HITRUST Assessment Handbook - Exposure Draft

The Assessment Handbook defines the requirements for organizations assessing their information protection programs against the HITRUST CSF through a readiness or validated assessment. The assessment handbook is intended to provide guidance and expectations of the assessment process to the HITRUST community.

HITRUST has published an exposure draft of the Assessment Handbook and invites all stakeholders to review and submit feedback by July 7, 2023.

The Assessment Handbook is not yet final and will not be enforced during the exposure draft review period. HITRUST will continue to enforce the existing guidance published within the HITRUST website (www.hitrustalliance.net).

2 results found

  1. 12.2.1: Internal Inheritance, “Only full cross-version control inheritance is supported when using internal inheritance.” Comment: Why not allow partial internal inheritance? (Example: For a large entity with many business units, the scope of the assessment may be broken up into Year 1 and Year 2 looking at different sets of applications, however they still leverage the same SFTP/site server. We should be able to test once in Year 1 and then partially inherit in Year 2 (control example: Transmission encryption. The separate part is in-scope applications, the same part is the SFTP site).)

    1 vote


  2. The Targeted assessment type should not be listed in section 12.2.5 because it can't produce a validated assessment.

    1 vote
