CSF Assurance Program
August 3, 2016
Policy/Program Change Details
HITRUST continues to recommend that “readiness assessments” be conducted for an organization’s entire HITRUST CSF-based information protection program, i.e., against all 135 security controls as scoped to its environment, rather than only those controls required for CSF certification.
This will help ensure both the approved HITRUST Authorized External Assessor and the assessed organization are always aware of the status of the information protection program and can readily support a CSF controls assessment, regardless of type (e.g., a security assessment used for certification or a comprehensive security assessment used to generate a regulatory scorecard).
Timetable for Implementation
Immediate: This bulletin is to clarify existing policy.