Frisco, TX, January 15, 2019 – HITRUST, in collaboration with the Quality Subcommittee of the HITRUST CSF Assessor Council, is announcing updates to the HITRUST CSF Assurance Program to provide greater transparency and ensure continued integrity relating to HITRUST CSF Assessments.

The HITRUST CSF Assurance Program is governed by a comprehensive set of requirements, which are regularly reviewed, and updates are key in maintaining the robust nature of the Program that provides unmatched reliability to internal and external stakeholders.

HITRUST established and maintains the standard for providing integrity, transparency, accuracy and scalability of information risk management reporting through its HITRUST CSF Assurance Program which delivers efficiencies and cost savings to the assessed organization through its ‘assess once – report many’ approach. Most standards and frameworks lack an assurance program, which creates inconsistency of results and a lack of transparency and validity. With the HITRUST CSF Assurance Program, management, as well as external audiences, such as clients, vendors and regulators can be assured of a high degree of accuracy, consistency and comprehensiveness of the information privacy and security controls reported in the HITRUST CSF Assessment report.

The updates to the HITRUST CSF Assurance Program being released today include:

1. Ensuring clarity of scope of an assessment – HITRUST Assurance Advisory 2019-01. Updated assessment scoping guidance will require assessors, working with the assessed entity, to include a more detailed description of each system covered in the assessment as well as specific details on the components for each system (e.g., operating system, database system); service offerings included in the system; and specifications for each service offering, such as what is in scope, what is not in scope, and what is partially in scope.
2. Change regarding the number of qualified HITRUST Certified CSF Practitioner (CCSFP) hours for HITRUST CSF Validated Assessments – HITRUST Assurance Advisory 2019-02. Changed to increase the CCSFP resources requirement on an assessment to at least 50% of assessment hours to ensure qualifications of resources performing assessments.
3. Providing direction for HITRUST Approved Assessor Organizations –HITRUST Assurance Advisory 2019-03. Additional guidance relating to assessor test plans and aligning those plans to HITRUST CSF implementation requirement statements. Including guidance on acceptable documentation to support the activities and procedures that were performed.

4. Changes to further ensure HITRUST Approved Assessor quality and consistency – HITRUST Assurance Advisory 2019-04. Changes to clarify the current requirement for assessors to perform independent quality assurance (QA) reviews of the assessment results, in addition to providing additional required training to those performing the QA review, and the completion of a checklist by the engagement executive and QA reviewer.

5. Changes related to Interim Reviews – HITRUST Assurance Advisory 2019- 05. Changes the name ‘Interim Reviews’ to ‘Interim Assessments’ and outlines additional rigor and assurance around the process, in addition to Interim Assessments must be performed within the HITRUST MyCSF tool.

Click here to find a complete list of HITRUST Assurance Advisories.

About HITRUST CSF Assessor Council – Quality Subcommittee

Established in January 2017, the Quality Subcommittee of the HITRUST CSF Assessor Council consists of industry leaders committed to ensuring the reliability of HITRUST assessments who periodically review industry standards to provide guidance to improve assessment criteria.

For inquiries regarding these updates, please contact us at support@hitrustalliance.net.