Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


Are you ready to start working with a HITRUST External Assessor?

Sep 29, 2021

If your organization is considering pursuing HITRUST CSF® Certification, you probably know by now that it’s a considerable undertaking. But you may not have realized that preparation begins even before you engage a HITRUST Authorized External Assessor.

Being prepared comes with many benefits. It can save you in time and cost spent on the project, as well as effort on the part of your employees. By knowing what systems, policies, procedures, security, etc. you have in place, you can more easily and quickly answer your External Assessor’s questions, make decisions and keep the certification process moving forward on time.

But how do you know you’re ready to start working with an External Assessor?

Here are three signs you’re prepared:

1. You understand and can rate your existing organizational and technical security controls

The first step to preparing for your HITRUST assessment is simply knowing what security controls you have in place within your environment, how those controls stack up and where any gaps may be.

Before engaging a HITRUST assessor, you should have an understanding of what your organizational security controls are (e.g., security training, employee onboarding, compliance, physical security and penetration testing) as well as what your technical security controls are (e.g., access control, audit logging, antivirus, vulnerability scans, transmission security and encryption). Ideally, you would also understand where you have gaps in those controls and how to close those gaps and reduce your risk.

2. You understand whether your in-scope infrastructure is on-premises, cloud-based or hybrid, and what that means for your assessment

HITRUST requires you to gather evidence to prove you have proper controls in place. If you’re using a data center or a cloud-based provider, HITRUST will require evidence from them that they have proper controls in place around your organization’s data.

Before you engage an External Assessor, you should understand how many third-party vendors are part of your scope and how they interact with the systems within your scope. Will they cooperate in allowing tours of their space? Will they submit their policies, procedures and security assurance reports (e.g., SOC reports) to HITRUST to deliver the needed evidence? If their cooperation and responsiveness is low, that could hold up the certification process.

Certain cloud providers, such as Amazon and Microsoft, are already HITRUST certified, which means you can use inheritance to much more quickly and easily provide HITRUST with the evidence it requires.

3. You have a knowledgeable, available and authorized subject matter expert

Do you have a dedicated security officer? Or do you have other subject matter experts who can be actively involved in the HITRUST project?

Before you engage a HITRUST assessor, determine who this team of experts are. To keep the certification process running smoothly and on time, they will need to have these three qualities:

  • Knowledgeable: This person or group of people need to understand your organization’s environment, what your different systems are, how your organization operates, what the ins and outs of your policies and procedures are, how data is stored and gets from point A to B, etc. If they don’t know the answer to your External Assessor’s question, they should know who to go to.
  • Available: One thing that can really derail a HITRUST project is waiting for weeks at a time to get a response on open questions. You might have a person who has great knowledge and experience, but they’re far too busy to answer your External Assessor’s questions. If your organization is going to complete the assessment on time, they absolutely must be available to work with the External Assessor.
  • Authorized: Does this individual or team of people have the authority within your organization to make decisions and keep things moving internally? If your team has to go through people in other departments and levels of management to get decisions made or questions answered, that could result in project delays and cost you more money to get your assessment completed.

It can also help to have an executive sponsor involved. If the project’s primary contact within your organization does not have the authority to overcome a project roadblock, the executive sponsor has the ability and background knowledge necessary to assist. Plus, if there are issues that come up during the assessment that increase costs or extend the timeline, the executive sponsor will have been in the loop from the beginning.

Choosing the right HITRUST assessor

It’s never too early to start planning for your HITRUST CSF Certification — especially if you have a hard deadline or contractual requirements driving the project. If you aren’t fully prepared for your assessment, having a hard deadline in place introduces more risk into your project because the likelihood of delays increases. Also, the more complex your organization and its in-scope environment is, the longer the assessment will take.

Wipfli can help your organization prepare for your assessment. Our team is experienced in helping organizations define their systems, manage vendors, assess their environment and close control gaps, educate subject matter experts on their duties as the main project contacts and more. We also have policy and procedure templates that can help ensure you have the right documentation in place before your assessment begins. Click here to learn more.

Sign up to receive additional HITRUST-related content and information in your inbox, or continue reading on:


Jason J. Papador
View Profile