The scoring model in HITRUST is hierarchical. EachRequirement Statementis scored individually across maturity levels (Policy, Procedure, Implemented, Measured, Managed). These scores roll up intoControl References, which represent collections of related requirement statements. The average of Control References within a domain determines theDomain Score. Finally, domain scores are used to evaluate whether certification thresholds are met (e.g., minimum domain score of 71 for r2 certification). This hierarchical averaging ensures that deficiencies in individual requirements are reflected in higher-level scores, promoting balance across all controls within a domain.
[References:HITRUST CSF Scoring Rubric – “Score Calculation”; CCSFP Study Guide – “Roll-Up of Requirement, Control Reference, and Domain Scores.”, ]
Submit