For an r2 assessment, to obtain a Validated Report with Certification, each domain must score 71 or higher.
Correct Answer: A
HITRUST requires that each of the 19 assessment domains achieve a minimum score of 71 for an organization to qualify for r2 certification. This threshold ensures that entities maintain a consistent level of maturity across all control areas, rather than excelling in some while neglecting others. A domain's score is the weighted average of the requirement statements within it, each of which is scored on its Policy, Procedure, and Implemented maturity levels (with Measured and Managed scored where applicable). If any domain falls below 71, the assessment may still produce a validated report, but it will not result in certification. This strict requirement highlights HITRUST's emphasis on balanced coverage across all areas of security and privacy. References: HITRUST CSF Scoring Rubric - "Certification Thresholds"; CCSFP Practitioner Guide - "Minimum Domain Score Requirements."
Question 7
The concept of HITRUST CSF risk levels was adapted from what security standard?
Correct Answer: D
HITRUST CSF's risk-based levels were adapted from NIST SP 800-53, which organizes controls into baselines keyed to system impact levels: low, moderate, and high. Similarly, HITRUST assigns requirement statements across multiple implementation levels (Level 1, Level 2, and Level 3) depending on organizational, system, and regulatory risk factors. This approach ensures scalability, so smaller organizations or lower-risk environments face fewer requirements, while larger, higher-risk entities face more. HITRUST harmonized this concept with mappings to other frameworks (ISO, HIPAA, PCI DSS), but the structure of escalating control rigor by risk exposure is derived directly from NIST's model. This alignment reinforces HITRUST's credibility as a risk-based framework consistent with widely accepted standards. References: HITRUST CSF Methodology - "Risk-Based Tailoring"; CCSFP Study Guide - "Alignment with NIST SP 800-53."
Question 8
It is possible to test only privacy-related requirements to obtain a HITRUST privacy certification.
Correct Answer: B
HITRUST does not issue certifications limited solely to privacy-related requirements. While privacy is a critical part of the CSF, reflected in domains such as Data Protection & Privacy, HITRUST certification requires coverage of all 19 domains. This is because security and privacy are interdependent: without robust security, privacy cannot be protected. An entity may emphasize privacy controls during scoping and reporting, but certification itself is always tied to a full CSF assessment. Privacy-related frameworks, such as the GDPR or the HIPAA Privacy Rule, can be added as regulatory factors, which introduce additional privacy-focused requirements. However, the output will still be a standard HITRUST validated report or certification covering the entire in-scope environment, not a "privacy-only certification." References: HITRUST Assurance Program - "Scope of Certification"; CCSFP Study Guide - "Privacy Within HITRUST CSF Assessments."
Question 9
What is the minimum number of items to sample from a population for a daily control?
Correct Answer: B
HITRUST defines sample sizes for manual controls based on their frequency of operation. For daily controls, such as system log reviews or daily backup checks, the required sample size is 25 items. This sample size is designed to provide sufficient evidence that the control is consistently applied over time while remaining manageable for assessors. For weekly controls, the sample size is smaller (5), and for monthly or quarterly controls, it is smaller still (2 or 1). The 25-item rule ensures daily processes are tested across a meaningful timeframe (roughly a month of working days) to validate reliability. This standardized approach ensures comparability across assessments and prevents under-testing. References: HITRUST Scoring Rubric - "Sample Sizes by Frequency"; CCSFP Study Guide - "Daily Control Testing Requirements."
Question 10
Who defines the scope of an assessment?
Correct Answer: A
The responsibility for defining the scope of an assessment lies with client management. The organization undergoing the assessment must identify which systems, applications, facilities, and business units are in scope. This decision is based on business objectives, regulatory requirements, contractual obligations, and the sensitivity of the data being processed. External Assessors play a supporting role by reviewing scope decisions and ensuring they are reasonable and sufficient to meet the assurance objectives. HITRUST does not define scope directly but requires that scope decisions be documented and defensible. An accurately defined scope ensures that the assessment reflects the organization's risk exposure without omitting critical components. Mis-scoping can either undermine assurance or create unnecessary testing burden. References: HITRUST CSF Assurance Program - "Scoping Responsibility"; CCSFP Practitioner Guide - "Roles in Defining Assessment Scope."