Preparing for ‘Rely-able’ Assurances
Readiness and third-party validated assessments and reports, created using our comprehensive framework, backed by the HITRUST CSF Assurance Program, and scored using our innovative PRISMA maturity model, provide assurances both internally and externally.
A HITRUST Assessment provides organizations with a means to assess their current state of security and compliance and communicate it to external entities, along with corrective action plans (CAPs) to address any identified issues. An organization can, using the services of an Authorized External Assessor or by performing a readiness assessment, conduct an assessment against the HITRUST CSF and have the results reported by HITRUST under the HITRUST CSF Assurance Program. HITRUST Assessments provide the assessed entity and the relying entity with a snapshot of the current state of security, privacy, and compliance of the assessed entity.
The HITRUST Difference: What Makes a HITRUST Assessment Unique
HITRUST CSF Framework
All assessments are customizable and built using our risk-based security and privacy controls framework, which maps to 46 authoritative sources and is regularly updated.
HITRUST CSF Assurance Program
Providing prescriptive methodology and granular oversight, the HITRUST CSF Assurance Program ensures the consistency and quality of all HITRUST Assessments.
Authorized External Assessor Program
HITRUST trains and oversees a broad network of Authorized External Assessor organizations, ensuring that your organization can be confident in its decision to partner with any of our trusted professionals, offering everything from consulting services to third-party validation.
PRISMA-based Maturity Model
Each prescriptive control requirement statement is scored using our innovative PRISMA-based maturity model, comprised of five maturity levels (Policy, Procedure, Implemented, Measured, and Managed) to lend clarity and insight into the maturity of your organization’s information risk management and compliance program. Evaluating Control Maturity Using the HITRUST Approach, our whitepaper, provides more information on how HITRUST Assessments are scored.
Assurance Intelligence Engine
The Assurance Intelligence Engine™ adds a layer of automated, real-time checks that complement existing manual reviews throughout the assessment process. The Assurance Intelligence Engine uses a patent-pending approach to analyze assessment documentation for oversights, inconsistencies, and errors that might otherwise jeopardize the integrity, accuracy, or consistency of information in final reports and deliverables.
Reservation Based Quality Assurance (RBQA)
The Reservation System for HITRUST Assessments allows the HITRUST community to schedule a specific starting date to begin the QA process, which enables better submission planning, greater predictability, and added trackability. Final Reports and Certifications will continue to be dated using the date that appears on the Management Representation Letter.
NEW Results Distribution System (RDS) (Initial Release Planned by End of 2021)
The RDS addresses the highly inefficient process of obtaining, interpreting, and analyzing assessment results from third-party vendors. It allows assessed entities to share assessment results through a highly secure web portal or API so that relying parties can more easily find and view the information they need to make better-informed decisions faster.
HITRUST has spent the last 13 years architecting and implementing a comprehensive and fully integrated approach to information risk management and compliance assessment and reporting that provides a level of transparency, scalability, consistency, accuracy, integrity, and efficiency simply not obtainable through other approaches. HITRUST’s unique and comprehensive approach to information risk management and compliance – the HITRUST Approach – addresses all of these criteria to provide the most robust assurance option available. To learn how HITRUST Assessments compare to other assessment and reporting options, as well as how they deliver on the aforementioned criteria, read How Do You Know if a CSF Assurance Report is ‘Rely-able’?
On October 6, 2021, HITRUST announced a major expansion of its assessment portfolio to raise the quality and efficiency of assurances across the spectrum of information assurance needs. Preview the upcoming enhancements available at the end of 2021.
Current Types of Assessments
- HITRUST CSF Readiness Assessment – A self-attested assessment, often used to determine security posture and any potential remediation efforts in preparation for a future HITRUST CSF Validated Assessment. Though an External Assessor is not required, many organizations choose to leverage our network and obtain consulting services. HITRUST prepares and issues HITRUST CSF Readiness Assessment Reports.
- HITRUST CSF Validated Assessment – A third-party validated assessment, performed in partnership with an Authorized External Assessor organization and then submitted to HITRUST for quality assurance review and issuance of a HITRUST CSF Validated Assessment Report. HITRUST CSF Certifications may be issued in conjunction with HITRUST CSF Validated Assessment Reports that meet scoring requirements. HITRUST CSF Validated Assessment Reports that do not meet HITRUST CSF Certification standards are valid for one year; HITRUST CSF Certifications are valid for two years, pending completion of a HITRUST CSF Interim Assessment at the one-year mark.
- HITRUST CSF Interim Assessment – Organizations with HITRUST CSF Certifications will need to perform a HITRUST CSF Interim Assessment at the one-year mark to keep their certification valid. This assessment is performed by an External Assessor and consists of a subset of originally assessed controls as well as progress updates on any required corrective action plans.
- HITRUST Bridge Assessment – HITRUST recognizes that some organizations may experience obstacles or delays while having a commitment to regulators, customers, and stakeholders to maintain a HITRUST CSF Certification. A HITRUST CSF Bridge Assessment allows organizations to maintain a form of HITRUST CSF Certification status for an additional 90 days, even if their validated assessment submission due date is missed.