Read our Frequently Asked Questions

HITRUST Assessment Portfolio Expansion

  • Why did HITRUST need to add assessments to its portfolio? How do I know which one is appropriate to satisfy internal and external assurances and requests from third parties?
  • What is a “cybersecurity best practices” assessment, and how is it different from a “good security hygiene” assessment?
  • How do the new bC and i1 assessments compare in assurance and quality to the previous HITRUST CSF Validated Assessment (now called the r2)?
  • If I need to demonstrate compliance with HIPAA, which HITRUST assessment should I use?

HITRUST Implemented, 1-year (i1) Validated Assessment + Certification

  • What is the new HITRUST Implemented, 1-year (i1) Validated Assessment + Certification?
  • How much does an i1 Assessment cost?
  • When will HITRUST make the i1 Assessment available?
  • Will there be any training specifically for the i1 Assessment?

HITRUST Basic, Current-state (bC) Verified Self-Assessments

  • How do I start a Basic Current-state (bC) Assessment?
  • Can you do carve-outs with a bC Assessment?
  • How much does a bC Assessment cost?
  • Is the bC “tailorable”?

HITRUST Results Distribution System

  • When will the RDS be available?
  • What is the HITRUST Results Distribution System (RDS)?
  • What are the benefits the HITRUST Results Distribution System (RDS) delivers over the outdated process of sharing and consuming third-party assurance reports in PDF form?
  • How will Relying Parties who use Vendor Risk Management (VRM) systems benefit?

HITRUST MyCSF Compliance and Reporting Pack for HIPAA

  • What is the MyCSF Compliance and Reporting Pack for HIPAA?
  • When will the MyCSF Compliance and Reporting Pack for HIPAA be available?
  • Which versions of the HITRUST CSF does an assessment need to use to take advantage of the MyCSF Compliance and Reporting Pack for HIPAA?
  • Will the MyCSF Compliance and Reporting Pack for HIPAA work with any older versions of the CSF such as v9.1, v9.2, v9.3 or v9.4?

HITRUST Quality Assurance Reservation System

  • Do I need to make a reservation for Bridge, Interim, or Readiness Assessments?
  • Does the date of my Reservation represent the date that will appear on my Final Report and/or Certification?
  • Are reservations required for HITRUST Validated Assessments?
  • Where do I make a reservation?

HITRUST Bridge Assessment and Certificate

  • What is the HITRUST Bridge Assessment?
  • Is a Bridge Assessment only available for an r2 certification?
  • How does a Bridge Assessment affect the interim assessment due date?
  • Why is the three-month period of the HITRUST Bridge Certificate deducted from the organization’s next HITRUST Certification?

HITRUST CSF Framework

  • Will v9.6.0 and v9.5.2 both be in the HITRUST MyCSF platform?
  • What’s different between HITRUST CSF v9.6.0 and v9.5.2?
  • If an organization is in the process of starting an assessment in v9.5.2, should they re-evaluate and move to v9.6.0?
  • How will this impact existing v9.5.2 assessments in process?

MyCSF

  • Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?
  • Can the tool link to supporting documents rather than copy?
  • Is attaching a workpaper (w/p) or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?
  • Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?

HITRUST Assurance Program

  • How can I confirm an organization’s certification status?
  • What is the process for an organization to achieve HITRUST Certification?
  • How many organizations have completed a HITRUST Assessment?
  • If I’m HITRUST Certified, does that mean I’m HIPAA compliant?

Accepting HITRUST Certified Assessment Reports

  • What if my customer or vendor risk management outsourcer wants a proprietary questionnaire answered or assessment executed even though I am a HITRUST CSF assessed entity?
  • My customer is asking for an assessment scope different from what my organization currently has, either partially or fully. What do I do in this instance?
  • My customer has an issue with the perception of the assessor that performed my organization’s HITRUST CSF Validated Assessment. How do I address their concern?
  • Why does my customer want to perform on-site audits/assessment procedures even after accepting my HITRUST CSF Assessment/Certification and what can I do to prevent or minimize the impact of this?

Third-Party Assurance

  • If my Cloud Service Provider is HITRUST CSF Certified, does that mean my environment is as well?
  • Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?
  • Is a current SOC 2 acceptable for meeting the third-party assurance requirements?
  • Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?

External Assessor Program

  • What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?
  • Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?
  • What is the difference between a HITRUST practitioner and a HITRUST External Assessor?
  • What are the costs associated with the Assessor program?

HITRUST Threat Catalogue

  • How often will the HITRUST Threat Catalogue be updated?
  • What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?
  • How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?
  • How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?

HITRUST Risk Management Framework

  • Is an interim review required to maintain your HITRUST CSF Certification for the NIST Cybersecurity Framework?
  • What makes HITRUST a valid organization for issuing a certification against the NIST Cybersecurity Framework?
  • Does a CSF Assurance assessment weight all controls equally?
  • Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?

The HITRUST CSF

  • Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?
  • Is the scope of the HITRUST CSF too large for most organizations?
  • Does the HITRUST CSF take a “one-size-fits-all” approach to information security?
  • What are the goals for the HITRUST CSF?

HITRUST Assurance Program and Certification

  • Does a CSF Assurance assessment weight all controls equally?
  • Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?
  • How often do I need to get a HITRUST CSF assessment report to support my third-party assurance requirements?
  • How can I use the CSF Assurance Program for third-party risk management?

HITRUST and the NIST Cybersecurity Framework

  • Is an interim review required to maintain your HITRUST CSF Certification for the NIST Cybersecurity Framework?
  • What makes HITRUST a valid organization for issuing a certification against the NIST Cybersecurity Framework?
  • Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?
  • If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?

HITRUST CSF and SOC 2

  • Does a SOC 2 + HITRUST CSF examination assess all 135 HITRUST CSF controls, or only the controls required for HITRUST certification?

HITRUST CSF and NIST CSF

  • What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?
  • What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?
  • Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?
  • How long is HITRUST’s certification for the NIST Cybersecurity Framework valid?

Interim Review

  • Will it be the same level of access as we get for full assessment submission?
  • Does the interim assessment need to be submitted by the yearly certification date, or is there an allowance for submission up to 60 days late?
  • If we have already completed the evidence sampling and review with our HITRUST assessor firm, do we need to use the memorandum interim submission or the HITRUST MyCSF interim submission?
  • How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?

Control Maturity and Continuous Monitoring and Assessment

  • What is the role of continuous monitoring in the HITRUST scoring process?
  • Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?
  • What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?
  • How are HITRUST report findings different from those produced by security-rating vendors like SecurityScorecard and Bitsight?
