Read our Frequently Asked Questions

HITRUST MyCSF Compliance and Reporting Pack for HIPAA

  • What is the MyCSF Compliance and Reporting Pack for HIPAA?
  • When will the MyCSF Compliance and Reporting Pack for HIPAA be available?
  • Which versions of the HITRUST CSF does an assessment need to use to take advantage of the MyCSF Compliance and Reporting Pack for HIPAA?
  • Will the MyCSF Compliance and Reporting Pack for HIPAA work with any older versions of the CSF such as v9.1, v9.2, v9.3 or v9.4?

HITRUST CSF Quality Assurance Reservation System

  • Does the date of my Reservation represent the date that will appear on my Final Report and/or Certification?
  • Are reservations required for HITRUST CSF Validated Assessments?
  • Do I need to make a reservation for a Bridge, Interim, or Readiness Assessment?
  • Where do I make a reservation?

HITRUST CSF Bridge Assessment and Certificate

  • How does a bridge assessment affect the interim assessment due date?
  • Why is the three-month period of the HITRUST CSF Bridge Certificate deducted from the organization’s next HITRUST CSF Certification?
  • What are examples of changes that, on their own, are typically not significant enough to preclude performance of a HITRUST CSF Bridge Assessment?
  • What are examples of “significant changes” that might preclude performance of a HITRUST CSF Bridge Assessment?

HITRUST CSF Framework

  • Will v9.5.0 and v9.4 both be in MyCSF?
  • What’s different between v9.4 and v9.5.0?
  • If an organization is in the process of starting an Assessment in v9.4, should they re-evaluate and move to v9.5.0?
  • How will this impact existing v9.4 Assessments in process?

MyCSF

  • Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?
  • Can the tool link to supporting documents rather than copy?
  • Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?
  • Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?

CSF Assurance Program

  • How can I confirm an organization's certification status?
  • What is the process for an organization to achieve HITRUST CSF Certification?
  • How many organizations have completed a HITRUST CSF Assessment?
  • If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?

Accepting HITRUST CSF Certified Assessment Reports

  • What if my customer or vendor risk management outsourcer wants a proprietary questionnaire answered or assessment executed even though I am a HITRUST CSF assessed entity?
  • My customer is asking for an assessment scope different from what my organization currently has, either partially or fully. What do I do in this instance?
  • My customer has an issue with the perception of the assessor that performed my organization’s HITRUST CSF Validated Assessment. How do I address their concern?
  • Why does my customer want to perform on-site audits/assessment procedures even after accepting my HITRUST CSF Assessment/Certification and what can I do to prevent or minimize the impact of this?

Third-Party Assurance

  • If my Cloud Service Provider is HITRUST CSF Certified, does that mean my environment is as well?
  • Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?
  • Is a current SOC 2 acceptable for meeting the third-party assurance requirements?
  • Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?

External Assessor Program

  • What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?
  • Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?
  • What is the difference between a HITRUST practitioner and a HITRUST External Assessor?
  • What are the costs associated with the Assessor program?

HITRUST Threat Catalogue

  • How often will the HITRUST Threat Catalogue be updated?
  • What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?
  • How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?
  • How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?

HITRUST Risk Management Framework

  • Is an interim review required to maintain your HITRUST CSF Certification for the NIST Cyber Security Framework?
  • What makes HITRUST a valid organization for issuing a certification against the NIST Cybersecurity Framework?
  • Does a CSF Assurance assessment weight all controls equally?
  • Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?

The HITRUST CSF

  • Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?
  • Is the scope of the HITRUST CSF too large for most organizations?
  • Does the HITRUST CSF take a “one-size-fits-all” approach to information security?
  • What are the goals for the HITRUST CSF?

CSF Assurance Program and Certification

  • Does a CSF Assurance assessment weight all controls equally?
  • Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?
  • How often do I need to get a HITRUST CSF assessment report to support my third-party assurance requirements?
  • How can I use the CSF Assurance Program for third-party risk management?

HITRUST and the NIST Cybersecurity Framework

  • Is an interim review required to maintain your HITRUST CSF Certification for the NIST Cyber Security Framework?
  • What makes HITRUST a valid organization for issuing a certification against the NIST Cybersecurity Framework?
  • Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?
  • If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?

HITRUST CSF and SOC 2

  • Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?

HITRUST CSF and NIST CSF

  • What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?
  • What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?
  • Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?
  • How long is HITRUST’s certification for the NIST Cybersecurity Framework valid?

Interim Review

  • Will it be the same level of access as we get for full assessment submission?
  • Does the interim assessment need to be submitted by the yearly certification date, or is there an allowance for submission up to 60 days late?
  • If we have already completed the evidence sampling and review with our HITRUST assessor firm, do we need to use the memorandum interim submission or the HITRUST MyCSF interim submission?
  • How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?

Control Maturity and Continuous Monitoring and Assessment

  • What is the role of continuous monitoring in the HITRUST scoring process?
  • Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?
  • What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?
  • How are HITRUST report findings different from those of vendors like SecurityScorecard and BitSight?
