Halfway through an r2 assessment, management asks to add six implemented systems to the scope of primary components. What would the assessor need to do within MyCSF?
A. Revert all Requirement Statements completed by the assessor so the client can consider control impact
B. Update the "Scope of the Assessment" tab in the assessment object
C. Remove all authoritative sources added to the assessment object
If management decides to add new systems mid-assessment, the assessor must ensure the assessment scope and related requirement statements reflect the change. In MyCSF, this means two actions. First, the assessor must revert all completed Requirement Statements so that the client can review and adjust responses for any new control impacts. Second, the assessor must update the “Scope of the Assessment” tab to include the new systems. This ensures that MyCSF recalculates applicable requirements based on the expanded scope. Removing authoritative sources or requesting a Bridge Certificate would not address this situation, as authoritative sources are regulatory mappings and bridge certificates are only used to extend certifications temporarily.
[References: HITRUST CSF Assurance Methodology – “Adjusting Scope During Assessments”; CCSFP Practitioner Guide – “Scope Changes in MyCSF.”]