CSF Assurance Program
September 12, 2017
This bulletin is to remind assessor organizations about the expectations of the assurance process regarding the performance of testing of control requirements for assessments.
The validation process of the HITRUST CSF Assurance Program requires validation of all control requirements (100%) that are generated in an assessment based on the Assessed Entity’s risk factors. In addition, the expectation is that this testing be performed on site with a few exceptions. The exceptions are:
- Reliance on a third-party attestation in lieu of testing
- Inheritance of scores from a current validated assessment
- In cases where an organization deploys a virtual workforce (work from home) where making a visit is impractical.
HITRUST reserves the right to expand the QA process to include additional controls (up to 100%) and support for scores on a case-by-case basis at its sole discretion
This reminder is being issued due to feedback that some Assessors may be performing most, if not all, testing remotely, and that testing may not include 100% of the control requirements in an assessment. HITRUST takes the integrity of the assurance program seriously and will take steps to ensure that program requirements are being met in all cases.
Timetable for Implementation
Already effective per HITRUST CSF Assurance Program requirements.