Third-Party Assurance FAQs
How can I use the CSF Assurance Program for third-party risk management?
The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in multiple ways, e.g., to support PCI SAQ development, the issuance of SOC 2 reports against specific AICPA Trust Services Principles, or scorecards of HIPAA or NIST Cybersecurity Framework compliance. Organizations using the CSF Assurance Program for third-party risk management experience significant reductions in cost and level of effort required to evaluate third-party reports or issue their own reports to their own stakeholders, including business partners and regulators. This is the fundamental reason why several large healthcare entities have moved from simply accepting HITRUST Validated and Certified Reports to requiring them.
How often do I need to get a report?
HITRUST CSF reports with Certification are valid for two years, provided that an interim review is successfully completed, no breach has occurred, and no significant changes have occurred in the scoped control environment. However, check with your business partner to ensure this meets their requirements as well.
References: CSF Assurance Program Requirements
What types of questions are there, and what information will we need to provide?
The HITRUST CSF Assessment questionnaire will ask about your organization’s information security practices in 19 major topical domains, such as the information protection program, endpoint protection, portable media security, third-party assurance, and risk management.
To gain an understanding of your organization’s risk profile, the questionnaire will ask you if:
- Specific requirements are addressed in organizational policy and standards,
- There are processes and procedures to support the implementation of the requirements,
- The requirements have been implemented consistently across the organization,
- The effectiveness of the controls is monitored (e.g., with a metric or other type of measurement), and
- The controls are actively managed based on this monitoring.
Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?
Organizations accepting ISO 27001 certification in lieu of CSF certification must still go through the traditional and demonstrably laborious process of comparing what is in the ISO report against the comprehensive, prescriptive and often granular requirements of the CSF. While this is an improvement over custom assessment questionnaires and the now-legacy SAS 70, the relying organization would still need to identify any gaps between the two reports (which will almost surely exist), request additional information from the ISO-certified entity, and then evaluate the response(s).
While an organization could conceivably accept ISO certification as a “first step” in the assurance process, it could not and should not rely solely on ISO certification. At some point the ISO-certified organization must demonstrate that the complete set of CSF control requirements relevant to it has been implemented appropriately, so that the relying organization can ascertain what residual risk(s) remain. Since this is best accomplished through the CSF Assurance Program, it makes sense, from both an economic and a resource perspective, to simply require a CSF validated or certified assessment from the outset.
Is a current SOC 2 acceptable for meeting the third-party assurance requirements?
It depends. The accepting organization will need to make a determination based on the scope of the examination and the trust service criteria being reported upon. While the current SOC 2 may be granted a waiver and accepted in the first year, it will be necessary to base future SOC 2 reports on the HITRUST CSF in order to fulfill the requirements of the program.
Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?
No. While a CPA firm can perform a SOC 2 based on the HITRUST CSF, per the requirements of the HITRUST CSF Assurance Program, only authorized assessors can issue reports that grant HITRUST CSF certification. We currently have a growing list of over 75 assessor firms. Many of these are CPA firms. If the current firm you use for your SOC 2 is not on the list, we would encourage you to ask what their plans are related to becoming an authorized HITRUST CSF assessor. Some may already be going through the process.
If my Cloud Service Provider is HITRUST CSF Certified, does that mean my environment is as well?
No. If a Cloud Service Provider (CSP) is HITRUST CSF Certified, it does not mean your environment hosted by that CSP is also certified for the following reasons:
- There could be control gaps, so it is still incumbent on you to perform thorough due diligence to evaluate how the CSP’s HITRUST CSF Certification addresses the security and privacy requirements associated with your own organization’s risk profile and/or regulatory and customer compliance needs.
- While there is a subset of controls for which only the CSP is responsible (for example, environmental security within a production datacenter), there are controls that remain solely your responsibility as the accountable party governing the data entrusted to you and how your users access and operate that cloud-hosted environment. Further, a significant portion of controls are shared, so you remain partially responsible for full coverage of control effectiveness.
For more information, you can download the HITRUST Shared Responsibility Matrix included in the HITRUST CSF download package and refer to the detailed set of common use-case scenarios defined in the HITRUST Shared Responsibility Model. For guidance on how to communicate the value of offering your cloud services hosted on a HITRUST CSF Certified environment, please contact HITRUST Support at firstname.lastname@example.org.
How do I understand the CSF Assessment report I have received?
HITRUST has created a document that explains the assessment report, how to interpret it, and how it can be used to complement and enhance your current processes.
How many questions, and how long will it take?
The HITRUST CSF Security Assessment Questionnaire generally includes between 120 and 328 questions, depending on how the risk factors are configured for the organization being assessed. The time it will take to complete the assessment varies with the time and resources the organization can devote to it.
Reference: HITRUST CSF Assessment Process