How to Score HITRUST CSF Controls?


In order to perform a HITRUST assessment, you must be able to score your organization’s control environment against the HITRUST CSF Maturity Model. The maturity model is used for scoring both Self-Assessments and Validated Assessments. Understanding how to use the HITRUST Maturity Model to rate your controls accurately is critical, because HITRUST and, in the case of a Validated Assessment, your authorized CSF assessor will use the same model to corroborate your scoring and certify your assessment. This article explains how controls are scored in HITRUST assessments and how those scores drive the HITRUST rating that determines whether or not an organization is certified.

What is The HITRUST CSF Maturity Model?

The HITRUST Maturity Model requires that each control be assessed at five levels: Policy, Process/Procedures, Implemented, Measured, and Managed. The following is how HITRUST briefly summarizes the five levels, with the weight each level carries in the control score and the generic criteria used to evaluate compliance at that level:

Level (weight)    Evaluation Criteria

Policy (25%)
  • Do formal, up-to-date policies or standards exist that contain “shall” or “will” statements for each element of the requirement statement?
  • Do the policies and standards that exist for each element of the requirement statement cover all major facilities and operations for the organizations and/or systems/assets in scope for the assessment?
  • Are the policies and standards that exist for each element of the requirement statement approved by management and communicated to the workforce?

Process/Procedures (25%)
  • Do formal, up-to-date, documented procedures exist for the implementation of each element of the requirement statement?
  • Do the procedures clarify where the procedure is to be performed, how the procedure is to be performed, when the procedure is to be performed, who is to perform the procedure, and on what the procedure is to be performed?
  • Do the procedures address each element of the requirement statement across all applicable facilities, operations, and/or systems/assets in scope?
  • Are procedures for the implementation of each element of the requirement statement communicated to the individuals who are required to follow them?

Implemented (25%)
  • Is each element of the requirement statement implemented in a consistent manner everywhere that the policy and procedure apply?
  • Are ad hoc approaches that tend to be applied on an individual or case-by-case basis discouraged?

Measured (15%)
  • Are self-assessments, audits, and/or tests routinely performed and/or metrics collected to evaluate the adequacy and effectiveness of the implementation of each element of the requirement statement?
  • Are evaluation requirements, including requirements regarding the type and frequency of self-assessments, audits, tests, and/or metrics collection, documented, approved, and effectively implemented?
  • Do the frequency and rigor with which each element of the requirement statement is evaluated depend on the risk posed if the implementation is not operating effectively?

Managed (10%)
  • Are effective corrective actions taken to address identified weaknesses in the elements of the requirement statement, including those identified as a result of potential or actual information security incidents or through information security alerts?
  • Do decisions around corrective actions consider cost, risk, and mission impact?
  • Are threats affecting the requirements periodically re-evaluated and the requirements adapted as needed?

As you review the HITRUST CSF Maturity Model, you will note that each level builds on the previous one in a cycle of continuous improvement: policy defines what must be done, procedures define how, implementation puts it into practice, measurement checks whether it works, and management acts on what the measurements reveal. This cycle is the core of a functioning information security management system.


What are The Possible Scores for Controls?

The following table describes the maturity ratings you can assign to a control at each level of the maturity model, and the percentage credit each rating earns.

Maturity Level        Description                                                        Score
Non-Compliant         Very few, if any, elements exist for the level being evaluated.      0%
Somewhat Compliant    Less than half of the elements exist for the level being evaluated. 25%
Partially Compliant   Approximately half of the elements exist for the level being evaluated. 50%
Mostly Compliant      Many of the elements exist for the level being evaluated.            75%
Fully Compliant       Most, if not all, of the elements exist for the level being evaluated. 100%

Whether performing a Self-Assessment or a Validated Assessment, you will be required to assign a maturity rating in the MyCSF tool for each control at each of the five levels of the HITRUST CSF Maturity Model (i.e., Policy, Procedure, Implemented, Measured, and Managed).

How are HITRUST Control Scores Calculated?

Now that you know the ratings that can be assigned at each maturity level for a control, you are probably wondering how the control score is calculated. While the MyCSF tool generates the scores for you, it is important to understand how the calculation works. Quite simply, the score for each control is the sum, across all five maturity model levels, of each level’s weight multiplied by the percentage credit of the rating assigned at that level.

Let’s use the following scenario as an example to walk through the calculation. Assume that an organization has fully documented policies and procedures for a control (or for the set of controls within a domain), and that the control was mostly implemented during the assessment period. Additionally, assume that the control is not managed at all, but that the organization measures some (less than half) of its elements.

Level         Weight   Maturity Level        Score   Product
Policy         25%     Fully Compliant       100%    25 x 1.00 = 25.00
Procedures     25%     Fully Compliant       100%    25 x 1.00 = 25.00
Implemented    25%     Mostly Compliant       75%    25 x 0.75 = 18.75
Measured       15%     Somewhat Compliant     25%    15 x 0.25 =  3.75
Managed        10%     Non-Compliant           0%    10 x 0.00 =  0.00
Total         100%                                                72.50

As shown in the preceding table, summing the product of weight and credit for each level gives this control a score of 72.5 out of a possible 100.

It is important to understand that 75 of the 100 available points come from the Policy, Procedure, and Implemented levels. The scoring is structured this way because the most important things are that a control is documented in a policy and a procedure, so people know what to do and how to do it, and that it is fully implemented, so its effectiveness can be tested. The Measured and Managed levels reward more mature organizations that have systems in place to measure the performance of a control and act on the results.

The point of emphasis here is that your focus needs to be on the Policy, Procedure, and Implemented levels. If you can show that your policies and procedures are documented and that the controls are implemented in a way that meets the requirements, those controls already earn 75 of the 100 available points before any Measured or Managed credit. A certain amount of Measured and Managed activity may be needed to reach the scores required for certification, but it’s important to ensure that the Policy, Procedure, and Implemented levels are addressed first.


What are The HITRUST Certification Requirements?

Now that we know how to calculate a score, what does a 72.5 really mean for obtaining a HITRUST certified report? The average score of the controls within each domain is compared to HITRUST’s final scoring ranges to produce a maturity rating for that domain. Maturity ratings range from 1- to 5+. Each domain must receive at least a rating of 3, which corresponds to a score greater than 62, in order to obtain a certified HITRUST report. If one or more domains receive a rating lower than 3, HITRUST will issue only a validated (not certified) report.

Any control that does not receive a rating of 3+ (a score greater than 71) or higher requires a Corrective Action Plan (CAP). An organization may have domains containing controls that require CAPs and still receive a HITRUST certification, as long as every domain receives a rating of 3 or higher.
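To make the calculation above and the certification rules concrete, here is a small scenario calculator (an added illustration written for this article, not HITRUST’s or MyCSF’s code). It implements the weighted sum from the worked example, averages control scores per domain, and applies the two thresholds this article quotes: a domain average greater than 62 for rating 3 (certifiable) and a control score greater than 71 for rating 3+ (no CAP required). The domain names, control labels (“AC-1”, “AL-1”, etc.) and ratings in the sample data are constructed for the example and are not HITRUST identifiers; the other rating-range boundaries are not modelled.

```python
"""Scenario calculator for the HITRUST maturity-model scoring described above.

Added example, not HITRUST or MyCSF code.  Weights, rating credits and the two
thresholds are taken from the article; every other rating boundary is assumed
out of scope.  Verify thresholds against the current HITRUST scoring ranges
before relying on them.
"""
from statistics import mean

# Maturity-model levels and their weights (sum to 100), as given in the article.
LEVEL_WEIGHTS = {
    "Policy": 25,
    "Procedures": 25,
    "Implemented": 25,
    "Measured": 15,
    "Managed": 10,
}

# Rating assigned at a level -> fraction of that level's weight earned.
MATURITY_CREDIT = {
    "Non-Compliant": 0.00,
    "Somewhat Compliant": 0.25,
    "Partially Compliant": 0.50,
    "Mostly Compliant": 0.75,
    "Fully Compliant": 1.00,
}

# Thresholds exactly as the article states them (assumed; see module docstring).
CERTIFIABLE_DOMAIN_MIN = 62  # rating 3: each domain average must exceed this
CAP_EXEMPT_CONTROL_MIN = 71  # rating 3+: controls at or below this need a CAP


def control_score(ratings):
    """Weighted sum of per-level credit for one control (0..100).

    `ratings` maps each of the five level names to a rating string.  Every
    level must be present and no extra levels are allowed, so a typo in a
    level name cannot silently drop 25 points.  An unknown rating string
    raises KeyError for the same reason.
    """
    missing = set(LEVEL_WEIGHTS) - set(ratings)
    extra = set(ratings) - set(LEVEL_WEIGHTS)
    if missing or extra:
        raise ValueError(f"bad levels: missing={sorted(missing)} extra={sorted(extra)}")
    return sum(LEVEL_WEIGHTS[lvl] * MATURITY_CREDIT[ratings[lvl]] for lvl in LEVEL_WEIGHTS)


def domain_score(controls):
    """Average of the control scores within one domain."""
    if not controls:
        raise ValueError("domain has no controls")
    return mean(control_score(r) for r in controls.values())


def assess(domains):
    """Apply the article's certification and CAP rules to every domain.

    Returns (certifiable, domain_scores, caps): certifiable is True only when
    every domain average exceeds the rating-3 line; caps lists the
    (domain, control) pairs whose control score does not exceed the 3+ line.
    A domain can pass while still containing controls that need a CAP.
    """
    domain_scores = {name: domain_score(ctls) for name, ctls in domains.items()}
    certifiable = all(s > CERTIFIABLE_DOMAIN_MIN for s in domain_scores.values())
    caps = [
        (dname, cname)
        for dname, ctls in domains.items()
        for cname, ratings in ctls.items()
        if control_score(ratings) <= CAP_EXEMPT_CONTROL_MIN
    ]
    return certifiable, domain_scores, caps


def _rate(policy, procedures, implemented, measured, managed):
    """Build a ratings dict from five rating strings in level order."""
    return dict(zip(LEVEL_WEIGHTS, (policy, procedures, implemented, measured, managed)))


# The article's worked example: 25 + 25 + 18.75 + 3.75 + 0 = 72.5
ARTICLE_EXAMPLE = _rate("Fully Compliant", "Fully Compliant", "Mostly Compliant",
                        "Somewhat Compliant", "Non-Compliant")

# Constructed sample data (domain and control names are illustrative only).
SAMPLE_DOMAINS = {
    "Access Control": {
        "AC-1": ARTICLE_EXAMPLE,                                      # 72.50, no CAP
        "AC-2": _rate("Fully Compliant", "Fully Compliant", "Mostly Compliant",
                      "Non-Compliant", "Non-Compliant"),              # 68.75, CAP
    },
    "Audit Logging": {
        # Documented but not implemented at all: policy and procedure alone
        # cap the score at 50, which sinks the whole domain.
        "AL-1": _rate("Fully Compliant", "Fully Compliant", "Non-Compliant",
                      "Non-Compliant", "Non-Compliant"),              # 50.00, CAP
    },
}

if __name__ == "__main__":
    certifiable, scores, caps = assess(SAMPLE_DOMAINS)
    for name, score in scores.items():
        print(f"{name}: {score:.2f}")
    print("certifiable:", certifiable)
    print("controls needing a CAP:", caps)
```

Running it shows the two situations the article distinguishes: the Access Control domain averages 70.625 and is certifiable even though AC-2 needs a CAP, while the Audit Logging domain averages 50 and by itself blocks certification, because a control with no implementation can never score above 50 regardless of how good its paperwork is.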

If you would like to learn more about the HITRUST assessment processes, please refer to one of our earlier blogs that walks you through the basics of HITRUST compliance or the HITRUST certification process.


Hopefully this has helped you better understand how to accurately assess and score your controls for HITRUST assessments (for both Validated and Self-Assessments). As a Certified CSF Assessor firm, we would be happy to assist you with any of your HITRUST compliance needs. Please contact us to arrange a consultation or with any additional questions that you may have.
