In order to perform a HITRUST assessment, you must be able to score your organization’s control environment against the HITRUST CSF Maturity Model. The maturity model is used for scoring both Self-Assessments and Validated Assessments. Understanding how to use the HITRUST Maturity Model to rate your controls accurately is critical, because HITRUST, and your authorized CSF assessor in the case of a Validated Assessment, will use the same model to corroborate your scoring and certify your assessment. This article explains how controls are scored in HITRUST assessments and how those scores drive the HITRUST rating that ultimately determines whether or not an organization is certified.
What is The HITRUST CSF Maturity Model?
The HITRUST Maturity Model requires that each control be assessed at five levels, each carrying a fixed weight in the control’s score: Policy (25%), Process/Procedures (25%), Implemented (25%), Measured (15%), and Managed (10%). The following is how HITRUST briefly summarizes the five levels and the generic criteria used to evaluate compliance at each level:
|Level (weight)||Evaluation Criteria|
As you review the HITRUST CSF Maturity Model, you will note that each level builds on the previous in a cycle of continuous improvement. This cyclical process is the core functionality of a successful information security management system.
What are The Possible Scores for Controls?
The following table describes the compliance ratings you can assign to a control at each level of the maturity model, and the percentage of that level’s weight each rating earns.

| Rating | Criteria | Score |
|---|---|---|
| Non-Compliant | Very few, if any, elements exist for the level being evaluated. | 0% |
| Somewhat Compliant | Less than half of the elements exist for the level being evaluated. | 25% |
| Partially Compliant | Approximately half of the elements exist for the level being evaluated. | 50% |
| Mostly Compliant | Many of the elements exist for the level being evaluated. | 75% |
| Fully Compliant | Most, if not all, of the elements exist for the level being evaluated. | 100% |
Whether performing a Self-Assessment or a Validated Assessment, you will be required to assign a compliance rating in the MyCSF tool for each control at each of the five levels of the HITRUST CSF Maturity Model (i.e., Policy, Procedure, Implemented, Measured, and Managed).
How are HITRUST Control Scores Calculated?
Now that you know the compliance ratings that can be assigned at each maturity level for each control, you are probably wondering how the control scores are calculated. While the MyCSF tool generates the scores for you, it is important to understand how the calculation works. Quite simply, the score for each control is a weighted sum: for each of the five maturity levels, multiply that level’s weight by the compliance rating assigned to it, then add the five products together.
Let’s use the following scenario as an example to walk through the calculation process. Assume that an organization had documented policies and procedures related to a control (or the set of controls within a domain) and that the controls were mostly implemented during the period of the assessment. Additionally, assume that none of the controls were considered managed; however, the organization measured some (less than half) of the control(s).
| Level | Weight | Rating | Rating value | Weight × rating |
|---|---|---|---|---|
| Policy | 25% | Fully Compliant | 100% | 25 × 1.0 = 25 |
| Procedures | 25% | Fully Compliant | 100% | 25 × 1.0 = 25 |
| Implemented | 25% | Mostly Compliant | 75% | 25 × 0.75 = 18.75 |
| Measured | 15% | Somewhat Compliant | 25% | 15 × 0.25 = 3.75 |
| Managed | 10% | Non-Compliant | 0% | 10 × 0.0 = 0 |
As shown in the preceding table, by summing the product of the weight and score for each level, the scenario would result in a score of 72.5.
It is important to understand that 75 percent of the available score comes from the Policy, Procedure, and Implemented levels. The scoring is structured this way because the most important things are that a control is documented in a policy and a procedure, so people know what to do and how to do it, and that it is fully implemented, meaning it can be tested to prove that it is operating effectively. The Measured and Managed levels are more relevant to mature organizations that have systems in place to measure the performance of a control and act on the results.
The point of emphasis here is that your effort should go first to the Policy, Procedure, and Implemented levels. If you can show that your policies and procedures are documented and that the controls are implemented in a way that meets the requirements, those controls will score as compliant. A certain percentage of controls may need Measured and Managed activities in place to achieve certification, but it is important to ensure that the Policy, Procedure, and Implemented levels are addressed first, because they carry most of the weight toward certification.
What are The HITRUST Certification Requirements?
Now that we know how to calculate a score, what does a 72.5 really mean as far as obtaining a HITRUST certified report? The control scores within each domain are averaged, and that average is compared with HITRUST’s final scoring ranges to give the domain a maturity level rating. Maturity level ratings range from 1- to 5+. Each domain must receive a rating of at least 3, which corresponds to a score greater than 62, in order to obtain a certified HITRUST report. If one or more domains receive a rating lower than 3, HITRUST will issue only a validated report.
For any control that does not receive a rating of 3+ (a score greater than 71) or higher, the organization is required to prepare a Corrective Action Plan (CAP). An organization may have domains with controls requiring CAPs and still receive a HITRUST certification, as long as each domain receives a rating of 3 or higher.
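To make the arithmetic and the two thresholds concrete, here is an added Python example. It is not HITRUST’s or MyCSF’s code and is not from the original article. The level weights, rating values, and the two thresholds (a score above 62 for a rating of 3, a score above 71 for 3+) are the ones quoted above; the domain names and the second control’s ratings are constructed for illustration. The full score-to-rating bands beyond those two thresholds are not given on this page, so the code checks only the certification and CAP cut-offs.

```python
"""Worked example (added here, not HITRUST/MyCSF code): score a control as the
weighted sum of its five maturity-level ratings, then apply the domain-level
certification and control-level CAP thresholds quoted in the article."""

from statistics import mean

# Level weights (percent) from the article's scoring table.
LEVEL_WEIGHTS = {
    "Policy": 25,
    "Procedures": 25,
    "Implemented": 25,
    "Measured": 15,
    "Managed": 10,
}

# Compliance ratings and the fraction of a level's weight each one earns.
RATING_VALUES = {
    "Non-Compliant": 0.0,
    "Somewhat Compliant": 0.25,
    "Partially Compliant": 0.5,
    "Mostly Compliant": 0.75,
    "Fully Compliant": 1.0,
}

# Thresholds quoted in the article: a domain average above 62 is a rating of 3
# (the certification floor); a control score above 71 is 3+ (no CAP required).
CERTIFICATION_MIN_SCORE = 62
CAP_FREE_MIN_SCORE = 71


def control_score(ratings):
    """Return the weighted score (0-100) for one control.

    `ratings` maps each of the five level names to a rating label. Every level
    must be present and every label must be known, so a typo or an omitted
    level raises instead of silently scoring as zero.
    """
    missing = set(LEVEL_WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"ratings missing for levels: {sorted(missing)}")
    unknown = set(ratings) - set(LEVEL_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown maturity levels: {sorted(unknown)}")
    return sum(LEVEL_WEIGHTS[level] * RATING_VALUES[ratings[level]]
               for level in LEVEL_WEIGHTS)


def needs_cap(score):
    """A control needs a CAP unless it reaches 3+ (score strictly above 71)."""
    return not score > CAP_FREE_MIN_SCORE


def evaluate_domains(domains):
    """domains: {domain_name: [ratings_for_control, ...]}.

    Returns (certifiable, {domain: average score}, {domain: [indices of
    controls needing a CAP]}). Certification requires every domain average to
    exceed 62; CAPs are flagged per control but do not block certification.
    """
    averages = {}
    caps = {}
    for name, controls in domains.items():
        scores = [control_score(c) for c in controls]
        averages[name] = mean(scores)
        caps[name] = [i for i, s in enumerate(scores) if needs_cap(s)]
    certifiable = all(avg > CERTIFICATION_MIN_SCORE for avg in averages.values())
    return certifiable, averages, caps


# Constructed sample input (illustration only, not real assessment data).
# The first control is the scenario from the article and scores 72.5.
ARTICLE_SCENARIO = {
    "Policy": "Fully Compliant",
    "Procedures": "Fully Compliant",
    "Implemented": "Mostly Compliant",
    "Measured": "Somewhat Compliant",
    "Managed": "Non-Compliant",
}

# A weaker, hypothetical control: documented but only half implemented.
WEAKER_CONTROL = {
    "Policy": "Fully Compliant",
    "Procedures": "Mostly Compliant",
    "Implemented": "Partially Compliant",
    "Measured": "Non-Compliant",
    "Managed": "Non-Compliant",
}

# Hypothetical domain names; HITRUST's real domain list is not reproduced here.
SAMPLE_DOMAINS = {
    "Domain A": [ARTICLE_SCENARIO, WEAKER_CONTROL],
    "Domain B": [ARTICLE_SCENARIO],
}

if __name__ == "__main__":
    certifiable, averages, caps = evaluate_domains(SAMPLE_DOMAINS)
    for name, avg in averages.items():
        print(f"{name}: average {avg:.2f}, controls needing CAP: {caps[name]}")
    print("certifiable:", certifiable)
```

In the sample, Domain A averages 64.375 (above 62), so the organization can still be certified even though its second control scores 56.25 and needs a CAP; this mirrors the article’s point that CAPs and certification can coexist as long as every domain clears the rating-3 floor.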
If you would like to learn more about the HITRUST assessment processes, please refer to one of our earlier blogs that walks you through the basics of HITRUST compliance or the HITRUST certification process.
Hopefully this has helped you better understand how to accurately assess and score your controls for HITRUST assessments (for both Validated and Self-Assessments). As a Certified CSF Assessor firm, we would be happy to assist you with any of your HITRUST compliance needs. Please contact us to arrange a consultation or with any additional questions that you may have.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.