
HITRUST Scoping: Scope for Success – Part 2

Key Takeaways

  • Scoping Defines Success: Effective HITRUST scoping starts with clearly identifying what systems, data, and processes need certification, then aligning boundaries with how information flows and is controlled across the environment.
  • Flexible but Structured: HITRUST allows organizations to tailor scope based on their unique environments, but the resulting scope drives strict, predefined assessment requirements – making careful validation essential.
  • Multiple Scoping Approaches: Organizations can choose from several methods – IT service/platform-focused, enclave-focused, follow-the-data, shared services, or enterprise-level – depending on their structure and certification goals.
  • Strategic Approach Selection Matters: Each scoping method serves a different purpose, so selecting the right approach can improve efficiency and reduce unnecessary complexity.

In the previous article, “HITRUST Scoping: Scope for Success,” basic scoping criteria were discussed, along with the questions of what an organization would want and would need to have certified. This article covers the additional scoping approaches provided by HITRUST that organizations seeking certification can use.

How to Approach the Assessment Scoping

Based on what the organization has identified that it wants and needs to have certified, and on its understanding of HITRUST’s criteria, it can set the boundary of the assessment scope according to how information is accessed, controlled, and flows through its networks and security domains.

HITRUST allows flexibility and adaptiveness in assessment scoping in recognition that businesses have unique environments. Organizations can scope their assessment as they like; however, the outcome of that scoping is a set of prescriptive requirements that HITRUST applies in its assessment procedures. To loosely borrow a carpenter’s mantra: verify scope three times and assess once.

Types of Scoping Approaches

HITRUST’s Assessment Handbook provides the following approaches as further guidance.

IT Service or Platform-Focused

The IT Service or Platform-focused approach scopes one or more specific IT systems or platforms and their supporting services. This approach is well suited to narrowing the assessment to the specific IT systems or platforms that need certification to meet regulatory compliance or contractual commitments.

Enclave-Focused

The Enclave-focused approach scopes the relevant IT platforms and supporting infrastructure used by one or more business units, network segments, or hosted environments. This approach may be useful when a specific restricted system needs HITRUST certification. For that system, the certification should focus on its platforms and networks, together with the restrictions that define the in-scope enclave.

Follow-the-Data

The Follow-the-data approach scopes the assessment based on the flow of data through the organization’s environment, platforms, and supporting infrastructure. Every platform and supporting infrastructure component that sensitive data flows through is considered in scope for the assessment.

Shared IT Services

The Shared IT Services approach scopes the assessment based on the common control processes that an organization shares across its multiple HITRUST assessments. The benefit is that these common control processes are assessed once, under a single assessment, and then inherited by the other assessments.

Enterprise-Level

The Enterprise-level approach is beneficial for organizations where the ENTIRE ORGANIZATION has adopted the HITRUST CSF Framework. It involves assessing all of the organization’s applications, networks, IT platforms, and supporting infrastructure.

This is a basic overview of the assessment scoping approaches that HITRUST provides to help organizations determine the scope of their assessment. For more information, visit our HITRUST service page and System and Organization Controls (SOC) service page, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding HITRUST, SOC reports, and our other services.

This article was written by SOC Staff Alexis Hershberger under the supervision of Director Josh Bantz.

About the Author

Josh Bantz

Josh joined McKonly & Asbury in 2006 and is currently a Director with the firm. He is a key member of the firm’s Audit & Assurance Segment, primarily working with clients in the firm’s Service Organization Controls (SOC) Practice.
