HITRUST CSF FAQs
What are the different types of HITRUST CSF assessments?
HITRUST CSF assessments come in two basic types: self-assessment and validated assessment. Choosing which type of HITRUST CSF assessment to pursue can be a daunting task, especially when an organization is undergoing this audit for the first time. HITRUST CSF assessment options include:
SOC 2 Type II with HITRUST CSF Mapping – A SOC 2 Type II with HITRUST CSF mapping is an assessment that came from a collaboration between the AICPA and HITRUST. This assessment culminates in a SOC 2 report that includes a table that maps the selected Trust Services Criteria to HITRUST CSF controls.
SOC 2 Type II with HITRUST CSF Criteria – A SOC 2 Type II audit can be performed using the HITRUST controls and criteria instead of the Trust Services Criteria. In this case, the organization still receives a SOC 2 report, not HITRUST CSF certification.
SOC 2 Type II and HITRUST CSF Certification – When both a SOC 2 Type II report and HITRUST CSF certification are required, organizations have the ability to combine these two audits into one effort. At the end of the audit process, the organization receives both a SOC 2 Type II audit report and a HITRUST CSF validated report.
HITRUST CSF Self-Assessment – A HITRUST CSF self-assessment is a great way to begin your HITRUST compliance. This option is your own evaluation and attestation of your organization’s compliance, completed in 90 days, and culminating in a report.
HITRUST CSF Validated Assessment (Certification) – A HITRUST CSF validated assessment is performed by an approved CSF Assessor, like KirkpatrickPrice. Validated assessments include a HITRUST CSF self-assessment in which you answer questions and attest to your compliance, followed by a CSF Assessor validating your controls against what you have said is in place, and HITRUST granting certification.
How much does a HITRUST CSF assessment cost?
Pricing for HITRUST CSF assessments depends on scoping factors, including the number of applicable HITRUST requirement statements, applicable regulatory factors, complexity and size of the physical and technical environment, previous HITRUST history, the assessment type, third parties, number of records held, and if the assessment is combined with any other audits. Pricing will also vary based on the assessment and report type you choose, inclusion of a gap analysis, or inclusion of additional remediation time.
How long does a HITRUST CSF assessment take to complete?
The timeline of a HITRUST CSF assessment varies based on the report type and how much remediation time is needed. In the case of HITRUST CSF certification, after readiness preparation it takes, on average, about nine weeks of working with an Information Security Auditor before you can submit your assessment to HITRUST for their review.
How long is a HITRUST CSF report valid? How often does a HITRUST CSF assessment need to be performed?
A HITRUST CSF validated report is valid for two years, but what sets the HITRUST CSF apart from other frameworks is that the audit process isn’t a one-time engagement. It’s a continuous work-in-progress to maintain compliance. Recognizing this, the HITRUST CSF certification process includes an interim assessment, a review that takes place exactly one year after the initial HITRUST CSF validated assessment.