Authorized External Assessor Organizations and auditors generally determine control effectiveness regardless of what controls are specified, albeit there is usually a negotiation between them and the organization before the final report is issued.

However, external assessors actually have more leeway in assessing the effectiveness of an organization’s controls—and actually determining what those controls should be—when a framework like the HITRUST CSF is not used. Before an external assessor can become a HITRUST Authorized External Assessor organization, it undergoes a vetting process for their assessment methods and the experience and qualifications of its staff. They are also required to adhere to HITRUST guidelines for CSF assessments, and each Validated Assessment undergoes a quality review by HITRUST to ensure consistency and repeatability regardless of the Authorized External Assessor Organization doing the work.

For more information, refer to the External Assessor Datasheet.

Feedback

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment