HITRUST Scoping: Scope for Success

Key Takeaways

  • Define Purpose Before Scoping: Clearly identify why certification is needed (customer requirement, regulatory compliance, data protection) to determine the appropriate business units, systems, and locations to include.
  • Focus on In-Scope Systems Only: HITRUST certifies implemented systems that have been under the organization’s control and operating for at least 90 days.
  • Understand What Can (and Cannot) Be Certified: Only systems and applications under the assessed entity’s control are certifiable – not facilities, people, products, services, or unmanaged public applications.
  • Apply HITRUST’s System Definition and Criteria: Properly define system boundaries (including hardware, software, data, and personnel) and ensure third-party infrastructure responsibilities are clearly understood.

For an organization undergoing HITRUST Certification, assessment scoping is a critical process that, done correctly, makes for an efficient and successful journey. Done incorrectly, it can lead to an arduous journey of complexity and unnecessary additional requirements.

Scoping is the responsibility of the organization seeking HITRUST certification; it is to the organization’s benefit to clarify the reasons for seeking certification so that the appropriate scope is identified. The key to selecting the appropriate scope lies in answering a few key questions.

What Does the Organization Want/Need to Be Certified?

Knowing what an organization wants to be certified helps identify the business units, systems, physical locations, and components that would be subject to the HITRUST assessment. Refining the question further to what the organization needs to be certified then helps narrow the scope to what is required for the purpose of certification.

Some questions organizations seeking certification can ask include:

  • Is the certification requested by a current or prospective customer? What specific services or systems is that customer expecting to be certified?
  • Is the certification required by a regulation, such as HIPAA? Does the regulation require a specific system at the organization to be certified?
  • What critical data is being protected? What business units, locations, systems, and components may access, process, and store critical data?

The HITRUST Assessment Scoping Criteria

After an organization has identified what needs to be certified, it must understand the criteria HITRUST uses to evaluate assessment scoping. The following requirements are extremely important for appropriately defining an assessment scope; they ensure that an organization selects a scope for its assessment that will allow for certification.

Implemented Systems Under Control

HITRUST only certifies implemented systems that have been installed and configured for at least 90 days within the assessed control environment. Primary scope components are also required to have been operated for 90 days. HITRUST cannot certify an application where the application instance is not under the organization’s control, such as a mobile application, or an application deployed to a public environment over which the organization does not have security control. However, back-end infrastructure that is under the organization’s control, such as the database behind the mobile application in the example above, can be certified by HITRUST.

Definition of a “System”

HITRUST aligns with NIST’s description of a system as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” This definition is fundamental for establishing security boundaries and the controls that manage the lifecycle of collecting, processing, and using information. It also applies to the business’ hardware, software, data, and people.

Control Over Applications

HITRUST certifies only systems and applications that are under the Assessed Entity’s control, as mentioned above. However, HITRUST does provide examples of when the Assessed Entity can be responsible for certifying applications that rely on third-party infrastructure. One example describes an Assessed Entity that is responsible for certifying the platforms it customizes and operates on a Cloud Service Provider’s infrastructure. The Cloud Service Provider, in this example, is considered an extension of the Assessed Entity and can also certify its own systems, since it has oversight of and security responsibility for its own controls.

Inclusion of Facilities

Facilities that support in-scope platforms are included in the scope of the assessment; for example, they are treated as in-scope facilities for physical security and/or environmental requirements. Facilities will be tested but not certified, because HITRUST does not certify facilities, people, services, or products.

This is a basic overview of the assessment scoping criteria that HITRUST provides to help organizations determine the scope of their assessment. For more information, be sure to visit our HITRUST service page and SOC & Cybersecurity industry page. McKonly & Asbury’s SOC and HITRUST teams are available to assist your organization in evaluating which assessment report best fits your needs; don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding HITRUST, SOC reports, and our other services.

This article was written by SOC Staff Alexis Hershberger under supervision of Director Josh Bantz.

About the Author

Josh Bantz

Josh joined McKonly & Asbury in 2006 and is currently a Director with the firm. He is a key member of the firm’s Audit & Assurance Segment, primarily working with clients in the firm’s Service Organization Controls (SOC) Practice.…