HITRUST.CCSFP.v2025-11-12.q59 Dumps

Question 21

In an i1 assessment a Control Reference score of 62 would yield which result?

Correct Answer: B
In an i1 assessment, scoring follows a pass/fail logic tied to CAP requirements. If a Control Reference scores below the defined threshold (typically 83 for i1 assessments), any gaps within its requirement statements must be addressed with a required Corrective Action Plan (CAP). A score of 62 is below the threshold, meaning it cannot be accepted without remediation. This ensures organizations remediate key cybersecurity hygiene gaps, even in a moderate assurance assessment. Optional CAPs are not used in i1 assessments, as the assurance program emphasizes mandatory remediation for below-threshold controls. Certification cannot be granted with unresolved required CAPs. Therefore, the correct outcome for a score of 62 in an i1 Control Reference is a required CAP.
References: HITRUST CSF Assurance Program - "i1 Assessment Scoring Rules"; CCSFP Practitioner Guide - "CAP Requirements in i1 Assessments."

Question 22

A validated assessment is only available to organizations after performing a readiness assessment. [0020]

Correct Answer: B
A validated assessment does not require a readiness assessment as a prerequisite.
A Readiness Assessment is optional and intended to help organizations self-identify gaps before a validated assessment.
A Validated Assessment involves an independent HITRUST Authorized External Assessor validating evidence and submitting results to HITRUST for quality assurance and potential certification.
Many organizations choose to do a readiness assessment first, but it is not mandatory.
Extract Reference (CCSFP Study Guide & HITRUST CSF Assurance Program [0020]):
Organizations may perform a readiness assessment prior to a validated assessment to identify gaps, but it is not required; validated assessments can be performed independently.

Question 23

What information is required to complete the documentation of a Corrective Action Plan (CAP)? (Select all that apply) [0064]

Correct Answer: A,B,D,E
A Corrective Action Plan (CAP) is used when a requirement statement is not fully satisfied. HITRUST requires specific information to ensure the CAP is actionable and trackable:
Responsible party: assigns accountability.
Status: indicates if the CAP is open, in progress, or closed.
Steps for remediation: outlines actions that will be taken.
Estimated completion date: provides a timeline for closure.
The amount of capital/expense is not a required element in HITRUST documentation, as CAPs focus on remediation planning and accountability, not budgeting.
Extract Reference (HITRUST CSF Assurance Program, CCSFP Guide, CAP Documentation [0064]):
Each CAP must include responsible individual(s), remediation steps, current status, and estimated completion date to be valid in MyCSF.

Question 24

If most of the evaluative elements associated with a requirement statement do not apply to an assessed entity's control environment, the requirement statement can be marked "N/A".

Correct Answer: B
HITRUST does not permit marking a requirement statement "Not Applicable" simply because most of the evaluative elements don't apply. Requirement statements are mandatory unless a legitimate scoping or regulatory justification supports exclusion. For example, a control related to cardholder data could be marked N/A only if the organization does not process credit cards. However, if even one evaluative element applies, the requirement must be scored, and the non-applicable elements may be documented as part of evidence.
HITRUST QA reviews all N/A designations, requiring organizations to justify exclusions in the Subscriber Comments field. Improperly marking requirements as N/A may result in assessment rejection or mandatory CAPs.
References: HITRUST Assurance Program - "Rules for N/A Designations"; CCSFP Practitioner Guide - "Proper Use of N/A in Assessments."

Question 25

How many domains are there in an assessment?

Correct Answer:
19
Explanation:
The HITRUST CSF is structured into 19 domains that provide comprehensive coverage of information security and privacy practices.
These domains represent major categories of controls such as Information Security Management, Endpoint Protection, Network Security, Access Control, Configuration Management, Incident Management, and Data Protection.
Each domain contains multiple control references mapped to requirement statements, which are tailored to organizational and regulatory factors. This domain structure ensures that assessments address administrative, technical, and organizational safeguards consistently across industries. All assessment types, whether e1, i1, or r2, utilize these 19 domains, although the number of requirement statements varies depending on the scope. The domain-based structure also supports HITRUST's mapping to authoritative sources like NIST, HIPAA, and ISO, ensuring consistency across compliance obligations.
References: HITRUST CSF Framework Overview - "Domain Structure"; CCSFP Study Guide - "The 19 Domains of the HITRUST CSF."