA compliance, based on controls cross-mapped in Vanta.” That is a useful directional benchmark — but it is a Vanta-tool-specific estimate, not an independent industry figure, so treat it as a competitor claim rather than a law of nature. The defensible way to talk about overlap is by safeguard family, not a single blended percentage.

Order of operations — which framework first, and what it unlocks
Your situationRecommended firstWhat it unlocks toward the othersHead-start (with caveat)
US SaaS selling to enterpriseSOC 2 (Security)Builds the security core reused by HIPAA 164.312/308 and GDPR Art. 32Large on security safeguards; none on BAAs or GDPR privacy duties
Healthtech handling PHISOC 2 + HIPAA (SOC 2+)One examination maps CC6–CC8 to 164.312/308; adds BAA + ePHI risk analysisVanta cites up to ~65% toward HIPAA from SOC 2 (tool estimate)
EU-facing / EU personal dataSOC 2 + GDPR readinessArt. 32 security satisfied by CC6/CC7; layer on RoPA, DPAs, DSR, transfersStrong on security; privacy governance is net-new
All three at onceCoordinated SOC 2+ examinationSingle control library + shared evidence; framework overlays added onceBiggest efficiency gain; still needs each framework’s unique docs

For a stage-by-stage view of sequencing as you grow, see our compliance roadmap from seed to Series C. If you are weighing dual financial-plus-security reporting, our note on when you need SOC 1 and SOC 2 together covers that adjacent decision.

What a SOC 2+ report is — and what it does not replace

Direct answer

A SOC 2+ report is an AICPA “SOC 2 report with additional subject matter”: one CPA examination that maps your SOC 2 Trust Services Criteria to an additional framework (commonly the HIPAA Security Rule, ISO 27001, or NIST) and reports on both in a single deliverable. It provides assurance of alignment from a licensed CPA — it is not a HIPAA attestation, a GDPR certification, or an ISO 27001 certificate, and it does not by itself produce a BAA or GDPR privacy documentation.

The value is efficiency and credibility: one scoping exercise, one evidence set, one fieldwork window, one report your buyers can read. Rather than running three disconnected projects, a coordinated examination tests the shared security core once and layers the framework-specific mappings on top. That is how a well-run audit methodology avoids the “audit fatigue” of collecting the same access review three times.

The guardrail matters because the central over-claim in this space is treating a SOC 2+ report as a HIPAA “certification.” There is no such thing — HIPAA is a statutory obligation with no government certificate. A SOC 2+ demonstrates that your controls align with HIPAA’s safeguards; you remain responsible for the BAA chain, ePHI-scoped risk analysis, and breach-notification obligations. For EU stakeholders who prefer an international assurance standard, the closest equivalent examination is ISAE 3000.

Build your unified control library in five steps

The mechanics of “map once, satisfy three” come down to a single control register that is framework-tagged and evidence-keyed. Here is the sequence we run in coordinated engagements.

  1. Scope the systems and data. Name the systems, cloud environments, and subprocessors in scope, and classify the data each touches (general data, ePHI, EU personal data). Scope drives everything downstream — getting it wrong cascades into the wrong controls and wrong evidence.
  2. Build one control register. Create a single list of controls with a stable ID and a role-based owner for each. Do not maintain separate SOC 2, HIPAA, and GDPR lists — that is where drift starts.
  3. Map each control to all three frameworks. Tag every control with its SOC 2 criterion, HIPAA CFR section, and GDPR article using the master crosswalk above. Flag the framework-specific overlays (BAA, RoPA, DSR, transfers) as their own controls so nothing is silently assumed “covered.”
  4. Define shared evidence and cadence. For each control, name the single reusable artifact, its collection frequency, and its system of record — the shared-evidence matrix above is the template. Add a pre-submission quality gate.
  5. Run coordinated audit cycles. Schedule one examination that tests the shared core once, then layers framework-specific testing. Feed findings back into the register so the next cycle is faster.

Common mapping mistakes

The failure modes below recur in nearly every first coordinated engagement. Each maps to a specific gap in the crosswalk.

