For r2, i1, or e1 assessments, organizations may choose to perform a readiness assessment using the standard methodology, requirements, and tools provided under the HITRUST Assurance Program. HITRUST does not perform a quality assurance review of the results of the readiness assessment. A readiness assessment is useful for Assessed Entities to identify and remediate gaps prior to performance of a validated assessment and demonstrate progress towards assessment milestones.
For r2 readiness assessments, the organization being assessed first completes a risk-based scoping questionnaire within MyCSF that drives control selection and assessment scope based on general, organizational, geographical, systematic, and regulatory risk factors. Upon completion of the scoping questionnaire, a customized set of HITRUST CSF control references and requirement statements is automatically generated. For an i1 or e1 readiness assessment, the requirement statements are pre-defined.
The Assessed Entity, or its designee, enters responses for each requirement statement and determines the level of compliance for each of the five PRISMA-based maturity levels for the r2 and the Implemented maturity level for the i1 or e1 (see Chapter 9 PRISMA Maturity Levels for additional information on the PRISMA maturity levels). The Assessed Entity, or its designee, also may generate and/or respond to corresponding Corrective Action Plans (CAPs)/Gaps within the assessment.
Once the Assessed Entity, or its designee, has determined and entered compliance scores for the corresponding PRISMA maturity level across all requirement statements, the Assessed Entity may submit the populated MyCSF object to HITRUST for report generation. This is an optional step, as Assessed Entities may choose to perform the readiness work to identify their gaps and may not require the final report. Please note that readiness assessments do not undergo HITRUST Quality Assurance review, so they will have a lower level of reliability. For additional information on utilizing HITRUST reports to manage vendor risk, see additional information within the HITRUST Third-Party Risk Management Program.