When performing scoping for an r2 assessment, HITRUST requires consideration of risk factors that tailor requirement statements. Four categories are applied: Technical, Organizational, Compliance, and Operational.
Technical Risk Factors consider measurable characteristics such as the number of users, systems, or transactions, which directly influence the size and complexity of the control environment.
Organizational Risk Factors address the type of business, industry sector, and whether the entity is a covered entity or business associate.
Compliance Risk Factors incorporate regulatory drivers (e.g., HIPAA, PCI DSS, state laws) that generate additional requirement statements.
Operational Risk Factors consider how data is used, stored, and transmitted, including exposure points such as internet-facing systems.
“General” and “Privacy” are not categories formally recognized in the HITRUST methodology. Privacy obligations are accounted for under compliance drivers such as HIPAA, GDPR, or state laws. These categories ensure that control requirements are right-sized to the entity’s unique environment, reducing both over-scoping and under-scoping.
[References: HITRUST CSF Assessment Methodology, "Risk Factor Categories"; CCSFP Study Guide, "Scoping Risk Factors in r2 Assessments."]