The HITRUST Alliance has helped streamline cybersecurity and compliance for companies across all industries since it was founded in 2007. It offers businesses the CSF—a unified regulatory framework that combines controls from various others into a single simplified system.
The HITRUST levels gauge a company’s security maturity across all the controls it implements.
An In-Depth Look at the Five HITRUST Maturity Levels
HITRUST maturity levels are one critical component of the overall HITRUST Approach. When companies assess their compliance, the levels offer insights into overall cybersecurity maturity.
Per HITRUST’s guide to evaluating control maturity, there are five total maturity levels:
- Level 1: Policy
- Level 2: Procedure
- Level 3: Implemented
- Level 4: Measured
- Level 5: Managed
Depending on the kind of HITRUST assessment you engage in, however, some or all maturity levels may not be assessed. For example, HITRUST i1 Assessments only score Implemented, whereas HITRUST r2 Assessments score Policy, Procedure, and Implemented by default (with the option of adding Measured and Managed, if desired). Self Assessments can score as many (or as few) maturity levels as desired for the purposes of the assessment (i.e., audit readiness).
Level 1 “Policy” Organizational Evaluation Criteria
The first level of HITRUST maturity concerns the extent to which organizations have formalized, distributed, and maintained explicit and comprehensive policies pertinent to all HITRUST CSF controls. There are six organization-level evaluation criteria for the first HITRUST maturity level:
- Formalized, current standards (“shall” or “will” statements) are available to staff.
- Policies establish ongoing risk monitoring and assessment of security practices’ efficacy.
- Policies explicitly cover all operations, facilities, personnel, and systems within scope.
- Policies must be approved by stakeholders, including but not limited to affected parties.
- Policies explicitly delineate management structure, assign security responsibilities, and establish a stable foundation for control implementation, assessment, and compliance.
- Policies establish particular disciplinary actions, such as penalties, for infractions.
These criteria establish a foundation for all later levels. However, the closest relationships exist between policies and procedures (at Level 2) and the implementation of both (at Level 3).
Together, the first three maturity levels comprise the core levels scored by default in risk-based HITRUST r2 Assessments, which validate compliance for up to two years. As such, they are the most critical levels to account for during implementation and overall certification preparation.
Requirement Statement-level Criteria at Maturity Level 1
At each level, “requirement statement-level criteria” condense the organizational criteria down into specific questions applicable to any given HITRUST control. At Level 1, these include:
- Do policies exist that are “formal” and “up-to-date”? Do these policies contain explicit “shall” or “will” statements for each element of the given requirement statement?
- Do policies explicitly cover all major components in scope for the organization?
- Were all policies approved by the proper authorities and communicated to all staff?
These questions build on each other; the second and third assume a “yes” answer to the first.
Level 2 “Procedure” Organizational Evaluation Criteria
The second level of HITRUST maturity concerns the specific procedures prescribed in company policies pertinent to all HITRUST CSF controls. Level 2 builds upon Level 1, measuring documented procedures’ scope relative to all elements of a given control’s implementation.
There are six organization-level evaluation criteria for the second HITRUST maturity level:
- Formalized, up-to-date, procedures are disseminated to address policy requirements.
- Procedures specify how they are to be performed, where, when, by whom, and on what.
- Procedures define distinct security roles, responsibilities, and expected behaviors for:
- Owners and users of assets
- Information security personnel
- All management and executives
- Information security administrators
- Procedures identify which persons should be contacted for guidance on security matters.
- Procedures log control implementations, including factors like rigor in their application.
- Procedures are communicated clearly to all persons who are required to follow them.
The language across Level 2 mirrors Level 1; the former governs the prescriptive, specific elements broken down across and within the general policies governed by Level 1.
Requirement Statement-level Criteria at Maturity Level 2
At Level 2, the questions about the language used in individual procedure descriptions include:
- Do procedures exist that are “formal” and “up to date”? And do these procedures specify implementation protocols and standards for all elements of the requirement statement?
- Do procedures specify relevant operational aspects (how, when, by who, on what, etc.)?
- Do procedures explicitly outline responsibilities and expectations for all stakeholders?
- Do procedures address all elements of a given requirement statement for all systems?
- Are procedures for requirement statements available to persons who must follow them?
- Are all procedures approved by management or any other appropriate authority?
HITRUST Levels 1 and 2 are similar at the requirement statement level, just like the organizational level. Companies may consider the two Levels’ criteria as complementary.
Level 3 “Implemented” Organizational Evaluation Criteria
The third level of HITRUST maturity concerns the actual implementation of all procedures. Level 3 focuses on the accuracy and fidelity respective to security policies and their general efficacy.
There are just three organization-level evaluation criteria for the third HITRUST maturity level:
- All security controls are implemented consistently across all systems to which they apply; all required practices are also reinforced through thorough awareness training.
- Nonstandard or ad hoc approaches to security ends are minimized and discouraged.
- Controls are tested upon implementation to assess whether they operate as intended.
Implementations must build on sound policies and procedures to guarantee their pragmatic efficacy. Implemented is the last maturity level scored by default in r2 Assessments; it is also the only level scored in the 1-year, i1 Assessments. Organizations seeking moderate cybersecurity assurance for moderate effort and preparedness should prioritize this level as most critical.
Requirement Statement-level Criteria at Maturity Level 3
The criteria above condense further into just two specific questions at HITRUST Level 3:
- Are all elements of all requirement statements implemented consistently across the exhaustive scope of applicable system elements? Are they implemented across all physical and logical systems used by all third parties, supporting internal workflows?
- Are existing ad hoc approaches applied on a case-by-case basis and discouraged?
Despite the dearth of criteria here, Level 3 is still challenging. The first of these questions is the most comprehensive within the entire framework aside from Level 5’s omnibus question.
