The scoring model in HITRUST is hierarchical. Each Requirement Statement is scored individually across maturity levels (Policy, Procedure, Implemented, Measured, Managed). These scores roll up into Control References, which represent collections of related requirement statements. The average of Control References within a domain determines the Domain Score. Finally, domain scores are used to evaluate whether certification thresholds are met (e.g., minimum domain score of 71 for r2 certification). This hierarchical averaging ensures that deficiencies in individual requirements are reflected in higher-level scores, promoting balance across all controls within a domain.
[References: HITRUST CSF Scoring Rubric – “Score Calculation”; CCSFP Study Guide – “Roll-Up of Requirement, Control Reference, and Domain Scores.”, , ]
Submit