HITRUST Requirement for "Independent Review of Information Security" Causes Questions

Photo by Mike van Schoonderwalt from Pexels

Organizations preparing for HITRUST certification typically have questions around Control Reference 05.h Independent Review of Information Security: "The organization's approach to managing information security and its implementation (control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, at a minimum annually, or when significant changes to the security implementation occur."

The first question is typically: Does the requirement for an "independent" review necessitate hiring external auditors? The second question is often: How does this differ from other review requirements?

Defining independent: The first question is easy. "The review ... is carried out by individuals independent of the area under review (e.g. the internal audit function, an independent manager or a third-party organization specializing in such reviews," according to the Level 1 notes for 05.h in the Cyber Security Framework (CSF). In addition, the HITRUST glossary defines Independent as "With respect to an assessor or measure, one that is not influenced by the person or entity that is responsible for the implementation of the requirement/control being evaluated or measured." So an independent review can be conducted either by staff in a separate department or on a separate team from the function being reviewed, or by an external team. 

"Review of the organization's approach to managing information security and its implementation:"  Baseline requirements are a subset of 700+ potential HITRUST controls selected for the organization based on its answer to scoping questions. At a minimum, in addition to independent review, baseline requirements for assessments or reviews typically include:

1. A HITRUST validated assessment (recertification) every other year.
2. A HITRUST interim assessment on the alternating years.
3. An annual review of the Information Security Management Program (ISMP) or set of information security policies.(Control Reference 00.a Information Security Management Program).
4. A Risk Assessment on the scoped environment that addresses all HITRUST domains (Control Reference 03.b Performing Risk Assessments). 
5. Penetration testing (Control Reference 10.m Control of Technical Vulnerabilities).

In addition, these organizations may also be subject to SOC, PCI-DSS, ISO27001, or other independent reviews with scopes that may or may not exactly line up with the HITRUST scope.

So how does the independent review add to or fit with other assessment requirements? The answer to that question depends on the baseline requirements selected for that organization. In addition to the baseline requirements tatements, organizations should also look at the "illustrative procedure" (IP) language for selected 05.h baseline requirements to understand how they are being tested. (Organizations can export a spreadsheet from the reporting section of MyCSF that includes the baseline requirements and the IP language for each requirement for the areas HITRUST auditors will be assessing: policy, process/procedure, implemented, and sometimes managed and measured.) With a solid understanding of the organization-specific controls, the organization must consider whether existing assessment efforts are sufficient. If no gaps are present, an organization may  create an assurance plan specifying how the independent review requirements are met by existing efforts instead of performing an additional review. Any baseline requirements that aren't already met must also be addressed.

Keep in mind that if an organization wants to achieve HITRUST certification with efficiency, it should not consider the HITRUST CSF as equivalent to its scope. Not all CSF  "Implementation Requirements" apply for every organization. Organizations should set aside the CSF and primarily focus on their baseline requirements and IPs. The CSF should be reviewed only for context only.