What to Expect from Your First HITRUST CSF Assessment

by Sarah Harvey / June 22nd, 2018

First-Time HITRUST CSF Assessment

Have you been thinking about engaging in a HITRUST CSF assessment? Have you been approached about getting HITRUST CSF certified? Are you wondering what the timeframe for a HITRUST CSF assessment looks like? Do you want to learn about the responsibilities and expectations that you, your assessor, and HITRUST will face during an assessment? In this webinar, Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice, and Shannon Lane, Information Security Specialist with KirkpatrickPrice, will answer these questions and more to give you the steps needed to start your HITRUST CSF compliance journey.

How Can I Prepare for a HITRUST CSF Assessment?

For organizations that are just beginning their HITRUST CSF assessment journey, we suggest following these three steps:

  1. Identify Your Level of Readiness: What frameworks do you already follow – ISO 27001/27002, NIST 800-53, PCI DSS, SOC 1, or SOC 2? Do you have policies and procedures documented and in place? Are you starting with a HITRUST self-assessment? Is this your first compliance effort?
  2. Establish and Narrow Your Scope: Do you have a data inventory? Do you understand what data you have and how it moves? Do you have your data mapped? Do you have good data retention procedures? Do you understand where all of your data resides? How is it maintained? What compliance standards do you want to incorporate into your HITRUST CSF assessment?
  3. Determine the Assessment and Report Type Needed: What are your clients requiring of you? Are they asking you to have HITRUST CSF certification, a validated assessment, or self-assessment?

What is the Timeline for a HITRUST CSF Assessment?

The timeline for a first-time HITRUST CSF assessment varies depending on the maturity of your information security program. For organizations with an immature information security program, we believe that the remediation period will, and should, take 180 days. For organizations with a more mature information security program, or organizations that already have NIST, ISO, or PCI DSS controls in place, we believe that the remediation period could take about 60 days. Nevertheless, the length of a remediation period ultimately depends on the time it takes to fix the issues identified during the gap analysis and self-assessment. If an organization rushes through its remediation period, it can still obtain a validated assessment, but its chances of becoming HITRUST CSF certified decrease significantly.

Download the full webinar to learn more about what you can expect from a first-time HITRUST CSF assessment. For more information about HITRUST CSF assessments and how KirkpatrickPrice can assist you in meeting your compliance goals, contact us today.