

Today, HITRUST is one of the most reputable and respected certifications to get assurance for your organization’s security and compliance posture, regardless of the industry. The certification offers numerous benefits, from effective risk management to easier trust-building and stakeholder assurance.
The role of a HITRUST assessor is crucial to the successful completion of the framework. You’ll need to work closely with them throughout the certification process to pass HITRUST-mandated assessments and implement remedial solutions.
Refer to our guide to get deeper insights into who HITRUST assessors are and what duties they perform. You’ll learn:
- Basics of the HITRUST assessor role
- Requirements and qualifications
- Types of HITRUST assessors
- Tips for finding the right assessor
What is a HITRUST assessor?
A HITRUST assessor is a firm or any other organization authorized by the HITRUST Alliance to provide assessment services related to the HITRUST Common Security Framework (CSF). When an assessed entity (in this case, your organization) completes a HITRUST self-assessment, the assessor’s main duty is to validate it and ensure your controls meet the HITRUST certification requirements.
Since you can’t get HITRUST-certified without an assessor, you’ll need to find one early in your certification journey. However, their specific role and involvement in the process largely depend on your scoped controls.
Another noteworthy point about the HITRUST assessor is that the firm can be both the party that verifies and the one that provides prescriptive guidance and remediation solutions when necessary. This makes the assessor more of an active enabler than a distant authoritative body.
HITRUST assessor: Qualifications and requirements
Each HITRUST assessor undergoes a stringent vetting process that includes training and accreditation. The vetting process includes an examination of various aspects, such as:
- The assessor organization’s procedures and policies
- The backgrounds of individuals in charge of performing the assessments
- An assessor’s demonstration of their ability to perform successful assessments
The HITRUST Alliance ensures assessors are familiar with the guidelines, techniques, and methodologies for effective assessments. Each assessor within an assessor organization can receive one of the following individual-level accreditations:
- Certified CSF Practitioner or CCSFP: An individual who completed the CCSFP training and certification exam and who typically works at an external assessor organization. They might work for the assessed entity directly or provide HITRUST consulting services.
- Certified HITRUST Quality Professional or CHQP: An individual who works in the quality assurance (QA) role and is typically employed by an external assessor organization. CHQPs primarily review potential discrepancies or documentation issues in a validated assessment before it’s submitted to HITRUST.
HITRUST assessors are expected to maintain their knowledge of the framework’s updates continuously. They should have a thorough understanding of extensive resources like the HITRUST Assessment Handbook to provide sound technical and procedural expertise.
Types of HITRUST assessors
According to their specific role in the certification process, HITRUST assessors can be split into two categories:
- External
- Internal
Let’s understand the key differences below.
1. External assessors
External assessors are organizations that HITRUST has approved to provide services related to validated assessments. After you’ve self-assessed your in-scope controls, external assessors review them by examining proof that they meet HITRUST’s standards.
To perform HITRUST audits, an external assessor organization needs to employ at least five CCSFPs and two CHQPs. The CCSFP designation is necessary for the key team members involved in the assessment process. The following table outlines the key stakeholders in the engagement:
External assessors also perform other general tasks as part of the assessment workflow, for example:
- Observing the existence and performance of in-scope controls
- Inspecting an assessed entity’s policies and procedures
- Analyzing relationships, trends, and anomalies in datasets
2. Internal assessors
Internal assessors are either in-house experts or outsourced professionals in charge of performing the voluntary HITRUST readiness assessment.
Unlike a validated assessment, a readiness assessment isn’t reviewed by HITRUST. It’s mainly used to conduct a gap assessment and get an organization’s controls ready for the validated assessment.
An internal assessor team should ideally include at least two CCSFPs authorized by HITRUST. Individuals who want to serve as internal assessors must complete and submit an application form to HITRUST. The form contains questions regarding the applicant’s qualifications, as well as the specific functions that will be performed.
