On an r2 assessment, the decision to require a CAP for a deficiency (gap) is determined at the Control Reference level and the Requirement Statement level.
CAP decisions are made at the Control Reference level, not at both the Requirement Statement and Control Reference levels. Individual requirement statements roll up into a control reference, and the control reference score determines whether a CAP is required. For instance, a low-scoring requirement statement may be present, but if the aggregated control reference score remains above the threshold, a CAP may not be required. Conversely, if the control reference score falls below the defined threshold, a CAP is mandatory. This approach ensures consistency by focusing on control objectives as a whole rather than on single requirements. Therefore, CAP decisions are not made independently at the requirement statement level, making the statement False.
[References: HITRUST CSF Scoring Rubric – “Control Reference Scoring and CAP Triggers”; CCSFP Practitioner Guide – “CAPs at the Control Reference Level.”]