This update adds clarification on timing, scope, and documentation requirements for relying on the results of previously-performed control testing, for both inheriting the results of other HITRUST CSF Assessments and relying on audit reports and certifications issued by third-party assessors, such as SOC 2. Specifically, when placing reliance on a third-party audit report, new requirements state:
- In order to place reliance on a third-party audit report, both the External Assessor and HITRUST must be authorized recipients of the report.
- When designing a reliance strategy, the External Assessor must perform a mapping between the HITRUST CSF requirements and the testing in the third-party audit report. This mapping, which is also provided to HITRUST, ensures a meaningful reliance strategy and demonstrates the basis for reliance on the third-party audit report.
Third-party reports can be relied upon for up to 1 year, as determined by comparing the HITRUST validated assessment fieldwork start date to the period end date for period-of-time reports or the final report date for point-in-time reports or forward-looking certifications.
What does this mean for assessed organizations?
Leveraging the results of other HITRUST CSF Assessments and third-party audit reports and certifications performed within the prior year remains a viable option to achieve assessment efficiency and potential cost savings. This update is intended to provide additional clarity and transparency about the expectations and to prevent any over-reliance or unwarranted reliance on the work of others. Organizations will need to ensure the External Assessor and HITRUST are authorized recipients of the report. External Assessors remain accountable for validating the implementation of the HITRUST CSF Assessment and will need to perform sufficient review, mapping, and documentation efforts to ensure all reliance is appropriate.
When is this effective?
This change is effective on all assessment objects submitted and accepted on or after December 31, 2019.