Choosing the right HITRUST external assessor is a critical step in your compliance journey. The best auditing firms don’t just help you cross the finish line—they empower your organization to leverage compliance to build trust with customers, partners, and prospects.
When evaluating potential HITRUST assessors, look for signs that they’ll be a true partner to your organization, including demonstrable experience and expertise, flexibility and approachability, the ability to simplify complex topics, and a commitment to being a trusted advisor who actually cares about helping you improve your security posture.
Your HITRUST assessor should be able to demonstrate a strong track record of success and expertise related to your specific needs and challenges, including assessments of organizations of similar size, industry, and technology stack. That experience allows them to tailor their assessment approach, so you can better understand and remediate areas of concern and ensure your security program is ready to grow with your company.
One way to evaluate experience is to ask for client references and reach out for candid feedback, ideally from organizations that went through the same type of HITRUST assessment you are pursuing. You can also look at the firm’s Net Promoter Score (NPS), which is based on clients’ likelihood of recommending the firm; a score over 80 is generally described as world-class. Because NPS is self-reported, ask how and when it was measured and how many clients responded.
BARR Advisory is proud to have ended 2024 with an annual NPS of 91, placing us in the top quartile in professional services and technology industries.
When evaluating HITRUST assessors, you should also confirm that the firm is a HITRUST Authorized External Assessor and that its auditing team is well-versed in HITRUST requirements and has the credentials to back it up, such as Certified Information Systems Auditor (CISA) and HITRUST Certified CSF Practitioner (CCSFP). Ask which credentialed individuals will actually staff your engagement, not just which certifications the firm holds in aggregate. At BARR, our team members hold multiple industry-recognized certifications like these and participate in frequent training to ensure we can offer the most relevant insights to help you navigate the current regulatory and threat landscapes.
Effective auditing is a collaborative process, and your relationship with your HITRUST assessor should be built on trust and open communication.
A high-quality HITRUST assessor is approachable and committed to clear, human-first communication that cuts through the technical jargon to give you practical, actionable feedback. By placing an emphasis on understanding the people and processes behind the systems, an approachable HITRUST assessor can better tailor their observations and insights to your organization’s unique needs and goals, leading to more relevant and meaningful audit outcomes.
“The analogy I like to use is that we act as the lawyers to support an organization through the HITRUST certification process,” said Steve Ryan, senior attest services manager and head of healthcare services at BARR Advisory. “We take HITRUST’s prescriptive requirements and tailor them to meet what’s realistic for an organization. We then ensure HITRUST sees the approach to ensure that what is realistic to implement meets HITRUST requirements.”
Having an approachable auditor is also important because it ensures that your team feels comfortable seeking clarification, raising concerns, and discussing sensitive issues. The result is a smoother, more productive audit experience—one where your team feels supported, informed, and confident at every step of the process.
The best HITRUST external assessors can simplify the complex, demonstrating true mastery of the subject matter by communicating it clearly. Your auditors should be able to explain in plain language how controls are evaluated against HITRUST requirements, what evidence they will expect for each, and why those controls matter for maintaining strong data security.
Simplicity is especially important at the outset of the engagement, so you can have a clear roadmap for what’s ahead: the scope, the timeline, the evidence requests, and who on your team will be involved at each stage.
By prioritizing clear, frequent communication, the best HITRUST external assessors take the unnecessary complexity out of HITRUST compliance, making it more accessible to organizations across all industries.
An auditor who genuinely cares about helping you build long-term cyber resilience will go the extra mile to ensure you get the most value out of your audit. This includes taking the time to understand your company’s mission, values, and business objectives, and tailoring their approach to fit your unique circumstances. Look for a firm that will not only listen to your needs but also answer your questions and address your concerns candidly.
When your assessor cares about what they do, you reap the benefits not just during the audit, but also after it’s complete. Your auditor shouldn’t go away after the audit; instead, they should be your true partner throughout the year, checking in on your organization as needed and providing insights into what might be around the corner.
By developing a deep understanding of your people and processes, your assessor can also offer more relevant guidance about potential areas for improvement and what next steps might be right for your compliance program going forward.
A high-quality HITRUST assessor should be more than just another service provider—they should be your trusted advisor and partner in your success.
The best cybersecurity auditing firms don’t just check boxes; they invest in understanding your organization, its mission, and its challenges. When your HITRUST assessor genuinely cares about your organization, they can offer clear, business-aware observations that go beyond compliance requirements, helping you better understand how their findings relate to your organization’s broader security posture.
Are you looking for an experienced, approachable auditor who provides meaningful insights to help you improve your organization’s security posture? Contact us today to find out how we can help.