CSF Practitioner CCSFP Release Date

HITRUST defines sample sizes for manual controls based on the frequency of operation. For controls that operate weekly, the required sample size is 5 items. This ensures that the assessor can evaluate consistency over multiple weeks without excessive burden. For example, if access logs are reviewed weekly, five weeks of logs must be tested. A higher frequency (e.g., daily controls) requires larger samples, such as 25. Conversely, less frequent controls (e.g., monthly or quarterly) may only require 2 or 1 sample. The structured sampling methodology provides consistency across assessments, ensures sufficient evidence for scoring, and prevents under-testing of critical controls.

HITRUST does not determine scope in disputes between clients and assessors.

The organization (subscriber) ultimately owns responsibility for defining and attesting to the assessment scope.

The External Assessor is responsible for verifying that the defined scope is reasonable, complete, and appropriate.

HITRUST only reviews submitted assessments for quality assurance but does not directly arbitrate scope disagreements.

Extract Reference (HITRUST CSF Assurance Program, CCSFP Guidance [0027]):

Subscribers determine scope; External Assessors validate scope appropriateness. HITRUST does not dictate or resolve scope disputes.

HITRUST defines sample sizes for manual controls based on their frequency of operation. For daily controls, such as system log reviews or daily backup checks, the required sample size is 25 items. This sample size is designed to provide sufficient evidence that the control is consistently applied over time while remaining manageable for assessors. For weekly controls, the sample size is smaller (5), and for monthly or quarterly controls, it is smaller still (2 or 1). The 25-item rule ensures daily processes are tested across a meaningful timeframe (roughly a month of working days) to validate reliability. This standardized approach ensures comparability across assessments and prevents under-testing.

In an i1 assessment, scoring below threshold levels (generally 83 for certification-critical controls) results in a required Corrective Action Plan (CAP). A score of 37 falls into the “Somewhat Compliant” category and indicates major deficiencies. Because i1 assessments emphasize cybersecurity hygiene, HITRUST does not allow “risk acceptance” at such low scores. Instead, CAPs are required to ensure remediation is planned and tracked. This approach guarantees that organizations address weaknesses that could leave them vulnerable to common threats. Unlike r2 assessments, where some flexibility exists based on risk tailoring, i1 is structured to enforce mandatory remediation for below-threshold results. Therefore, a Control Reference score of 37 in i1 unequivocally requires a CAP.