WOLF & CO Insights HITRUST CSF: Roles & Responsibilities

HITRUST CSF: Roles & Responsibilities

Receiving HITRUST CSF certification will give your customers adequate assurance over your critical cybersecurity controls—enhancing customer loyalty, increasing your competitive edge in the market, and strengthening your reputation. To earn HITRUST certification, you must undergo a HITRUST assessment, during which a qualified HITRUST Assessor firm evaluates the quality of your policies, procedures, and implementation around each required HITRUST control.

Unlike other audits, an organization seeking HITRUST certification has many responsibilities that require diligent evaluation of operations, intense scrutiny of controls, and promptness to amend controls where necessary. From the Readiness Assessment to the validated audit, the road to HITRUST certification is a very hands-on process for an organization, and it’s imperative to have an experienced firm to help navigate this complicated endeavor.

Responsibilities of the Firm: What We’ll Do For You

As a qualified HITRUST Assessor firm, Wolf will first initiate a phone call to gain an understanding of your systems or applications that must meet HITRUST requirements. Through the review of system-specific documentation (such as network, architectural, and data flow diagrams), we’ll gain a holistic view of the systems your organizations wants to become HITRUST certified. With this, we’ll be able to determine the best timeframe and the best course of action during this process. From there, we’ll scope your organization using the HITRUST Scoping Factor questionnaire to determine other controls that must fulfill HITRUST requirements to achieve certification.

Policies & Procedures

There are two routes that can be taken during our evaluation of your policies and procedures.

  1. Firm Creates Policies and Procedures
  • If you don’t have your own written policies and procedures, our Virtual Chief Information Security Officer (vCISO) Advisory Services can assist in the development of HITRUST-compliant policies and procedures specified by your HITRUST requirements. We can also provide an outline for your procedures, which you can tailor to your organization’s unique operations. You’ll then send your procedure outline back to us. We’ll check your work to ensure you’re documenting (in adequate detail) the procedures for each control environment. This is a quick spot check to ensure you’re documenting procedures correctly.
  1. Organization Has Written Policies and Procedures
  • If you already have written policies and procedures, we’ll work with your team to identify how each specific policy and procedural statement satisfies each control environment. During this process, we’ll be able to expose any gaps that need to be remediated prior to the Validated Assessment.

Readiness Assessment

After policies and procedures have been developed for controls, we’ll conduct a Readiness Assessment, where we take a comprehensive look and identify any gaps in your policies and procedures. We’ll then provide a gap analysis report detailing what needs to be remediated and guidance on how to close these gaps.

Responsibilities of the Client: Your Path to Compliance

During the entire HITRUST certification process, your organization will have to:

  • Scope your environment to determine what controls require HITRUST certification prior to the Readiness Assessment
  • Amend your policies, procedures, and implementation to coincide with identified HITRUST gaps
  • Outline where all control environments are satisfied
  • Undergo a Readiness Assessment
  • Remediate any gaps identified in your controls

Make it Your Own

You must first scan your entire environment to analyze and document the policies and procedures for each control. Also, even if the firm writes the policies for the organization and provides a template for the procedures, you must tailor those templates to your specific business. The firm may be able to provide a foundation, but you must adapt it to fit your operations to become compliant. As the client, you must be completely invested in the process, which means dedicating a project manager or team to the audit.

What to Look For in a HITRUST Assessor Firm

HITRUST compliance can be arduous, but Wolf will work as a trusted partner throughout your journey to make it as seamless as possible and ensure you achieve certification.

From scoping and gap analyses, to policy creation and spot checks, we’ll prepare you for and streamline your HITRUST process. We also offer additional services to elevate your security and enhance your controls to bring you to the next level of HITRUST assurance. For instance, we offer additional vCISO Advisory and Business Continuity Planning (BCP) services to solidify your organization’s controls and increase your security posture.

What You’ll Receive with Wolf

  • A dedicated HITRUST assessor that will personally work with you every step of the way
  • Comprehensive workshops to walk you through the HITRUST audit prior to its execution
  • A detailed look at what a compliant HITRUST policy looks like
  • Fully written, compliant policies tailored to your organization
  • Detailed procedure templates
  • A comprehensive Readiness Assessment identifying specific gaps for remediation
  • Ongoing spot checks throughout the process to ensure progress and success
  • An in-depth review of all the controls in the scope of all 19 HITRUST domains
    • This report identifies gaps in the organization’s policies, procedures, or implementation. It’ll also state whether the organization needs to remediate the identified gaps.
  • An executive summary and a high-level overview of any major gaps and vulnerabilities found in the organization’s controls


A HITRUST CSF certification audit is comprehensive, extensive, and intensive—but we’re here to help. The effort required of your organization during this process can be overwhelming, but our collaborative approach will ensure that our experts are with you throughout to answer any questions or troubleshoot any obstacles encountered. With a streamlined engagement, expert advice, and comprehensive guidance, we’ll guide your organization to HITRUST certification.