Assessors and auditors generally determine control effectiveness regardless of what controls are specified, albeit there is usually a negotiation between the auditor/assessor and the organization before the final report is issued.

However, assessors actually have more leeway in assessing the effectiveness of an organization’s controls—and actually determining what those controls should be—when a framework like the HITRUST CSF is not used. Before an assessor can become a HITRUST-approved External Assessor organization, it undergoes a vetting process for their assessment methods and the experience and qualifications of its staff. They are also required to adhere to HITRUST guidelines for CSF assessments, and each validated or certified assessment undergoes a quality review by HITRUST to ensure consistency and repeatability regardless of the External Assessor doing the work.

For more information, refer to the External Assessor Datasheet.


Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment