Accepting HITRUST CSF Certified Assessment Reports FAQs
What if my customer or vendor risk management outsourcer wants a proprietary questionnaire answered or assessment executed even though I am a HITRUST CSF assessed entity?
A HITRUST Certification Report covers 40 authoritative sources. The HITRUST CSF provides comprehensive coverage of general security requirements and provides prescriptive controls (safeguards), i.e., the control requirements should be detailed enough to support implementation in the intended environment and adequately address relevant threat(s). In many cases where a customer is asking for a proprietary questionnaire to be filled out or an independent assessment performed, the areas of interest from that customer may have already been addressed and assessed through a HITRUST CSF Assessment. In our experience, putting in some time to educate the customer on what is covered within the scope of a HITRUST assessment and providing them the authoritative source mapping will result in the customer accepting the HITRUST CSF Assessment in place of their proprietary programs. In some instances, performing a cross-reference mapping of the customer’s questionnaire to the HITRUST CSF Assessment that was performed, provides the customer with the necessary assurance requested and eliminates the need for a separate questionnaire. We suggest taking these actions first and if those are not successful you can reach out to HITRUST for additional support and suggestions.
Email HITRUST Support:
My customer is asking for an assessment scope different from what my organization currently has, either partially or fully. What do I do in this instance?
In cases where there is a gap in scope, it is recommended that the customer requests the organization to conduct a GAP analysis, expand or adjust the scope of their assessment as needed, and complete an assessment against the controls in question or missing based on the additional systems and organizational elements in the modified scope. Most customers will accept whatever has been assessed to date while waiting for the expanded assessment to be executed. HITRUST recommends organizations start by performing a HITRUST CSF Readiness Assessment with their CSF assessor over the missing scope to satisfy the customer demands while working on the remainder of the HITRUST CSF Validated Assessment.
My customer has an issue with the perception of the assessor that performed my organization’s HITRUST CSF Validated Assessment. How do I address their concern?
HITRUST Authorized External Assessors are organizations that have been approved by HITRUST for performing assessments and services associated with the HITRUST CSF Assurance Program and the HITRUST CSF, a comprehensive risk management framework that incorporates the existing security and privacy requirements of organizations. Authorized External Assessors are critical to HITRUST’s efforts to provide trained resources to organizations of varying size and complexity to assess compliance with security and privacy control requirements and document corrective action plans that align with the HITRUST CSF. All Authorized External Assessors are treated equally by HITRUST. This means that every assessor, regardless of their size and portfolio of capabilities, must go through a rigorous onboarding and ongoing quality review process. As part of HITRUST’s due diligence, a review of each organization and individual practitioner is performed to ensure quality standards are met. Each individual must also attend a live virtual training course and pass an exam to become a Certified CSF Practitioner. Although some assessors may have performed more assessments than others, that does not mean that all assessors are not held to the same level of quality standards. As with any professional services firm relationship, each client’s experience may be different in the marketplace. We encourage organizations that find themselves in this position to direct their customers to the information regarding the HITRUST Assessor Program and direct them to HITRUST for any specific questions regarding the program or any concerns related to specific assessor through the HITRUST Ethics Hotline:
English: USA and Canada: 844-940-0033
Spanish: USA and Canada: 800-216-1288
There are rare instances when customers may demand that an organization use a specific assessor or chose from a select list of assessors to perform their validated assessment. Unfortunately, this is outside of HITRUST’s control and will need to be negotiated directly with the customer.
HITRUST has an Assessor Council with whom HITRUST interacts as it relates to the CSF Assurance Program. Within the membership of the Assessor Council, there is a quality subcommittee that meets regularly to provide input regarding the requirements of assessors when performing assessments and help ensure the consistency and quality of the procedures being performed by assessors. This, combined with internal HITRUST quality assurance procedures, should provide some assurance that assessors are performing engagements in accordance with the Authorized External Assessor requirements.
Why does my customer want to perform on-site audits/assessment procedures even after accepting my HITRUST CSF Assessment/Certification and what can I do to prevent or minimize the impact of this?
In most scenarios, a HITRUST CSF Certification or Validated Assessment report is accepted in place of proprietary on-site audits and reporting requests. Scenarios do exist where contracts enable a customer to request a performance of its own on-site audit procedures. Often times the scope of these procedures or areas of focus may be on specific requirements outside the scope of a HITRUST CSF assessment. Other times, after a HITRUST CSF assessment has been received and reviewed, the customer may decide to dive further into certain areas covered by the assessment if corrective actions plan or gaps have been identified or if the maturity scores of a particular domain are below the customer’s expectations. In these scenarios, we have found that the scope of the procedures is more targeted at those areas of focus as opposed to a full audit. We encourage assessed entities to work with their customers to make sure that there is an understanding of what has been covered within the scope of the assessment. The scope of proprietary audit procedures should be negotiated only to extend to those areas of focus necessary for the customer to achieve the desired level of assurance.
My customer is asking for a mapping of the HITRUST CSF Assessment/scope to another type of questionnaire even after multiple attempts of using the authoritative mapping resources that HITRUST provides. Can HITRUST help me in executing this mapping so I can show my customer that I have satisfied the requirements contained within the proprietary questionnaire?
If you, as an assessed entity, have already provided the crosswalks and mapping resources that are readily available to your customer and are still being asked to map directly to a proprietary questionnaire by your customer, HITRUST recommends that you work directly with your Authorized External Assessor to determine what, if any, gaps exist between the questionnaire and the results of the HITRUST CSF Assessment. There are similarities across the thousands of questionnaires in the market. Many standard questionnaires are based on the HITRUST CSF or other popular standards such as the NIST Cybersecurity Framework, HIPAA, and ISO. More than likely the HITRUST CSF and Assessments are already capturing the areas of risk that these questions are designed to address.
What if my customer is asking for a mapping of the HITRUST CSF Assessment to an authoritative source or questionnaire currently not included within HITRUST’s formal mapping? Does HITRUST have a process to consider including new or additional authoritative sources and/or questions within the framework?
HITRUST has a CSF Advisory Council and a formal process that addresses changes and recommendations to the HITRUST CSF and the CSF authoritative sources. The council maintains a running list of new or additional authoritative sources and questions to be considered for inclusion within the CSF in future releases. Organizations can submit requests for consideration through HITRUST for consideration by the council. Requests are assessed and fulfilled or addressed based upon market demand for new or additional sources within the framework. In some instances, although an additional authoritative source or set of proprietary questions may not be formally included within the framework, HITRUST may be able to assist in mapping to them on a case by case basis for specific assessed entities to help address the customer requests. Email HITRUST Support.
My customer is requesting additional supporting documentation that was used in conducting a HITRUST CSF Assessment, i.e. actual evidence or working papers, for additional comfort, e.g., penetration review results.
This is a valid request and we encourage the assessed entity to provide the supporting data. In cases where supporting data is confidential, it is appropriate for the requesting party to make accommodations that allow the data to be reviewed on-site, or via webinars such that the data does not leave the protected environment.