Advisory Type
Assurance Requirements
Policy/Program Change Details
This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the assurance process regarding the documentation of the scope of the entity’s assessed environment.
HITRUST Authorized External Assessors must provide a verbose description of the assessed environment that includes both systems/products and facilities. This description must clearly define assessment boundaries. In addition to the verbose description, there will be a summary table that must be provided that would further clarify what is included and what is not included such that any discrepancy can be clearly resolved through the definition. We have attached an illustrative example to this advisory.
Rationale
This change is to ensure the clear communication of the environment that was assessed to readers of HITRUST CSF Validated Assessment reports.
Timetable for Implementation
Effective for all validated assessments submitted on or after April 1, 2019.
For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.
Attachments