Learn why HITRUST readiness doesn’t have to cost you a full round of resources.
Fresh off the U.S. Open at Oakmont, it’s the perfect time to tee up your next HITRUST move. In our last article, we debunked some of the biggest myths keeping teams in the HITRUST sand trap. Now, it’s time to chart your course.
Many teams underestimate the terrain ahead on their HITRUST readiness course, until they’re buried in the rough with policy updates, access logs, and endless evidence reviews. But with the right strategy, you can stay on the fairway and keep your momentum all the way to certification.
Tip 1: Use Every Shot Already in Your Bag
A control overhaul might seem par for the course with each new control framework. With HITRUST, there’s no need to reinvent the wheel; leverage the work your team already does. You likely already have controls in place, just not in HITRUST language.
- SOC 2? ISO 27001? PCI? Start by leveraging HITRUST’s authoritative source mappings and validate them to your exact controls
- Focus on policy maturity, control execution, and audit-ready documentation
- Go directly to the source of the certification – the requirement statement’s evaluative elements and their illustrative procedures. These are the answers to the test that you’ll ultimately take as part of the validated assessment (certification).
Tip 2: Automation – the Best Playing Partners
Automation and repeatability are your best playing mates. Let them help you.
- Use Governance, Risk, and Compliance (GRC) platforms, ticketing systems, and cloud-native tools to reduce manual effort.
- Automate alerts, evidence collection, and log reviews where possible. Ensure your external assessor firm is involved in this approach, too. A good firm will be able to relay the discounts that you realize through the efficiencies that you implement. In other words, good automation can lead to reduced assessor fees.
- Build a documentation repository early. It saves hours, if not days, later on.
Tip 3: Assign Captains for Each Hole
We’ve all been there – a last-minute scramble, and we’re not talking golf. Well-defined and clearly communicated responsibilities help spread the load and prevent any scrambles to gather evidence or meet deadlines.
- Designate a project manager or compliance lead
- Align specific controls to domain experts (IT, HR, Legal, DevOps)
- Avoid the burnout that comes from one person trying to “own” it all
Tip 4: Build Your Game One Hole at a Time
New frameworks can seem daunting – it’s important to remember that every course can be tackled with the right approach.
- Don’t boil the ocean. Start with foundational domains (Access Control, Change Management, Risk Management, etc.)
- Use a phased roadmap (90-day increments) with clear progress tracking
- Communicate wins early and often to keep stakeholders engaged
Tip 5: Bring in a Pro for the Tough Shots
Everyone’s game is different. Know when to consult your caddie or even have a pro take certain shots for you.
- Internal teams often don’t have bandwidth or HITRUST expertise, and that’s OK!
- Co-sourcing with a trusted advisor allows your team to stay focused on operations
- Advisors bring structure, tools, templates, and proven experience
Play the Long Game
Think of HITRUST as your championship round; it takes stamina, coordination, and strategy. But with the right swing mechanics, your team can navigate it confidently without letting morale or leadership’s patience bunker out.
Ready to lower your HITRUST handicap? Explore our HITRUST co-sourcing model to see how we support clients like you.
How Can Schneider Downs Help?
As an Authorized HITRUST External Assessor Firm, Schneider Downs has a strong track record with HITRUST protocols, providing trusted guidance and support throughout the certification process. For more information, contact our HITRUST team at: [email protected].
About IT Risk Advisory
Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but also to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
To learn more, visit our dedicated IT Risk Advisory page.