Read our FAQs

HITRUST CSF Quality Assurance Reservation System

  • Are reservations required for HITRUST CSF Validated Assessments?
  • Do I need to make a reservation for a Bridge, Interim, or Readiness Assessment?
  • Where do I make a reservation?
  • How far out can I make a reservation?
All HITRUST CSF Quality Assurance Reservation System FAQs

HITRUST CSF Bridge Assessment and Certificate

  • How does a bridge assessment affect the interim assessment due date?
  • Why is the three-month period of the HITRUST CSF Bridge Certificate deducted from the organization’s next HITRUST CSF Certification?
  • What are examples of changes that are not alone typically significant enough to preclude performance of a HITRUST CSF Bridge Assessment?
  • What are examples of “significant changes” that might preclude performance of a HITRUST CSF Bridge Assessment?
All HITRUST CSF Bridge Assessment and Certificate FAQs

HITRUST CSF Framework

  • Should my organization pause or delay the process of starting a HITRUST CSF Assessment due to these upcoming changes?
  • What level of implementation will the HITRUST CSF incorporate for NIST SP 800-53r5 (Low, Moderate, High, and/or Privacy)?
  • Will NIST SP 800-53r5 impact the structure of the HITRUST CSF?
  • Will HITRUST be incorporating NIST SP 800-53r5 into the HITRUST CSF and when?
All HITRUST CSF Framework FAQs

MyCSF

  • Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?
  • Can the tool link to supporting documents rather than copy?
  • Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?
  • Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?
All MyCSF FAQs

CSF Assurance Program

  • How can I confirm an organization’s certification status?
  • What is the process for an organization to achieve HITRUST CSF Certification?
  • How many organizations have completed a HITRUST CSF Assessment?
  • If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?
All CSF Assurance Program FAQs

Accepting HITRUST CSF Certified Assessment Reports

  • What if my customer or vendor risk management outsourcer wants a proprietary questionnaire answered or assessment executed even though I am a HITRUST CSF assessed entity?
  • My customer is asking for an assessment scope different from what my organization currently has, either partially or fully. What do I do in this instance?
  • My customer has an issue with the perception of the assessor that performed my organization’s HITRUST CSF Validated Assessment. How do I address their concern?
  • Why does my customer want to perform on-site audits/assessment procedures even after accepting my HITRUST CSF Assessment/Certification and what can I do to prevent or minimize the impact of this?
All Accepting HITRUST CSF Certified Assessment Reports FAQs

Third-Party Assurance

  • If my Cloud Service Provider is HITRUST CSF Certified, does that mean my environment is as well?
  • Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?
  • Is a current SOC 2 acceptable for meeting the third-party assurance requirements?
  • Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?
All Third-Party Assurance FAQs

External Assessor Program

  • What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?
  • Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?
  • What is the difference between a HITRUST practitioner and a HITRUST External Assessor?
  • What are the costs associated with the Assessor program?
All External Assessor Program FAQs

HITRUST Threat Catalogue

  • How often will the HITRUST Threat Catalogue be updated?
  • What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?
  • How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?
  • How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?
All HITRUST Threat Catalogue FAQs

HITRUST Risk Management Framework

  • Is an interim review required to maintain your HITRUST CSF Certification for the NIST Cybersecurity Framework?
  • What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework?
  • Does a CSF Assurance assessment weight all controls equally?
  • Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?
All HITRUST Risk Management Framework FAQs

The HITRUST CSF

  • Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?
  • Is the scope of the HITRUST CSF too large for most organizations?
  • Does the HITRUST CSF take a “one-size-fits-all” approach to information security?
  • What are the goals for the HITRUST CSF?
All The HITRUST CSF FAQs

CSF Assurance Program and Certification

  • Does a CSF Assurance assessment weight all controls equally?
  • Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?
  • How often do I need to get a HITRUST CSF assessment report to support my third-party assurance requirements?
  • How can I use the CSF Assurance Program for third-party risk management?
All CSF Assurance Program and Certification FAQs

HITRUST and the NIST Cybersecurity Framework

  • Is an interim review required to maintain your HITRUST CSF Certification for the NIST Cybersecurity Framework?
  • What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework?
  • Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?
  • If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?
All HITRUST and the NIST Cybersecurity Framework FAQs

HITRUST CSF and SOC 2

  • Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?
All HITRUST CSF and SOC 2 FAQs

HITRUST CSF and NIST CSF

  • What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?
  • What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?
  • Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?
  • How long is HITRUST’s certification for the NIST Cybersecurity Framework valid?
All HITRUST CSF and NIST CSF FAQs

Interim Review

  • Will it be the same level of access as we get for full assessment submission?
  • Does the interim assessment need to be submitted by the yearly certification date, or is there an allowance for submission up to 60 days late?
  • If we have already completed the evidence sampling and review with our HITRUST assessor firm, do we need to use the memorandum interim submission or the HITRUST MyCSF interim submission?
  • How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?
All Interim Review FAQs

Control Maturity and Continuous Monitoring and Assessment

  • What is the role of continuous monitoring in the HITRUST scoring process?
  • Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?
  • What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?
  • How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?
All Control Maturity and Continuous Monitoring and Assessment FAQs
