For i1 and e1 validated assessments, the External Assessors and Assessed Entities have two options to address situations in which a requirement statement is fully or partially performed by a service provider (such as by a cloud service provider):

  • The Inclusive method, whereby requirement statements performed by the service provider are included within the HITRUST assessment and addressed utilizing full or partial inheritance, reliance on third-party assurance reports, and/or direct testing (see Chapter 12 Reliance & Third-Party Coverage for additional details).
  • The Carve-out method, whereby requirement statements performed by the service provider remain included within the HITRUST assessment but marked as Not Applicable (N/A). The N/A includes supporting commentary that specifies that the requirement statement is fully performed by a party other than the Assessed Entity (for fully outsourced controls) or describes the excluded partial performance of the control (for partially outsourced controls).

NOTE: For all r2 assessments, the inclusive method must be used.

For i1 and e1 validated assessments utilizing the Carve-out method, the Scope of the Assessment details within MyCSF will be updated to reflect the carve-out. For example, under the “Services Outsourced for In-Scope Platforms and Facilities” table, the Assessed Entity and/or the External Assessor will select “Excluded” from the “Consideration in this Assessment” dropdown menu.

Applying the inclusive and carve-out methods for the same service provider within the same assessment object is not permitted (see Chapter 7.3 Carve-outs). Therefore, only one method can be selected for each service provider relevant to the Assessed Entity’s assessment scope.

For example, if an Assessed Entity’s infrastructure is hosted and managed by a CSP within an i1 or e1 assessment object, the Assessed Entity may decide to carve out the CSP. In this case, the following must be updated within the assessment object.

  1. Scope of the Assessment – In the “Platforms / Systems” table, the “Exclusions from Scope” column must be updated to reference the CSP.
  2. Scope of the Assessment – In the “Services Outsourced for In-scope Platforms and Facilities” table, the CSP must be added and “Excluded” should be selected within the menu dropdown in the “Consideration in this Assessment” column.
  3. All requirement statements that the CSP fully manages will be marked Not Applicable (N/A), and the N/A rationale should always note that the CSP is out of scope due to the carve-out approach.
  4. For all requirement statements that the excluded CSP partially manages, the Assessed Entity will assess and score only the portion of the requirement statement it performs itself, and will mark the portion performed by the CSP as N/A (with rationale describing the excluded partial performance, as above).