Skip to content

Policy/Program Change Details
HITRUST continues to recommend that “readiness assessments” be conducted for an organization’s entire HITRUST CSF-based information protection program, i.e., against all 135 security controls as scoped to their environment rather than only those controls required for CSF certification.

This will help ensure both the approved HITRUST Authorized External Assessor and the assessed organization are always aware of the status of the information protection program and can readily support a CSF controls assessment, regardless of type (e.g., a security assessment used for certification or a comprehensive security assessment used to generate a regulatory scorecard).

Timetable for Implementation
Immediate: This bulletin is to clarify existing policy.

<< Back to News Next Advisory >>

Subscribe to get updates,
news, and industry information.


Chat Now

This is where you can start a live chat with a member of our team