HITRUST CSF™ Assessments

Have you received a letter from a top client indicating that you must become HITRUST CSF certified? Are you looking for a security and privacy framework that leverages other existing security requirements? The HITRUST CSF is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. The HITRUST CSF was built on the primary principles of ISO 27001/27002 and has evolved to align with a growing number of standards, regulations, and business requirements, including HIPAA, PCI DSS, NIST 800-53/800-171, GDPR, FTC Red Flags Rule, several state requirements, and more.

HITRUST CSF Assessments

Why Work with KirkpatrickPrice?

Going through a HITRUST CSF assessment can be overwhelming and challenging, but when you partner with KirkpatrickPrice, it doesn’t have to be. KirkpatrickPrice is an authorized CSF Assessor with KirkpatrickPrice’s Information Security Auditors who are senior-level experts across many disciplines, holding certifications like CCSFP, CISSP, and CISA. Contact KirkpatrickPrice today for help with establishing a relationship with HITRUST and getting started on your HITRUST compliance journey.

HITRUST CSF FAQs

What are the different types of HITRUST CSF assessments?

Choosing what type of HITRUST CSF assessment to do can be a daunting task, especially when an organization is doing this audit for the first time. HITRUST CSF assessment options include:

SOC 2 Type II with HITRUST CSF Mapping – A SOC 2 Type II with HITRUST CSF mapping is an assessment that came from a collaboration between the AICPA and HITRUST. This assessment culminates in a SOC 2 report that includes a table that maps the selected Trust Services Criteria to HITRUST CSF controls.

SOC 2 Type II with HITRUST CSF Criteria – A SOC 2 Type II audit can be performed using the HITRUST controls and criteria instead of the Trust Services Criteria. In this case, the organization still receives a SOC 2 report, not HITRUST CSF certification.

SOC 2 Type II and HITRUST CSF Certification – When a SOC 2 Type II report and HITRUST CSF certification is required, organizations have the ability to combine these two audits into one effort. At the end of the audit process, the organization receive both a SOC 2 Type II audit report and HITRUST CSF validated report.

HITRUST CSF Self-Assessment – A HITRUST CSF self-assessment is a great way to begin your HITRUST compliance. This option is your own evaluation and attestation of your organization’s compliance, completed in 90 days and culminating in a report.

HITRUST CSF Validated Assessment (Certification) – A HITRUST CSF validated assessment is performed by an approved CSF Assessor, like KirkpatrickPrice. Validated assessments include a HITRUST CSF self-assessment in which you answer questions and attest to your compliance, followed by a CSF Assessor validating your controls against what you have said is in place, and HITRUST granting certification.

How much does a HITRUST CSF assessment cost?

Pricing for HITRUST CSF assessments depends on scoping factors, including the number of applicable HITRUST requirement statements, applicable regulatory factors, complexity and size of the physical and technical environment, previous HITRUST history, the assessment type, third parties, number of records held, and if the assessment is combined with any other audits. Pricing will also vary based on the assessment and report type you choose, inclusion of a gap analysis, or inclusion of additional remediation time.

How long does a HITRUST CSF take to complete?

The timeline of a HITRUST CSF assessment varies based on the report type and how much remediation time is needed. After readiness preparation and in the case of HITRUST CSF certification, on average, it takes about nine weeks of working with an Information Security Auditor before you can submit your assessment to HITRUST for their review.

How long is a HITRUST CSF report valid? How often does a HITRUST CSF assessment need to be performed?

A HITRUST CSF validated report is valid for two years, but what sets the HITRUST CSF apart from other frameworks is that the audit process isn’t a one-time engagement. It’s a continuous work-in-progress to maintain compliance. Recognizing this, part of the HITRUST CSF certification process includes an interim assessment, a review that takes place exactly a year after the initial HITRUST CSF validated assessment takes place.

Click for More HITRUST CSF FAQs

What is a HITRUST Interim Assessment?

How do you a scope a HITRUST CSF assessment?

Who is involved in a HITRUST CSF assessment?

Is HITRUST only for the healthcare industry?

What’s the difference between HIPAA and HITRUST?

How Could a HITRUST CSF Assessment Benefit Your Organization?

HITRUST CSF certification demonstrates a high level of due diligence that you are doing everything you possibly can to protect the data for which you are responsible. If you’re managing sensitive data, it’s critical to protect yourself from risk in order to maintain a strong relationship with your clients who are also trying to mitigate their risks.

HITRUST CSF Validated Security Assessment Report