
HITRUST Assessment Handbook - Exposure Draft

The Assessment Handbook defines the requirements for organizations assessing their information protection programs against the HITRUST CSF through a readiness or validated assessment. The Assessment Handbook is intended to provide the HITRUST community with guidance on, and expectations for, the assessment process.

HITRUST has published an exposure draft of the Assessment Handbook and invites all stakeholders to review and submit feedback by July 7, 2023.

The Assessment Handbook is not yet final and will not be enforced during the exposure draft review period. HITRUST will continue to enforce the existing guidance published on the HITRUST website (www.hitrustalliance.net).

4 results found

  1. The Assessed Entity must select whether they will be including all CSF security controls within the assessment or only those required for certification, along with whether Privacy controls should be included in the Assessment. – Does this need to read, “for r2 assessments only”?

    1 vote


  2. 1 vote


    • Addition to Organization/Company Background section Pg.28: We recommend that clients avoid using we, us, our, etc. If agreed, this can be added to 6.1.15 and 6.1.17.

    • Addition to Primary Mailing Address section Pg.29: In reference to the first bullet point "Platforms/Systems: The Platforms/Systems table should contain all platforms/systems contained within the scope of the assessment." It would be nice to have an appendix added for each of these webforms; it would be helpful for the clients to get an idea of how much detail to share.

    1 vote


    • Pre-Assessment, pg.27 - there is an extra word, "of": "The following section outlines the six webforms of that comprise the pre-assessment.."
    • Pg.27 6.1.10 - the link is missing: "The Assessed Entity must select the CSF version to be used during the assessment. For additional information on the various versions of the CSF, see <insert link>."
    1 vote
