Before starting the certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the certification process, please select a HITRUST Assessor. Once you select an Assessor, you will need to purchase a validated assessment from HITRUST. Complete the validated assessment using the MyCSF tool and then the Assessor will perform the validation/audit work. Please note access to the MyCSF is granted for 90 days. Once the Assessor’s work is complete, it submits to HITRUST for review. HITRUST will create a report and, depending on the scores in the report, will issue a letter of certification.
Note: HITRUST strongly recommends organizations conduct readiness assessments against all 135 CSF controls (149 if the CSF is used to support the organization’s privacy program), rather than only those controls required for certification. This will help ensure both the approved HITRUST CSF Assessor and the assessed organization are always aware of the status of the information protection program and can readily support a CSF controls assessment, regardless of type (e.g., a security assessment used for certification or a comprehensive security assessment used to generate a regulatory scorecard).
For more information, refer to the HITRUST CSF Assurance Program Requirements brochure.