Preparing for ‘Rely-Able’™ Assurances
Readiness and third-party validated assessments and reports, created using our comprehensive framework, backed by the HITRUST CSF Assurance Program, and scored using our innovative PRISMA maturity model, provide assurances both internally and externally.
A HITRUST CSF Assessment provides organizations with a means to assess and communicate their current state of security and compliance with external entities along with CAPs to address any identified issues. An organization can, using the services of an Authorized External Assessor or by performing a readiness assessment, conduct an assessment against the HITRUST CSF and have the results reported by HITRUST under the HITRUST CSF Assurance Program. HITRUST CSF Assessments provide the assessed entity and the relying entity with a snapshot into the current state of security, privacy, and compliance of the assessed entity.
The HITRUST CSF Certification demonstrates that an organization is taking the most proactive approach to data protection and information risk mitigation. Find out more about how HITRUST combines Transparency, Accuracy, Consistency, and Integrity to create the most Rely-Able assurances.
The HITRUST Difference: What Makes a HITRUST CSF Assessment Unique
HITRUST CSF Framework
All assessments are customizable and built using our risk-based security and privacy controls framework, which maps to 46 authoritative sources and is regularly updated. Learn more.
HITRUST CSF Assurance Program
Providing prescriptive methodology and granular oversight, the HITRUST CSF Assurance Program ensures the consistency and quality of all HITRUST CSF Assessments. Learn more.
Authorized External Assessor Program
HITRUST trains and oversees a broad network of Authorized External Assessor organizations, ensuring that your organization can be confident in its decision to partner with any of our trusted professionals, offering everything from consulting services to third-party validation. Learn more.
PRISMA-based Maturity Model
Each prescriptive control requirement statement is scored using our innovative PRISMA-based maturity model, comprised of five maturity levels (Policy, Procedure, Implemented, Measured, and Managed) to lend clarity and insight into the maturity of your organization’s information risk management and compliance program. Evaluating Control Maturity Using the HITRUST Approach, our whitepaper, provides more information on how HITRUST CSF Assessments are scored.
Assurance Intelligence Engine
The Assurance Intelligence Engine™ adds a layer of automated, real-time checks that complement existing, manual reviews throughout the assessment process. The Assurance Intelligence Engine uses a patent-pending approach to analyze assessment documentation for oversights, inconsistencies, and errors that might otherwise jeopardize the integrity, accuracy, or consistency of information of final reports and deliverables. Learn More.
Reservation Based Quality Assurance (RBQA)
The Reservation System for HITRUST CSF Validated Assessments allows the HITRUST community to schedule a specific starting date to begin the QA process, which enables better submission planning, greater predictability, and added trackability.
HITRUST has spent the last 13 years architecting and implementing a comprehensive and fully integrated approach to information risk management and compliance assessment and reporting that provides a level of transparency, scalability, consistency, accuracy, integrity, and efficiency simply not obtainable through other approaches. HITRUST’s unique and comprehensive approach to information risk management and compliance – the HITRUST Approach – addresses all of these criteria to provide the most robust assurance option available. To learn about how HITRUST CSF Assessments compares to other assessment and reporting options as well as how they deliver on the aforementioned criteria, read How Do You Know if a CSF Assurance Report is ‘Rely-able’?
Types of Assessments
- HITRUST CSF Readiness Assessment – A self-attested assessment, often used to determine security posture and any potential remediation efforts in preparation for a future HITRUST CSF Validated Assessment. Though an External Assessor is not required, many organizations choose to leverage our network and obtain consulting services. HITRUST prepares and issues HITRUST CSF Readiness Assessment Reports.
- HITRUST CSF Validated Assessment – A third-party validated assessment, performed in partnership with an Authorized External Assessor organization then submitted to HITRUST for quality assurance review and issuance of a HITRUST CSF Validated Assessment Report. HITRUST CSF Certifications may be issued in conjunction with HITRUST CSF Validated Assessment Reports that meet scoring requirements. HITRUST CSF Validated Assessment Reports that do not meet HITRUST CSF Certification standards are valid for one year; HITRUST CSF Certifications are valid for two years, pending completion of a HITRUST CSF Interim Assessment at the one-year mark.
- HITRUST CSF Interim Assessment – Organizations with HITRUST CSF Certifications will need to perform a HITRUST CSF Interim Assessment at the one-year mark to keep their certification valid. This assessment is performed by an External Assessor and consists of a subset of originally assessed controls as well as progress updates on any required corrective action plans.
- HITRUST Bridge Assessment – HITRUST recognizes that some organizations may experience obstacles or delays while having a commitment to regulators, customers, and stakeholders to maintain a HITRUST CSF Certification. A HITRUST CSF Bridge Assessment allows organizations to maintain a form of HITRUST CSF Certification status for an additional 90 days, even if their validated assessment submission due date is missed.
Wondering what type of assessment is best for your organization? Take the quiz here.
Ready to get started? Your first step is identifying your security and privacy controls with the help of the HITRUST CSF Framework. Eligible organizations can download the HITRUST CSF at no cost and begin exploring.