No. This is a common misconception; in many cases the overall cost of an information security and privacy assessment is lower than that of other 3rd party assessments. The alignment between the HITRUST CSF and the CSF Assurance programs allows a single CSF Assessment report to support multiple objectives, such as a HIPAA risk assessment and an assessment against the NIST Cybersecurity Framework. In addition, the same report can be accepted by external parties (such as business partners and government agencies), reducing the costs associated with undergoing multiple separate assessments.
For a fair cost comparison between assessments, one should consider factors such as:
- Scope of the Assessment: Are both assessments reviewing the same scope?
- Applicability of the Control Requirements to the Environment: Are the control requirements applicable to the organization or to the scope of the assessment? Are they prescriptive, and do they take relevant risk factors into account?
- Auditability: Does the framework define audit procedures that ensure consistency across assessments?
- Level of Assurance: How rigorous is the process for verifying that the control requirements have been implemented?
- Caliber of the Organization Performing the Assessment: Is it being performed by a 3rd party? What are the qualifications of the firm performing the assessment?