As we’ve seen in other FAQs, the CSF is not a one-size-fits-all approach, for two reasons: (1) an organization can tailor the initial selection of the control baseline in accordance with defined risk factors, and (2) further tailoring is required based on unique threats, the organization’s specific environment, and the use of alternate controls. HITRUST simply requires organizations to justify their decisions to eliminate or modify the baseline.
The HITRUST CSF Assurance Program is no different. The only effect tailoring may have is on whether an organization can receive a HITRUST Validated Assessment Report with certification, because the required controls must meet certain implementation requirements (scores) for certification to be granted. A HITRUST Validated Assessment Report without certification provides the same level of assurance for the controls that were selected, while also providing the transparency needed for those controls that were modified or not selected. The HITRUST CSF Assurance Program therefore provides a common, consistent and repeatable means of assessing all types of organizations and of sharing assurances with internal and external stakeholders, including regulators.
For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure.