This article is part of a series detailing the seven key steps to anticipate on the path to HITRUST certification. Check out the second article in the series here.
HITRUST isn’t just a compliance checkbox. It is proof that your organization meets a high standard of security and risk management.
Certification requires a rigorous, evidence-based process involving planning, cross-functional coordination, and genuine readiness. Certification isn’t simply given. It’s earned. Here are the first four of seven key steps in your journey to certification.
Step 1: Procure an Experienced Translator
HITRUST has its own language and if you don’t speak it, you’re traveling abroad without a reliable translator. You wouldn’t want to be stuck in a foreign country without a card showing your hotel address in different languages, and you wouldn’t want to get caught roaming the vast lands of the HITRUST CSF without a HITRUST Authorized External Assessor.
After all, they’re the one who ultimately submits validated assessments to HITRUST for quality review. That means they know the answers to the test that you will have to pass to obtain certification. Engaging an external assessor firm early in your journey will save you and your team days of wandering unfamiliar territory in search of something familiar.
Step 2: Define Scope and Objectives
- What systems, data, and services are in scope? While this is a seemingly simple first question, it is everything. In fact, for experienced external assessors, it’s only the first instance in which this question will be asked. It continues to be revisited time and time again throughout your HITRUST journey to ensure you’re doing the right amount of assurance – not too little nor too much.
- Is certification motivation driven by prospective or current customer demands, market positioning and enablement, or internal maturity factors?
- What level of assurance do you need? Minimal, moderate, or high?
- Choose your assessment type (e1, i1, r2, etc.) – check out our more detailed breakdown of the assessment types here. Know that many organizations treat the e1, i1, and r2 certifications like a maturity ladder. It benefits your organization to do so, as with each step up the ladder you will experience more: more controls, more attributes, more associated fees – with the same rigor. So, start small if you can and get good at the basics, as with anything else.
- If you end up choosing the r2 path, you will be subject to a more elaborate scoping process where a handful of additional scoping factors (Organizational, Technical, Regulatory, etc.) are necessary to tailor your assessment.
How long does this phase take?
This phase is generally completed in a matter of weeks but does require some technical validation of your infrastructure and systems.
Step 3: Readiness Assessment
Before a validated assessment (certification), most organizations complete a readiness phase to:
- Perform a gap analysis against HITRUST CSF controls and identify missing policies, procedures, and technical proof. This is where you’ll work through the questions on the test to explain how you’ll answer it come validated assessment time. It’s a full walkthrough of your game plan, packed with a playbook on how to handle inevitable audibles in the thick of auditor testing.
- Prioritize remediation tasks by effort and risk. Controls are required to be “implemented” for 60-90 days, depending on the type of control, prior to initiating a validated assessment period. That is what HITRUST refers to as the “Incubation Period.” Therefore, it’s important to prioritize gap remediation to ensure your roadmap can be accomplished as efficiently as possible. Assessors should also be able to distinguish required gaps from optional enhancements. Enhancements are things that are nice to have in the future, but not necessary to achieve compliance and certification now.
How long does this phase take?
This phase generally takes anywhere from 1 to 3 months, depending on the complexities of your infrastructure and systems.
Remediate and Align
This is where the heavy lifting happens. You’re now armed with the honey-do list of gaps to close, along with a prioritized roadmap. This phase is about executing the plan and checking back with your audit partner to ensure you did it the right way. In this phase, you will:
- Update or develop formal documentation – policies, procedures, standards, etc. Templates go a long way and good audit partner firms will have a library to get you started.
- Implement technical safeguards (MFA, logging & monitoring, encryption, etc.). This is a wide-ranging task, based on the number and type(s) of gaps previously identified. It could be as simple as enabling a dormant configuration or as extensive as implementing a new SDLC process and supporting systems.
- Assign control owners, prepare evidence for each control, and align with your external assessor firm on its completeness and accuracy. Consider this an extension of the gap assessment that was previously completed to further validate that your newly remediated gaps are indeed remediated in the manner they’ll be tested.
- Develop testing efficiencies to allow for automated evidence collection and evaluation. Consider how you can integrate compliance and security operations in a continuous, systematic way, moving beyond point-in-time assessments to a model of continuous monitoring and risk mitigation. Good external assessor firms will be able to realize these efficiencies and pass on discounts based on their own reduced audit effort.
Step 4: 90-day Incubation Period
Once all of your readiness gaps have been closed and “implemented” (Congrats!) you get a free 90-day vacation. Well, sort of… HITRUST requires a 90-day “incubation period” for controls to be implemented (or 60 days for policies/procedures) before you can officially start your 90-day examination period. In practice, you can begin that 90-day incubation clock as soon as the last gap is closed.
During this period of peace, it’s the perfect opportunity to book that HITRUST QA reservation. Once your assessment is scoped and loaded into MyCSF, you’ll be able to reserve a date on the HITRUST QA Team’s calendar, much like an online dinner reservation (the kind that takes a credit card preauthorization). This is a key step to ensure you meet your timeline, as the HITRUST QA Team’s availability fluctuates based on demand. You don’t want to overpromise your delivery date if the QA team can’t meet your needs.
Additionally, the assessed entity can begin to work with the external assessor to preload MyCSF. While most of the controls will require time-stamped evidence from within your 90-day examination period, there’s still plenty your teams can do ahead of time to make the examination period run more smoothly. This includes tasks like:
- Answering all pre-assessment questions: organization information, assessment options, assessment scope, and scoping factors.
- Drafting all requirement statements and completing the validated report agreement.
- Validating your internal documentation paths to ensure smooth and possibly automated evidence collection.
Our next article will share the final 3 steps to expect before you certify, including the 90-day examination period, quality assurance and certification, as well as a roadmap summarizing the full 7-phase lifecycle.
How Can Schneider Downs Help?
As an Authorized HITRUST External Assessor Firm, Schneider Downs has a strong track record with HITRUST protocols, providing trusted guidance and support throughout the certification process. For more information, contact our HITRUST team at [email protected].
About IT Risk Advisory
Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but also to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
To learn more, visit our dedicated IT Risk Advisory page.