No, and this is a common misconception. In many cases the overall costs of information security and privacy assessments conducted under the HITRUST CSF Assurance Program are lower than those of other third-party assessments. The alignment between the HITRUST CSF and CSF Assurance programs allows a single CSF assessment report to support multiple objectives, such as a HIPAA risk assessment, an assessment against the NIST Cybersecurity Framework, and AICPA SOC 2® reports. In addition, the same report can be accepted by multiple external parties (such as business partners and government agencies), thereby reducing costs compared with the multiple assessments organizations must normally support.
For a fair comparison of costs, one should consider various factors such as:
- Scope of the assessment: Are both assessments reviewing the same scope?
- Applicability of the control requirements to the environment: Are the control requirements applicable to the organization or scope of assessment? Are they prescriptive and do they take into account relevant risk factors?
- Ability to audit: Does the framework have audit procedures to ensure consistency of assessment?
- Level of assurance: How well does the assessment and evaluation process ensure the control requirements are fully implemented?
- Caliber of the organization performing the assessment: Is the assessment being performed by a third party? What are the qualifications of the firm performing the assessment?