Requirement statements form the basis of a HITRUST assessment. The assessment’s requirement statements are the information protection requirements expected of each Assessed Entity.

Each requirement statement in an assessment includes specific illustrative procedures. The illustrative procedures provide additional context for evaluating the requirement statement at each maturity level (see Chapter 9 PRISMA Maturity Levels). External Assessors should leverage the illustrative procedures to establish consistency and repeatability in their assessment procedures.

8.1.1 External Assessors must use the illustrative procedures as the basis for their more detailed assessment Test Plans (see Chapter 13.5 Test Plan) to evaluate the Assessed Entity’s compliance at each maturity level.

Requirement statements included in an assessment will vary based on the assessment type and/or responses to the factor questions. When an Assessed Entity responds to the factor questions within an r2 readiness or validated assessment, MyCSF will add or remove requirement statements from that assessment based upon the corresponding inherent risk. Including optional Compliance Factor(s) in an r2 readiness or validated assessment adds requirement statements based upon mappings to the selected authoritative source (e.g., HIPAA, NIST 800-53, FedRAMP, etc.). Once the factors have been entered and the r2 assessment is built, the Assessed Entity has an assessment that contains its own unique set of requirement statements, each of which must be scored and tested in order to complete the assessment.

For i1 and e1 assessments, there are no scoping or compliance factors, so the assessment already includes the requirement statements to be addressed during the assessment. These are based on pre-set controls that leverage security best practices and threat intelligence data.

Each requirement statement in an r2, i1, or e1 assessment contains one or more elements expected to be addressed during scoring and External Assessor testing. Depending on the type and version of the assessment, the location and enumeration of the elements may differ.

For r2 assessment types:

  • CSF versions prior to 11.0: The evaluative elements are contained in the illustrative procedures for the Policy PRISMA level (these may not be enumerated in certain versions).
  • CSF version 11.0: The evaluative elements are contained and enumerated in each requirement statement.

For all i1 and e1 assessment types, the evaluative elements are contained and enumerated in each requirement statement.

8.1.2 Regardless of the assessment type or CSF version, ALL evaluative elements in each requirement statement in an assessment must be addressed.