HITRUST Assessment Handbook - Exposure Draft

The Assessment Handbook defines the requirements for organizations assessing their information protection programs against the HITRUST CSF through a readiness or validated assessment. The assessment handbook is intended to provide guidance and expectations of the assessment process to the HITRUST community.

HITRUST has published an exposure draft of the Assessment Handbook and invites all stakeholders to review and submit feedback by July 7, 2023.

The Assessment Handbook is not yet final and will not be enforced during the exposure draft review period. HITRUST will continue to enforce the existing guidance published within the HITRUST website (www.hitrustalliance.net).


  1. 11.4 - for homogeneous applications that are NOT in scope for HITRUST but fall in the population: e.g., a change ticketing system, and an application change that is not in scope for HITRUST is selected due to random sampling. Is this allowed as a sample, since the process is the same for all applications (that are in scope for HITRUST)?

    1 vote


  2. 11.4.11 contradicts 11.4.10 - maybe add note 'with exception to 11.4.10'?

    1 vote


  3. 11.4.10 - can you elaborate - ‘re-validated’ for accuracy of populations? Does the assessor have to re-request the pop? Or can we inquire or corroborate with client that no major changes have occurred with the pop?

    1 vote


  4. 11.2.6 - ‘building a test plan’. Building a test plan may involve discussion with a client to understand scope of that process. Can inquiry with client be allowed when building a test plan?

    1 vote


  5. 11.2.1 - Can you define "test workbook" or add it to the glossary? For example, is it interchangeable with a test plan?

    1 vote


  6. More context and/or examples for assessed entities to clearly understand what is meant by "newly implemented or remediated controls". This includes a control that was not in place, a deficiency being addressed, a significant change such as a migration, etc.

    1 vote


  7. Pg. 44, 11.1.6: This appears to be a permanent change in approach to testing and so might warrant noting that this is different from the onsite testing required pre-COVID.

    1 vote

  8. For section 11.3, would it make sense to also mention that old evidence is not accepted, such as an assessed entity giving a screenshot from 9 months ago with a timestamp of a configuration? It might have been provided to the assessor during the 90-day window, but the evidence provided by the assessed entity is maybe an old screenshot they borrowed from their SOC 2, 9 months ago, and as such that is not indicative of the current environment.

    1 vote
