Assessment Handbook
1.1
Table of Contents
1. Introduction
2. Background
3. Roles & Responsibilities
3.1 Assessed Entity
3.2 Assessors
3.3 Independence Requirements
4. Assessment Types
4.1 Readiness Assessments
4.2 Validated Assessments
5. HITRUST Assessment Workflow
5.1 r2 Validated Assessment Workflow
5.2 i1 and e1 Validated Assessment Workflow
5.3 r2 Readiness Assessment Workflow
5.4 i1 & e1 Readiness Assessment Workflow
5.5 Interim and Bridge Assessment Workflow
5.6 Assessment Status Dashboards
5.7 MyCSF Assessment Status Notifications
6. Pre-Assessment
6.1 Pre-Assessment Webforms
6.2 Name & Security
6.3 Assessment Options
6.4 Organization Information
6.5 Scope of the Assessment
6.6 Default Scoring Profile
6.7 Factors
7. Scoping the Assessment
7.1 Assessment Scoping
7.2 Required Scope Components
7.3 Carve-outs
8. Requirement Statements
8.1 Requirement Statement Background
8.2 Alternate Controls
8.3 Not Applicable (N/A) Requirement Statements
9. Control Maturity Levels
9.1 Policy Maturity Level
9.2 Procedure Maturity Level
9.3 Implemented Maturity Level
9.4 Measured Maturity Level
9.5 Managed Maturity Level
10. HITRUST Scoring Rubric
10.1 HITRUST Scoring
11. Testing & Evidence Requirements
11.1 Testing Approach
11.2 Testing Requirements
11.3 Working Papers & Evidence
11.4 Population & Sampling
11.5 Documenting Exceptions
12. Reliance & Third-Party Coverage
12.1 Third-Party Coverage
12.2 Reliance on Assessment Results Using Inheritance
12.3 Reliance on Audits and/or Assessments Performed by a Third-Party
12.4 Reliance on Testing Performed by the Assessed Entity (i.e., Internal Assessors)
12.5 Direct Testing of Third-Party Controls
13. Assessment Submission Process
13.1 Quality Assurance (QA) Reservation
13.2 Audits and Assessments Utilized
13.3 Validated Report Agreement
13.4 Automated Quality Checks
13.5 Test Plan
13.6 External Assessor Time Sheet
13.7 QA Checklist
13.8 Management Representation Letter
13.9 CAPs and Gaps
13.10 Check-in Process
13.11 Addressing Check-in Tasks
14. Undergoing Quality Assurance (QA)
14.1 Quality Assurance Process
14.2 QA Tasks
14.3 Live QA
14.4 Escalated QA
15. Reporting & Maintaining a HITRUST Certification
15.1 HITRUST Reporting
15.2 Report Re-Issuance
15.3 Security Events & Fraud
15.4 Interim Assessment
15.5 Rapid Assessments
15.6 Significant Changes
15.7 Re-certification
15.8 Bridge Assessments
15.9 Emerging Mitigation Process (EMP)
15.10 HITRUST Treatment of Non-compliance
Appendix A: FAQs & Examples
A-1: Carve-out Scoring Details
A-2: Mixed Applicability Errors
A-3: Not Applicable (N/A) Examples
A-4: Never N/A Examples
A-5: N/A Decision Tree
A-6: Rubric Scoring – Policy, Procedure, and Implemented
A-7: Rubric Scoring – Measured and Managed
A-8: Testing & Evidence FAQs & Examples
A-9: Off-site Validation Procedures
A-10: Policy & Procedure FAQs & Examples
A-11: Automated Control Testing Example
A-12: Inheritance FAQs & Examples
A-13: Well-written CAP Examples
A-14: Scoping Approaches
A-15: Certification Threshold Scoring Examples
A-16: Sample-based Testing Examples
A-17: Expected AI Expertise for External Assessors
A-18: Example Add-on Certification Approach for Existing HITRUST Certifications
A-19: AI Security Certification Eligibility
Appendix B: Summary of Changes
B-1: Version 1.0
B-2: Version 1.1