If your HITRUST assessment workflow includes an internal assessor, it can look like this:
- You perform a self-assessment according to the in-scope HITRUST requirements
- An internal assessor reviews the assessment
- They identify and provide guidance for remediating any gaps
- You remediate the gaps and pursue a validated assessment
- An external assessor reviews the validated assessment and submits it for quality assurance
An external assessor typically relies on the internal assessor’s testing, which expedites the overall certification timeline.
How to choose the right HITRUST assessor
Numerous organizations are authorized by HITRUST to perform assessment services. To find the best one, follow these tips:
- Understand your assessment needs
- Assess their expertise and track record
- Consider an assessor’s software solutions
- Review the pricing structure and complementary benefits (if any)
1. Understand your assessment needs
The first step to choosing an assessor is determining your assessment scope. You should see whether you’ll need a thorough readiness assessment or if you can pursue the validated assessment directly.
If you don’t have prior experience with the HITRUST framework, it’s best to work with an internal assessor to prioritize a readiness assessment. This will help you assess and improve your security posture, so you’re confident about undergoing the validated assessment.
2. Assess their expertise and track record
HITRUST offers three assessment levels that may influence your choice of assessors:
- e1: Entry-level assessment with 44 critical controls necessary for basic security
- i1: More comprehensive assessment including 187 controls
- r2: The highest assessment level with custom controls based on an organization’s risk profile (out of 2,000+ controls in total)
The breadth of the assessor’s responsibilities gradually increases with each assessment level. Some assessors specialize in specific levels, while others offer comprehensive coverage of all. If you plan on pursuing higher certification levels, particularly r2, make sure your assessor has a proven track record of handling complex HITRUST assignments.
It’s also worth asking if your potential assessor has experience working with frameworks in your industry. HITRUST compliance maps the requirements of 50+ major regulations and standards across industries. It’d help if your assessor is familiar with the regulations applicable to you.
3. Consider an assessor’s software solutions
Software solutions can make or break your experience with HITRUST certification. If your or your assessor’s organization relies on manual, disparate systems, activities like evidence collection and control scoping can be tedious and time-consuming.
To avoid potential inefficiencies, ask the assessor about their tech stack. Ideally, they’ll leverage an automation solution to streamline security reviews, gap assessments, and other procedural tasks throughout the readiness or validated assessment process. Real-time visibility of your HITRUST certification progress is another aspect you should discuss with a potential assessor.
4. Review the pricing structure and complementary benefits (if any)
The costs of HITRUST certification can add up in the form of conducting additional security reviews and implementing remediation controls. While an internal assessor can help minimize such additional costs, you may want to review if their services are reasonably priced.
Some assessors charge a fixed amount, while others offer scope-based pricing. The latter is often preferred because it ensures you’re only paying for the assessment areas applicable to you. You can also analyze if the assessor provides other complementary services, such as:
- Development of a HITRUST certification roadmap
- Documentation and employee training support
- Guidance for continuous improvement
Keep in mind that the cost isn’t a deal-breaker here. Sometimes, it might pay off to invest more if a reputable assessor can ensure smoother assessments.
Vanta: Your trusted HITRUST partner
If you’re looking for a software solution that streamlines HITRUST certification workflows for you and your assessor, Vanta is the answer.
Vanta is a comprehensive trust management platform that automates up to 80% of HITRUST certification requirements. As HITRUST’s official automation partner, Vanta offers prebuilt and vetted e1, i1, and r2 frameworks to help you track and complete HITRUST requirements from one place.
Some key functionalities of the platform that save significant time and resources include:
- Automated evidence collection powered by over 350 integrations
- Centralized tracking of HITRUST requirements with actionable guidance
- Automated gap assessments
- Cross-referencing with other supported frameworks to minimize duplicative work
- Integration with the HITRUST MyCSF platform for seamless compliance management
- 200+ support resources like controls, tests, and policy templates
Watch this free webinar to explore Vanta’s HITRUST solution, or request a demo here.
Find your HITRUST assessor with Vanta
Vanta also partners with reputable audit firms to help you find the right assessor for your organization. Tap into Vanta’s partner network to discover HITRUST-vetted assessors that can guide you through the certification process.
HITRUST assessors: Key qualifications, types, and responsibilities
