In addition to minor wording updates and clarification, the changes between version 1.1 and version 1.2 of the Assessment Handbook include the key modifications summarized in the table below.
| Chapter | Modification |
|---|---|
| 4.2 Validated Assessments | Added “In an i1 or e1 validated assessment, the requirement statement scores for any added authoritative sources do not impact scoring towards achievement of the underlying i1 or e1 certification.” to the 3rd paragraph (this is not a change from current process) |
| 6.5 Scope of the Assessment | Added criterion 6.5.2 to clarify that the scope entered into the scoping webform must align with the scope reported in the certification. |
| 6.7 Factors | Added 6.7.5 to clarify the current process around scoring for an i1 or e1 when an authoritative source is added as a factor. |
| 7.1 Assessment Scoping | Added a bullet to the top of the list of scoping considerations: “Expectations of the Assessed Entity’s security program by the Assessed Entity, stakeholders relying on the Assessed Entity, and general public”. |
| 7.2 Required Scope Components | 7.2.13: Added wording in the example to assist with interpretation. |
| 7.2 Required Scope Components | 7.2.15: Added a bullet to the top of the list of expectations when using a bastion host, jump server, or VDI and excluding those endpoints from testing. Note that the expectation that the technology restricts data from leaving the environment is not a change from prior expectations. |
| 7.2 Required Scope Components | 7.2.16: Added “However, the technology they enable (e.g., USB devices, CD/DVD burners) should be considered when evaluating requirements within this domain.” at the end of the note around use of laptops to clarify. |
| 8.2 Alternate Controls | Added wording in this chapter to assist with interpretation. Updated wording from ‘compensating’ control to ‘alternate’ control to reflect that any variation in the control being applied must address the same risks the current control addresses. |
| 8.3 Not Applicable (N/A) Requirement Statements | Updated wording at the end of the chapter to include references to the new Appendix ‘A-20’. |
| 11.1 Testing Approach | 11.1.6: Added this criterion to reflect the current HITRUST evidence expectation when testing on-site observations (this is not a change from current HITRUST QA expectations). |
| 11.3 Working Papers & Evidence | 11.3.8: Added “The evidence supporting any observation and/or inspection must be uploaded into MyCSF.” to clarify QA expectations (not a change from the current expected process). |
| 11.3 Working Papers & Evidence | Added a section at the end of 11.3 titled “Evidence Generated by Intermediate Software Platforms” which includes additional criteria 11.3.17 through 11.3.26. These new criteria provide guidance to External Assessors on the procedures that must be performed on evidence when it is generated by an intermediate software platform and provided directly into MyCSF. |
| 11.4 Population & Sampling | In paragraph above 11.4.7, changed ‘collection’ to ‘generation’. |
| 11.4 Population & Sampling | 11.4.7: Modified the criterion to avoid the use of only older evidence to validate operation of the control. Changes include: the minimum 90-day population must consist of consecutive days; an additional criterion covers 180 days if the entire population used is older than 180 days; and example scenarios were added to clarify further. |
| 11.4 Population & Sampling | 11.4.7: Added a sentence to clarify and confirm that External Assessors may test “time-based” controls meeting this evidence criteria prior to the start of the fieldwork period. (not a change from current process) |
| 12.2 Reliance on Assessment Results Using Inheritance | 12.2.1: Updated wording to align the use of inheritance with the new status designations in a certification. |
| 12.2 Reliance on Assessment Results Using Inheritance | 12.2.4: New criteria restricting the use of internal inheritance on an expiring assessment without HITRUST approval. |
| 12.2 Reliance on Assessment Results Using Inheritance | 12.2.5: New criteria restricting the use of inheritance on identical assessment scopes and types to avoid continually extending a certification using inheritance. |
| 12.2 Reliance on Assessment Results Using Inheritance | 12.2.22: New criteria requiring an inheritance provider to use the latest HITRUST certification for inheritance (when there is more than one certification of an identical scope and assessment type). |
| 12.3 Reliance on Audits and/or Assessments Performed by a Third-Party | 12.3.4: Added a NOTE on the HITRUST expectation for relying on a third-party report when the report has not yet been issued but the audit has been completed. |
| 12.3 Reliance on Audits and/or Assessments Performed by a Third-Party | 12.3.8: Added an example. |
| 12.3 Reliance on Audits and/or Assessments Performed by a Third-Party | 12.3.10: Added ‘publicly available’ since HITRUST’s expectation of a professional standard is that it is widely available for the general public to review and/or utilize. |
| 12.3 Reliance on Audits and/or Assessments Performed by a Third-Party | 12.3.11: Added this new criterion to reflect that HITRUST may reject certain third-party reports if there are quality concerns about the performance of the report’s auditors. |
| 13.9 CAPs and Gaps | 13.9.3: Removed the prior workflow diagram and added two new diagrams to reflect the two separate workflows for ai1 and ai2. (not a change from current workflow, prior diagram was incomplete) |
| 13.9 CAPs and Gaps | 13.9.9: Added this criterion to clarify the expectations when inheriting service provider scores that result in CAPs (not a change from current process). |
| 14.1 Quality Assurance Process | Updated ‘reviews’ to ‘re-performs’ in this chapter to reflect that a QA Analyst re-performs the work done by an External Assessor. |
| 15.1 HITRUST Reporting | Added a section titled “Certification Status” which includes new criteria 15.1.6 through 15.1.8. This describes each of the statuses that a certification may hold, and the expectations for each status. |
| 15.1 HITRUST Reporting | Under “HITRUST AI Security Assessment with Certification (ai1 or ai2)” section, included a link to the HITRUST AI certification help website. |
| 15.3 Security Events & Fraud | 15.3.1: Added a sentence with the notification process for a security event. |
| 15.3 Security Events & Fraud | 15.3.5: Added this criterion to describe what should be included when reporting a security event to HITRUST. |
| 15.4 Interim Assessment | 15.4.6: Added this criterion to require the External Assessor to notify and discuss with HITRUST when control degradation has been confirmed in an interim assessment. |
| 15.4 Interim Assessment | 15.4.12: Added this criterion to indicate that External Assessors may not submit interim assessments where testing of the sampled requirements has not been completed. |
| 15.4 Interim Assessment | 15.4.24: Added this criterion to reflect that Assessed Entities may perform an e1 or i1 assessment in lieu of an interim assessment (if it covers the same scope). |
| 15.5 Rapid Assessments | 15.5.10: Added this criterion to clarify when rapid assessments may be generated (not a change in current process). |
| 15.6 Significant Changes | 15.6.3: Added wording to this criterion on the information to consider and disclose to HITRUST when determining whether a change is significant. |
| 15.6 Significant Changes | 15.6.4: Added this criterion to confirm that Assessed Entities may immediately inherit from service providers rather than wait for the 90-day incubation period. |
| A-20: Never N/A Registry | An appendix which includes a list of core HITRUST requirement statements that are expected to never be scored as Not Applicable (N/A). |