WOLF & CO Insights Preparing Policy & Process: The HITRUST Paper Exercise

Preparing Policy & Process: The HITRUST Paper Exercise

Written by: Julie Fougere

When offering services to a customer, organizations will often undergo an intense third-party vendor due diligence process. During this due diligence, potential customers will look to ensure your organization has the proper procedures and effective controls in place to adequately protect their confidential data and mitigate the risk of a cyber breach. Before engaging your services, many prospective customers will request that you provide HITRUST CSF certification to prove you’re properly managing sensitive information (including electronic Personal Health Information [ePHI]).

The road to obtaining HITRUST certification can be arduous, and it requires the engagement of a HITRUST Assessor Firm to conduct a thorough HITRUST audit. By achieving HITRUST certification, organizations can provide added confidence to their customers that their environment and security posture meets the most rigorous of standards.

The HITRUST CSF is specific and nuanced. It requires experience and expertise to navigate properly. It also requires a deep analysis of policies, procedures, and control implementation. When preparing for an audit, organizations tend to focus heavily on implementing each control requirement. However, it’s imperative to prioritize policies and procedures as well (they have a weighted average of 35% toward the final score of every control requirement). Overall HITRUST scores can be severely impacted without strong foundational policies and procedures.

A HITRUST audit will include a paper exercise conducted by both you and your assessor. Having the necessary resources available to prepare for a HITRUST assessment will ensure a streamlined process towards certification. We’ve outlined the requirements of HITRUST policies and procedures, the audit process surrounding the advanced paper exercise, and what you can do to prepare your policies and procedures for a successful HITRUST assessment.

What’s a HITRUST Audit Paper Exercise?

During the readiness phase of a HITRUST assessment, your assessor will perform a targeted review of your policies and procedures. This entails assessing your policies and procedures against the HITRUST scoring rubric for all in-scope controls and identifying any gaps. The process of closing the identified gaps through enhancements of internal policies and procedures rounds out the paper exercise.


Many organizations are unaware of the level of detail required by HITRUST when documenting policies. While all of the control requirements are outlined by HITRUST within the MyCSF tool, there are additional illustrative procedures for each requirement that also need to be taken into account for each policy statement. These illustrative procedures are often overlooked and can lead to lower scores than anticipated if not included.

In order to have a perfect policy scoring 100%, the following criteria should be included:

  • Formal, up-to-date documented policies or standards stated as “shall” or “will” statements exist and are readily available to employees
  • Approval of the policies by key affected parties
  • Documentation stating when the policy was approved
  • A clearly outlined information security management structure that assigns responsibilities to appropriate employees and creates the foundation necessary to reliably measure progress and compliance
  • Each policy must cover 90-100% of the HITRUST CSF requirements in each individual control

It’s imperative to note that when testing occurs for the validated assessment, existing policies must undergo an incubation period of 90 days during which they remain unchanged. Adjustments to internal controls that require updates to a policy within 90 days of the validated assessment will result in a maximum 25% score.


A well-written procedure documents how the organization will implement intended requirements set forth in the policy (factoring in the people and processes involved during implementation). Many organizations tend to struggle with the extreme levels of procedural granularity required by HITRUST, where every potential step taken toward implementing a control should be documented. In other words, if there was an employee turnover, the employee taking on new roles should be able to understand each of the steps taken toward implementing each control requirement just by reading the procedure.

In order to have perfect procedures scoring 100%, the following criteria should be included:

  • Formal, up-to-date, and approved documented procedures that remain unchanged for 90 days prior to the HITRUST validated assessment
  • Identification of individuals to be contacted for further information or guidance
  • Clarification of:
    • Where the procedure will be performed
    • How it will be performed to ensure proper implementation
    • When and at what frequency it will be performed
    • On what the procedure will be performed
    • Who’s responsible for performing the procedure
  • Each procedure must cover 90-100% of the HITRUST CSF requirements in each individual control


Strong policies and procedures are extremely important as they’re weighted for 35% of your total HITRUST control score (15% and 20%, respectively). Both are scored according to the HITRUST scoring rubric. For example, a 100% score would be granted if a policy or procedure is documented with all formal policy criteria addressed and covers 90-100% of the elements required in the control requirement.

If implementation can’t be tested (i.e. a control didn’t operate within the HITRUST testing period), it’s scored based on how well the policies and procedures score for a given control requirement. For example, if the auditor has to test a sample of incidents within a given timeframe to determine if appropriate steps were taken, but there were no incidents within the testing period, the score for implementation would only be as high as the score granted for the lowest policy or procedure for the given control requirement. The methodology behind this approach is that if the control is backed with policies and procedures that score 100%, it’s inferred that the organization would follow the proper documented procedures if an incident were to occur. On the other hand, if there are no documented procedures detailing the process for responding to an incident, it can be assumed that proper steps meeting the control requirement wouldn’t be followed if an incident occurred.


Organizations can gain a significant competitive advantage if they become HITRUST certified. This certification is crucial to assure your customers of your sound security controls. While the implementation of the controls required by HITRUST seem to be the most important piece when becoming certified—and they’re weighted at 40% of your overall score—policies and procedures must be optimized to achieve HITRUST certification.