Before starting the certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the certification process, please select a HITRUST Assessor. Once you select an Assessor, you will need to purchase a validated assessment from HITRUST. Complete the validated assessment using the MyCSF tool and then the Assessor will perform the validation/audit work. Please note access to the MyCSF is granted for 90 days. Once the Assessor’s work is complete, it submits to HITRUST for review. HITRUST will create a report and, depending on the scores in the report, will issue a letter of certification.

Note: HITRUST strongly recommends organizations conduct readiness assessments against all 135 CSF controls (149 if the CSF is used to support the organization’s privacy program), rather than only those controls required for certification. This will help ensure both the approved HITRUST CSF Assessor and the assessed organization are always aware of the status of the information protection program and can readily support a CSF controls assessment, regardless of type (e.g., a security assessment used for certification or a comprehensive security assessment used to generate a regulatory scorecard).

For more information, refer to the HITRUST CSF Assurance Program Requirements brochure.


Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment