Third-Party Assurance FAQs
If my Cloud Service Provider is HITRUST Certified, does that mean my environment is as well?
No. If a Cloud Service Provider (CSP) is HITRUST Certified, it does not mean your environment hosted by that CSP is also certified for the following reasons:
- There could be control gaps, so it is still incumbent upon you to perform thorough due diligence and evaluate how the CSP’s HITRUST Certification addresses the security and privacy requirements associated with your own organization’s risk profile and/or regulatory and customer compliance needs.
- While there is a subset of controls for which only the CSP is responsible (for example, environmental security within a production datacenter), there are controls that remain solely your responsibility as the accountable party governing the data entrusted to you and how your users access and operate that cloud-hosted environment. Further, a significant portion of the controls are shared, so you remain partially responsible for full coverage of control effectiveness.
For more information, you can download the HITRUST Shared Responsibility Matrix included in the HITRUST CSF download package and refer to the detailed set of common use-case scenarios defined in the HITRUST Shared Responsibility Model. For guidance on how to communicate the value of offering your cloud services hosted on a HITRUST Certified environment, please contact HITRUST Support at firstname.lastname@example.org.
Can I provide my ISO 27001 certification in lieu of HITRUST Certification for third-party assurance?
Organizations accepting ISO 27001 in lieu of HITRUST Certification must still go through the traditional and demonstrably laborious process of comparing and contrasting what is in the ISO report with what they expect from the comprehensive, prescriptive and often granular requirements of the CSF. While an improvement over custom assessment questionnaires and the now-legacy SAS 70, the relying organization would still need to identify any gaps between the two reports (which will almost surely exist), go through the process of requesting additional information from the ISO-certified entity, and then evaluate the response(s).
While an organization could conceivably accept ISO certification as a “first step” in the assurance process, it could not and should not rely solely on ISO certification. At some point the ISO-certified organization must demonstrate that the complete set of CSF control requirements relevant to it has been implemented appropriately if the relying organization is to ascertain what residual risk(s) remain. And since this is best accomplished through the HITRUST Assurance Program, it just makes sense, from both an economic and a resource perspective, to simply require a HITRUST Validated or Certified Assessment from the onset.
What types of questions are there, and what information will we need to provide?
The HITRUST Assessment questionnaire will ask about your organization’s information security practices in 19 major topical domains, such as information protection program, endpoint protection, portable media security, third-party assurance and risk management.
To gain an understanding of your organization’s risk profile, the questionnaire will ask you if:
- Specific requirements are addressed in organizational policy and standards,
- There are processes and procedures to support the implementation of the requirements,
- The requirements have been implemented consistently across the organization,
- The effectiveness of the controls is monitored (e.g., with a metric or other type of measurement), and
- The controls are actively managed based on this monitoring.
How do I understand the CSF Assessment report I have received?
HITRUST has created a document that explains the assessment report, how to interpret it, and how it can be used to complement and enhance your current processes.
How many questions, and how long will it take?
The HITRUST Security Assessment Questionnaire generally includes between 120 and 328 questions, depending on how the risk factors are configured for the organization being assessed. The amount of time it will take to complete the assessment varies depending on the amount of time and resources available.
How often do I need to get a report?
HITRUST r2 Reports with Certification are valid for two years, provided that an interim review is successfully completed, no breach has occurred, and no significant changes have occurred relating to the scoped control environment. HITRUST i1 Reports with Certification are valid for one year – there is no interim or bridge assessment available for the i1. However, check with your business partner to ensure this meets their requirements as well.
How can I use the HITRUST Assurance Program for third-party risk management?
The HITRUST Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in multiple ways, e.g., to support PCI SAQ development, the issuance of SOC 2 reports against specific AICPA Trust Services Principles, or scorecards of HIPAA or NIST Cybersecurity Framework compliance. Organizations using the HITRUST Assurance Program for third-party risk management experience significant reductions in cost and level of effort required to evaluate third-party reports or issue their own reports to their own stakeholders, including business partners and regulators. This is the fundamental reason why several large healthcare entities have moved from simply accepting HITRUST Validated and Certified Reports to requiring them.