Read our FAQs
HITRUST CSF Bridge Assessment and Certificate
- How does a bridge assessment affect the interim assessment due date?
- Why is the three-month period of the HITRUST CSF Bridge Certificate deducted from the organization’s next HITRUST CSF Certification?
- What are examples of changes that, on their own, are typically not significant enough to preclude performance of a HITRUST CSF Bridge Assessment?
- What are examples of “significant changes” that might preclude performance of a HITRUST CSF Bridge Assessment?
HITRUST CSF Framework
- Should my organization pause or delay the process of starting a HITRUST CSF Assessment due to these upcoming changes?
- What level of implementation will the HITRUST CSF incorporate for NIST SP 800-53r5 (Low, Moderate, High, and/or Privacy)?
- Will NIST SP 800-53r5 impact the structure of the HITRUST CSF?
- Will HITRUST be incorporating NIST SP 800-53r5 into the HITRUST CSF and when?
MyCSF
- Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?
- Can the tool link to supporting documents rather than copy?
- Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?
- Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?
CSF Assurance Program
- How can I confirm an organization's certification status?
- What is the process for an organization to achieve HITRUST CSF Certification?
- How many organizations have completed a HITRUST CSF Assessment?
- If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?
Third-Party Assurance
- If my Cloud Service Provider is HITRUST CSF Certified, does that mean my environment is as well?
- Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?
- Is a current SOC 2 acceptable for meeting the third-party assurance requirements?
- Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?
External Assessor Program
- What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?
- Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?
- What is the difference between a HITRUST practitioner and a HITRUST External Assessor?
- What are the costs associated with the Assessor program?
HITRUST Threat Catalogue
- How often will the HITRUST Threat Catalogue be updated?
- What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?
- How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?
- How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?
HITRUST Risk Management Framework
- Is an interim review required to maintain your HITRUST CSF Certification for the NIST Cybersecurity Framework?
- What makes HITRUST a valid organization for issuing a certification against the NIST Cybersecurity Framework?
- Does a CSF Assurance assessment weight all controls equally?
- Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?
The HITRUST CSF
- Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?
- Is the scope of the HITRUST CSF too large for most organizations?
- Does the HITRUST CSF take a “one-size-fits-all” approach to information security?
- What are the goals for the HITRUST CSF?
CSF Assurance Program and Certification
- Does a CSF Assurance assessment weight all controls equally?
- Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?
- How often do I need to get a HITRUST CSF assessment report to support my third-party assurance requirements?
- How can I use the CSF Assurance Program for third-party risk management?
HITRUST and the NIST Cybersecurity Framework
- Is an interim review required to maintain your HITRUST CSF Certification for the NIST Cybersecurity Framework?
- What makes HITRUST a valid organization for issuing a certification against the NIST Cybersecurity Framework?
- Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?
- If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?
HITRUST CSF and SOC 2
- Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?
HITRUST CSF and NIST CSF
- What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?
- What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?
- Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?
- How long is HITRUST’s certification for the NIST Cybersecurity Framework valid?
Interim Review
- Will it be the same level of access as we get for full assessment submission?
- Does the interim assessment need to be submitted by the yearly certification date, or is there an allowance for submission up to 60 days late?
- If we have already completed the evidence sampling and review with our HITRUST assessor firm, do we need to use the memorandum interim submission or the HITRUST MyCSF interim submission?
- How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?
Control Maturity and Continuous Monitoring and Assessment
- What is the role of continuous monitoring in the HITRUST scoring process?
- Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?
- What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?
- How are HITRUST report findings different from those of vendors like SecurityScorecard and BitSight?