WOLF & CO Insights HITRUST CSF: Scanning & Scoping

HITRUST CSF: Scanning & Scoping

Organizations are constantly navigating a dynamic cybersecurity environment to secure and protect their systems. Recognizing the need for enhanced guidance surrounding the implementation of an effective cybersecurity program, the HITRUST CSF was created to help strengthen controls, improve preparation, and increase resiliency in the event of a cyber breach.

Clients will often conduct intense vendor due diligence prior to engaging the services of an organization. This due diligence is performed to ensure that your organization’s controls will protect confidential data and mitigate the risk of breaches. Meeting the requirements of HITRUST CSF and obtaining HITRUST certification will assure your clients that you maintain the confidentiality and integrity of their data.

The HITRUST certification process is comprehensive and nuanced, involving the efforts of both the organization and a qualified HITRUST Assessor firm. Beginning with an in-depth scoping process, the stages of a HITRUST audit can be complicated—and much of the responsibility falls on the organization. We’ve detailed what scoping is during the HITRUST auditing process, the criteria for a good scope, and how to conduct an effective scope.

What is Scoping?

Scoping is performed by the organization and their assessing firm prior to the HITRUST Readiness Assessment. During scoping, the organization and the firm will analyze the factors of the business to determine which HITRUST requirements must be evaluated and met in order to receive HITRUST certification. The process sets the precedent for the entire HITRUST assessment, pinpointing how many control requirements the organization must meet to become HITRUST certified.

This scoping process allows the organization and the assessing firm to understand:

  • The size of the organization
  • The amount of data in the organization’s systems
  • The number of systems they have in their network
  • The applications or systems to be assessed for HITRUST certification
  • What systems and vendors are connected and how they’re connected
  • What the data is touching
  • How the organization and clients are accessing or providing data

The results of the scope build the HITRUST assessment.

What Does an Effective Scope Look Like?

Organizations should ensure their scope is accurate, segmented, and consolidated. Your in-scope environment should be self-contained and highly segmented, meaning you want to scope out as much as possible. Keeping systems that store, process, or transmit data siloed with limited access will decrease the amount of systems that will have to meet HITRUST requirements, and reduce the size of the HITRUST assessment overall.

How to Build a Strong Scope

Use a HITRUST Certified Data Center

There are different ways to host data. Organizations can pay a third-party service provider to host data on the cloud, or they can store the data within their own networks. If your organization is using a cloud service provider (CSP), choose one that has a HITRUST certification to allow inheritance of controls for which they’re fully or partially responsible (i.e. physical security controls). If you choose to store your data on a cloud provider that’s already HITRUST certified, the certification for those controls will be inheritable by your company during your HITRUST assessment.

If you don’t use a HITRUST certified CSP, there’s additional oversight that needs to be performed, including a right to audit clause that must be included in any arrangements. This adds an additional layer of complexity and cost to your HITRUST certification process, as you’ll be required to obtain a right to audit clause to get controls information directly from the vendor instead of inheriting the HITRUST certification. What could’ve been an easy process during your HITRUST assessment now turns into an extended period of time requesting information, reviewing files, and searching for evidence of sound processes.

Reduce Corporate Network Scope

Use bastion hosts and jump servers to complete your network segmentation. Hosting data in a cloud data center takes the controls out of your internal data center or corporate network, therefore reducing the amount of controls and systems in your scope. This reduces the footprint, so instead of having hundreds of controls applying to everything on your network, they only apply to what’s required for the in-scope application. By having a smaller environment in scope, you have less controls that must meet HITRUST standards and less systems on which to apply all controls. This ultimately makes obtaining HITRUST certification easier.


Scoping is a crucial step in the HITRUST certification process, as it establishes the framework on which the entire assessment will be based. Performing an effective scope will streamline your HITRUST assessment and contribute to a successful certification.