  • Mapping only 164.312 and ignoring 164.308/164.310. HIPAA is broader than technical safeguards — administrative safeguards (risk analysis, workforce security, BA contracts) at 164.308 and physical safeguards at 164.310 must be mapped too, or your crosswalk covers a third of the rule.
  • Assuming SOC 2’s Privacy category equals GDPR. SOC 2 Privacy (P1.0–P8.0) only partially addresses GDPR. Data-subject rights (Arts. 15–22), lawful basis, RoPA (Art. 30), DPIAs (Art. 35), and transfers (Arts. 44–49) remain GDPR-only.
  • Treating a SOC 2+ report as a HIPAA certification. It is assurance of alignment, not a certificate, and never a substitute for a signed BAA.
  • Running one breach playbook that misses the 72-hour clock. A single incident-response control can satisfy both regimes only if it defaults to GDPR’s tighter “where feasible, within 72 hours of awareness” standard while also meeting HIPAA’s 60-day-from-discovery rule.
  • Citing SCCs as the only transfer mechanism. In 2026 the EU-US Data Privacy Framework is the primary route for DPF-certified US recipients; SCCs plus a transfer impact assessment are the fallback.

Frequently asked questions

Do SOC 2, HIPAA, and GDPR share the same controls?

They share a large security core but not everything. SOC 2’s Common Criteria (CC6–CC7), HIPAA’s 45 CFR 164.312 technical safeguards, and GDPR Article 32 all require access control, encryption, audit logging, and incident response, so most security evidence is reusable. HIPAA adds ePHI-specific rules; GDPR adds privacy obligations neither other framework covers.

How much of HIPAA does SOC 2 cover?

A SOC 2 (Security) program covers much of HIPAA’s technical and administrative safeguards because CC6–CC8 map closely to 45 CFR 164.312 and 164.308. Vanta estimates you may be up to 65% of the way toward HIPAA “based on controls cross-mapped in Vanta,” but SOC 2 alone does not satisfy Business Associate Agreements, ePHI-scoped risk analysis, or breach notice within 60 days.

Can one audit cover SOC 2, HIPAA, and GDPR?

Partly. A SOC 2+ report (an AICPA “SOC 2 report with additional subject matter”) lets one CPA examination map SOC 2 controls to HIPAA and GDPR criteria and share evidence, reducing duplicate work. It provides assurance of alignment but is not a HIPAA attestation, GDPR certification, or ISO 27001 certificate; GDPR still needs privacy-specific documentation.

Which GDPR requirements are NOT covered by SOC 2 or HIPAA?

GDPR-only obligations include lawful basis and consent, data subject rights (Articles 15–22), Records of Processing Activities (Article 30), Data Processing Agreements (Article 28), Data Protection Impact Assessments (Article 35), and international transfer mechanisms such as the EU-US Data Privacy Framework and SCCs (Articles 44–49). SOC 2 and HIPAA focus on security, not these privacy-governance duties.

What is the difference between HIPAA and GDPR breach notification timelines?

GDPR Article 33 requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. HIPAA’s Breach Notification Rule (45 CFR 164.400–414) requires notice without unreasonable delay and no later than 60 calendar days from discovery. A shared incident-response control satisfies both if it tracks the tighter 72-hour clock.

How do you map one control to SOC 2, HIPAA, and GDPR at once?

Build a single control library keyed to a shared evidence artifact, then tag each control with its SOC 2 criterion, HIPAA CFR section, and GDPR article. For example, MFA and access reviews satisfy SOC 2 CC6.1, HIPAA 45 CFR 164.312(a)(1) and (d), and GDPR Article 32 simultaneously, so one access-review export becomes evidence for all three.

Sources & references

  1. AICPA & CIMA — 2017 Trust Services Criteria (With Revised Points of Focus — 2022), TSP section 100.
  2. eCFR — 45 CFR 164.312, Technical safeguards, and 45 CFR Part 164, Subpart C (Security Rule).
  3. HHS.gov — Breach Notification Rule (45 CFR 164.400–414) and the 2025 HIPAA Security Rule NPRM fact sheet.
  4. gdpr-info.eu (Regulation (EU) 2016/679) — Article 32 (security of processing), Article 33, Article 28, and Article 30.
Sébastien Ruosch Reviewed by Sébastien Ruosch, CPA (US & Swiss licensed), Director of Audits at Auditsuisse. Last reviewed July 1, 2026.

Run one coordinated audit instead of three

Auditsuisse is a US & Swiss licensed CPA firm. We map your controls once across SOC 2, HIPAA, and GDPR, reuse a single evidence set, and issue a coordinated report — see our compliance audit services or book a scoping call to size a SOC 2+ examination.

Request Consultation
Back to top ↑