What Makes a HITRUST Readiness Assessment Truly Effective?

October 13, 2025 | HITRUST

TRANSCRIPT:

[Zikiya Chabwera, Associate Consultant, Attest Services at BARR Advisory:]

When it comes to HITRUST, a readiness assessment is more than just a checklist. It’s a crucial opportunity to uncover gaps, align your documentation with your actual security practices, and ultimately, mature your program in a way that sets you up for long-term success, not just certification. At BARR, we support organizations of all sizes through the HITRUST certification process, from startups using the foundational e1 assessment to complex enterprises pursuing the more rigorous r2 certification.

Regardless of which level you’re aiming for, your HITRUST journey usually starts with a readiness assessment. This is where we evaluate your controls against HITRUST CSF requirements and build a gap report showing what’s in place, what’s missing, and what needs attention before moving forward with the formal certification.

One of the most important pieces of this process is evaluating the difference between what’s written and what’s really happening. A policy might say the organization encrypts data at rest, but there’s no mention of how, when, or who ensures that happens in practice.

In many cases, the procedure is missing entirely or is outdated and no longer reflects what’s actually implemented.

Another issue is that policies sometimes use vague language like, “employees are expected to…” instead of more formal directives, like, “employees must…” That wording can be the difference between a compliant and a non-compliant policy. In some cases, procedures like reviewing access are carried out manually by admins, but there’s no documentation to show who is responsible, how often it happens, or how it is tracked.

Even if the action is taking place, the lack of documentation can still make it non-compliant.

Another issue is that some policies simply copy and paste the control language without using directive terms like “shall” or “must.” This makes it more of a guideline than a formal policy, which is definitely not acceptable for HITRUST compliance. Additionally, there are times when procedures are represented by a single screenshot or a one-line note without enough explanation.

This fails to show how the control is actually implemented or connected to the policy.

It’s also common to see a policy and procedure that don’t align. For example, the policy might describe one method of enforcement while the procedure shows something completely different. This inconsistency creates confusion and delays. Another issue we see is when organizations say a process is automated or handled by a third party, but they don’t provide documentation showing how they oversee or validate that process.

It’s not enough to say something is happening. It has to actually be documented and supported with evidence.

In conclusion, this is why we don’t stop at reviewing documents. We dig into how those documents are actually put into practice.

A full HITRUST readiness assessment typically includes three main parts. First, your team completes the HITRUST questionnaire. This allows you to self-identify where controls are implemented, where they’re not, and where you think a control may not apply. Second, your auditors review those responses in detail. If a control is marked as implemented, we verify it through testing based on HITRUST’s illustrative procedures. If it’s not implemented, we can help guide you through remediation. Third, you’ll receive a detailed workbook from us that outlines every control gap, complete with remediation recommendations and clear action steps.

So this is where our consulting team comes in. We don’t just hand over a list and walk away. We work side by side with you to address the gaps. Our team helps prioritize what to fix first and offers practical, scalable solutions tailored to your needs, whether that’s vulnerability management, endpoint protection, business continuity planning, or third-party risk management.

One thing that makes BARR unique is that we’re structured to support you through the entire HITRUST journey, while maintaining clear separation of duties. Our consulting team helps you fix the issues; our attest services team performs the readiness and certification assessments. This structure ensures independence, integrity, and consistency without the need to bring in multiple firms. And because it’s all happening under one roof, you benefit from streamlined onboarding, faster execution, and a consistent standard of quality from start to finish.

A HITRUST readiness assessment isn’t just helpful, it’s essential. It ensures you’re actually ready before the audit begins. It helps you showcase your strengths and address your weaknesses. It builds organizational confidence and it minimizes the risk of running into surprise control gaps later in the process.

In short, it sets you up to succeed, not just in achieving HITRUST certification, but in building a security program that’s truly resilient. Contact us here at BARR Advisory to learn more or schedule a free consultation.