The HITRUST Alliance places a great deal of reliance on the CSF assessors that perform the validated assessments necessary for pursuing HITRUST certification. Given that level of reliance, it is understandable why HITRUST requires a rigorous application process for becoming a CSF assessor.
To even be considered as an applicant, an organization has to submit its methodology and evidence that it fulfills the required experience levels to the HITRUST Alliance for review. The individual employees within the organization that are listed on the application to perform the HITRUST assessments must have minimum experience levels within both IT security compliance and healthcare compliance as part of their professional resume. Even after acceptance and approval of the organization’s application to become a CSF assessor, the application remains contingent upon the employees’ completion of HITRUST practitioner training and their successful acquisition of the certified CSF practitioner certification by passing its required exam.
All individual CSF practitioners that obtain their certification must complete refresher training courses each year, and full training and recertification courses every three years. The HITRUST Alliance performs audits of its CSF assessor organizations to ensure that these training requirements have been fulfilled.
Once all of the requirements for becoming a CSF assessor organization are met, there are additional compliance requirements that must also be met during the performance of validated assessments. HITRUST mandates that a minimum percentage of auditors participating in a validated assessment must be certified CSF practitioners. This percentage level is currently 75%.
It is also important to understand that any HITRUST practitioner that is performing a validated assessment cannot assist in the design or implementation of any controls necessary to satisfy HITRUST requirements. That violation of independence could result in a failed assessment overall.
Now that you have an understanding of some of the hurdles an organization must go through to become a CSF assessor, it is also important to consider the assessors’ individual methodologies and processes that are used when performing assessments. During your vetting or proposal process for selecting a CSF assessor, make sure that you are comfortable with the assessors’ experience levels and their history of providing quality service for their clients. The process for becoming CSF certified is long and arduous, so having a partner that is both qualified and compatible with your organization’s team can be a critical factor in your success.