Only in r2 assessments can organizations carve out third-party controls as not applicable if the responsibility lies entirely with a third party (e.g., inherited from a cloud provider).
In e1 and i1 assessments, carve-outs are not allowed because they are standardized, prescriptive frameworks.
Interim assessments are continuations of r2 certifications and do not allow carve-outs beyond the initial scope.
Extract Reference (HITRUST CSF Inheritance and Scoping Guidance [0116]):
Third-party carve-outs as N/A are only permitted in r2 assessments, as i1 and e1 follow prescriptive control sets.