HITRUST issues guidance for relying on work of internal audit departments in CSF assessments
HITRUST, a leading data protection standards development and certification organization, released updated guidance for placing reliance on the results of previously performed audits, assessments, and inspections. These policy and methodology updates create opportunities for greater assessment efficiency and customer cost savings.
HITRUST has historically offered External Assessors (formerly referred to as HITRUST CSF Assessors) two ways to rely on the results of previously performed control testing: Inheritance of the results of other HITRUST CSF Assessments, and reliance on audit reports and certifications issued by third-party auditors (such as SOC 2 Type II reports) that meet the requirements established by the CSF Assurance program.
The recently released updates clarify these options by specifying associated timing, scope, and documentation requirements.
These updates also allow Internal Audit or other departments that meet specific objectivity and resource qualification requirements to participate directly in and support the CSF Assessment process, through a new role in the CSF Assurance process called Internal Assessor.
Internal Assessors will aid in the CSF Assessment process by performing testing and verification on various aspects of the process. External Assessors will now have the option of relying on work performed by an assessed entity’s Internal Assessors, which not only creates efficiencies and cost savings but also improves organizational alignment on information security and privacy control requirements.
The Internal Assessor role in the CSF Assurance process will bring benefits to both External Assessors and assessed entities:
- Assessed entities already performing robust pre-assessment testing in advance of their HITRUST CSF Validated Assessment can expect lower overall HITRUST CSF Assessment costs, as duplicate testing performed by their assessor can be reduced.
- Teams with deep knowledge of the organization’s internal controls (such as Internal Audit, Risk Management, and Compliance) can now have a defined role in the overall HITRUST CSF Assessment process.
“Integrating Internal Audit teams into the CSF Assessment process can be very beneficial for organizations,” says Ken Vander Wal, Chief Compliance Officer, HITRUST. “In addition to the efficiency, time, and cost savings, it can better align information security and compliance across the organization.”