Preparing for your HITRUST Validated Assessment is no small task. With a little bit of preparation, you can ensure that the assessment goes smoothly. Below are five things that you should prepare prior to your assessment.
You should designate one person as the key contact during the audit. This is the individual with whom the assessor will coordinate throughout the assessment. This individual should have access to other key personnel within the organization and be readily available to answer questions for the assessor. It may also be a good idea to schedule a weekly or bi-weekly meeting between the key contact and the external assessor. This ensures that the project stays on track and that questions are answered quickly.
Policies and Procedures
Each requirements statement requires an associated policy and procedure. Before your HITRUST Validated Assessment, ensure that your policies and procedures cover all in-scope requirements statements. Additionally, ensure that these documents have been approved within the last year and have the approval date and body listed. Finally, ensure that your policies and procedures are easily accessible so that you can provide them to your assessor.
Your external assessor will need to talk to members of your team in order to get a better understanding of your environment. Make sure that you coordinate with your assessor and your internal team early on in your audit. Some teams that the assessor may want to talk to at your SaaS company include:
- Security Governance
- Corporate IT
- Development and Operations
- Business Continuity, Disaster Recovery, and Incident Response
Many requirements statements require the assessor to look at a population to validate the implementation level. These populations may include all employees, all new hires within the last year, or all changes pushed to production in the last six months. You must ensure that you have access to these populations and that they are complete and up-to-date.
Within MyCSF (HITRUST’s assessment tool), you will need to set up several items prior to your external assessment. Some items to set up include:
- Subscription – Ensure that your MyCSF subscription supports a Validated Assessment and allows you to add as many individuals to your MyCSF assessment object as you need.
- Organization scope – The scope drives which requirements statements will be in the assessment. Typically completed prior to the Validated Assessment.
- Roles and permissions – You will need to allow auditors from the external assessor access to your MyCSF object in order for them to complete the Validated Assessment.
- Default Scoring Profile – The default scoring profile helps streamline the scoring of your assessment by applying a default score to each requirements statement.
With these items prepared ahead of time, your HITRUST Validated Assessment should go smoothly for both you and your external assessor. If you are interested in working with an internal assessor, or are still shopping for an external assessor, reach out to contact us and we would be happy to help!