HITRUST requires professional services firms and the individuals within those firms to meet certain requirements before receiving HITRUST’s approval to perform HITRUST CSF-related engagements as an Assessor. There are two types of Assessor organizations: External and Internal. Obtaining External or Internal Assessor status indicates that the Assessor has met the requirements to perform HITRUST assessments. Each HITRUST Assessor Organization must undergo a vetting process and demonstrate the capability to perform HITRUST assessments. The vetting process includes a review of the Assessor Organization’s policies and procedures and of the professional backgrounds of the individuals who will be performing assessments. In addition, there are two HITRUST certifications that individuals within an External or Internal Assessor firm may receive: Certified CSF Practitioner (CCSFP) and Certified HITRUST Quality Professional (CHQP). This Chapter specifies how an External or Internal Assessor firm may utilize individuals on a validated assessment, based on the certification each individual holds and the role they perform.
- CCSFP is a designation reserved for individuals who have completed the CCSFP training course, passed the certification exam, and met the background and experience requirements necessary to effectively use the HITRUST CSF. Such individuals typically work for a HITRUST External Assessor organization, an Assessed Entity, or a HITRUST licensed firm/practice that provides HITRUST consulting services.
- CHQP is a designation reserved for Certified CSF Practitioners who act in a quality assurance role on HITRUST assessment engagements, have completed the CHQP training course, and passed the CHQP certification exam. Such individuals typically work for a HITRUST External Assessor organization.
3.2.1 All External and Internal Assessors are required to maintain their knowledge of the HITRUST Assurance process, CSF methodology and framework by having a comprehensive understanding of this Assessment Handbook and corresponding Advisories.
External Assessors are organizations that have been approved by HITRUST to perform assessments and services associated with the HITRUST Assurance Program and the HITRUST CSF.
3.2.2 All External Assessor organizations must be approved by HITRUST via an application process. See External Assessors for more information on External Assessor requirements.
3.2.3 All External Assessors that will work on validated assessments must employ at least 5 CCSFPs and 2 CHQPs within their organization. HITRUST requires that the following engagement team members on a validated assessment hold the CCSFP designation:
- On-site team lead / manager responsible for assessment fieldwork
- Engagement executive
- Engagement quality assurance reviewer
3.2.4 The External Assessor Quality Assurance Review for a validated assessment must be performed by the engagement team’s quality assurance reviewer. This individual is required to hold both a CCSFP and CHQP designation.
3.2.5 The individual acting as a validated assessment’s CHQP may not perform any other duty on that assessment, such as client-facing engagement executive, fieldwork lead, etc. This requirement helps ensure that the External Assessor’s pre-submission quality review is performed with objectivity.
3.2.6 To ensure the team has an appropriate understanding of the HITRUST CSF and HITRUST Assurance program methodologies and tools, at least 50% of all validated assessment engagement hours must be performed by CCSFPs.
3.2.7 Both the engagement executive and the QA reviewer must sign off on the QA checklist upon completion of their corresponding review activities.
3.2.8 Professional services firms that will only work on readiness assessments and are not External Assessors will need to obtain a readiness license.
3.2.9 An organization that holds a readiness license must have at least two individuals who hold the CCSFP designation in order to maintain its license.
There are three defined roles within an External Assessor’s team that must be reported to HITRUST as part of a validated assessment, all of which must be subject matter experts in the field of information security and/or privacy and holders of HITRUST-issued certifications:
3.2.10 The Engagement Executive is the CCSFP who owns the relationship between the External Assessor firm and the Assessed Entity. This individual is expected to review and approve the engagement scope, the Test Plan, testing results, and testing documentation.
3.2.11 The Engagement Lead is the CCSFP responsible for the creation and execution of the Test Plan, performing / overseeing sampling, analyzing test results, leading walkthroughs and interviews, and coordinating the validated assessment’s day-to-day fieldwork.
3.2.12 The Quality Assurance Reviewer must be a CHQP who ensures that engagement execution meets internally defined and HITRUST-defined quality assurance requirements within this Handbook, including adequacy and completeness of the working papers, appropriate treatment of exceptions, and proper definition and application of scoping decisions.
Internal Assessors are those departments or business units that facilitate the HITRUST assessment process by performing readiness / self-assessment efforts or by performing testing on behalf of management of the Assessed Entity in advance of an External Assessor’s validated assessment fieldwork. Internal Assessor practitioners are in-house or outsourced CCSFPs who are typically positioned within, or engaged by, an Assessed Entity’s Internal Audit Department, but they may also be positioned within or engaged by any department that meets the objectivity requirements (see Chapter 3.3 Independence Requirements) and the resource qualification requirements and that has been approved by HITRUST (via the defined application process).
3.2.13 All Internal Assessors must be approved by HITRUST via an application process prior to External Assessors being able to rely on their work for a validated assessment. See Internal Assessors for more information.
3.2.14 The Internal Assessor must be competent with respect to the HITRUST CSF, the HITRUST Assurance Program Requirements, and the overall HITRUST validated assessment process.
3.2.15 Internal Assessor functions must consist of at least two individuals that hold the CCSFP designation.
As mentioned above, in advance of a validated assessment an Assessed Entity may perform assessment procedures against the HITRUST CSF internally using an Internal Assessor. The results of recently completed testing performed by Internal Assessors can—at the External Assessor’s discretion—be relied upon by the External Assessor to reduce the extent of the External Assessor’s direct testing. For further details around relying on Internal Assessor testing, see Chapter 12.4 Reliance on testing performed by the Assessed Entity.