In light of this new certification option, HITRUST is making just a few very small updates to the e1, i1, and r2 certification reports for assessments using v11.4.0 and later of the HITRUST CSF. The e1, i1, and r2 certification reports for assessments using v11.3.2 and earlier will not be changed.
In v11.4.0 and later, assessed entities will be asked to indicate which (if any) in-scope IT platforms feature AI capabilities (i.e., incorporate an AI model).
If any in-scope IT platforms do feature AI capabilities, the following will exist in the e1, i1, or r2 report. These two items will be present regardless of whether the assessed entity pursued the HITRUST AI Cybersecurity Certification.
- The report will indicate which in-scope IT platforms feature AI capabilities, alongside other inherent risk factor questions and responses (e.g., whether any in-scope IT platforms reside in the cloud).
- The report will indicate that the assessed entity may have a HITRUST AI security certification or validated report available.
If no in-scope IT platforms feature AI capabilities (i.e., incorporate an AI model), the report will indicate this fact alongside other inherent risk factor questions and responses.
Post your comment on this topic.