Level 4 “Measured” Organizational Evaluation Criteria
The fourth level of HITRUST maturity concerns assessment metrics for all controls’ efficacy in practice over time. This is similar to other frameworks’ criteria, such as AICPA’s internal control protocols. HITRUST’s criteria are distinct in prescribing long-term, continuous monitoring, both respective and adaptive to evolving risk environments, per 10 organizational evaluation criteria:
- Routine assessments evaluate both the adequacy and effectiveness of all controls.
- Tests ensure policies and procedures function as intended to enforce data privacy.
- Frequent self-assessments evaluate adequacy and effectiveness of all controls.
- Independent audits do not replace internal evaluations by management or executives.
- Data from past security incidents provide insights on vulnerabilities, threats, and risks.
- All potential and actualized past threats are re-evaluated and analyzed continuously.
- Specific requirements for frequency and type of testing inform the assessment schedule.
- The rigor and frequency of individual controls’ tests depend on risks pertinent to controls.
- Cost-benefit and similar analyses are as precise and accurate as they can possibly be.
- Assessment policies establish status metrics for security programs and investments.
Level 4 comprises the most criteria of any level. Requirements for ongoing monitoring and adaptation can prove especially challenging for companies accustomed to fewer audits.
However, this level is not scored by default in HITRUST r2 Assessments—neither is Level 5. An organization may still choose to score them, though, if heightened security assurance is desired for other regulatory needs, to satisfy stakeholder demands, or create a competitive advantage.
Requirement Statement-level Criteria at Maturity Level 4
The organizational criteria for Level 4 become five questions on specific controls’ measurement:
- Are routine self-assessments performed, collecting metrics to evaluate the adequacy and effectiveness of controls relative to applicable requirement statement language?
- Are specific evaluation requirements explicitly documented and effectively implemented?
- Do individual controls’ measurements depend on risks pertinent to the specific controls?
- Do assessments include supporting documentation addressing what is to be tested, by whom, how to conduct data collection and reporting, and how often?
- Do assessment metrics track adequacy and effectiveness over time? Are expected goals, methods, and thresholds explicitly and clearly established rather than implied?
Curiously, Level 4’s abundance of organizational criteria does not translate into a similarly burdensome set of requirement statement-level questions.
Level 5 “Managed” Organizational Evaluation Criteria
The fifth and final level of HITRUST maturity concerns ongoing management in response to risks and irregularities identified through monitoring. It gauges an institution’s ability to analyze root causes behind risks, mitigate them, and prevent similar future incidents. In total, this includes nine organization-level evaluation criteria:
- Corrective actions are swift and effective; they address identified weaknesses, pertinent to potential or actualized security incidents and governmental or third-party alerts.
- All policies, procedures, implementations, and assessments are subject to improvement.
- Security controls and protocols are fully integrated into capital or budget considerations.
- Enterprise security programs aim for and achieve security outcomes cost-effectively.
- All relevant security vulnerabilities, threats, and risks are both understood and mitigated.
- Controls are dynamic, adapting to environmental security threats as they emerge.
- All relevant decision-making factors into mission impact analysis alongside risk and cost.
- As needs arise, efficient alternatives to security controls are identified and implemented.
- Performance metrics for security programs and investments are met or exceeded.
These criteria prioritize security needs alongside business ones because seemingly small security incidents can cause irreparable damage to the most successful businesses.
Like with Level 4, Managed is only necessary if organizations seek security assurance beyond what a baseline HITRUST r2 Assessment provides (e.g., for compliance or competitiveness).
Requirement Statement-level Criteria at Maturity Level 5
Finally, the questions applied to individual requirement statements for controls include:
- Is there a distinct mechanism explicitly defined for tracking all security-relevant issues?
- These include but are not limited to mitigation practices taken to address them.
- When weaknesses are identified, are corrective or other risk treatment actions applied to them? Are all elements of applicable requirement statements addressed in the actions?
- This pertains to all incidents, including both potential and actualized threats.
- When escalation practices are implemented, are there metrics provided to management to judge the practices’ efficacy? Is there a review process management can engage?
- Do all security-relevant decisions consider mission impact alongside cost and risk level?
Answering these questions affirmatively about all applicable controls can lead to HITRUST certification at full maturity. But first, companies need to implement the HITRUST CSF.
HITRUST CSF Controls Subject to the HITRUST Levels’ Criteria
The HITRUST Levels’ criteria are applied to Controls from the CSF framework. This occurs during assessment, which grades out specific requirements within Controls with tiered scores corresponding to the percentage of affirmative answers to the questions detailed above.
In particular, MyCSF assessment measures an organization’s implementation of Control Specifications, also titled “References” (156 total). These are distributed across the 14 Control Categories and their 49 Objectives. The Control Categories break down as follows:
- Category 0.0 Infosec Management Program – Overall programmatic oversight, corresponding roughly to Level 1 and comprising one Objective and one Reference
- Category 01.0 Access Control – Methods for restricting access to sensitive data via authentication and identity management, per seven Objectives and 25 References
- Category 02.0 Human Resource Security – Safeguards in personnel management, including before, during, and after employment, per four Objectives and nine References
- Category 03.0 Risk Management – Policies and procedures for identifying, analyzing, mitigating, responding to, and preventing risks, per one Objective and four References
- Category 04.0 Security Policy – More detailed specifications for security governance, corresponding roughly to Levels 1 and 2, comprising one Objective and two References
- Category 05.0 Infosec Organization – Protocols for safe inventory management for sensitive data, including safe removal thereof, per two Objectives and 11 References
- Category 06.0 Regulatory Compliance – Requirements for certification or compliance with any applicable regulatory frameworks, per three Objectives and ten References
- Category 07.0 Asset Management – Protocols for safe inventory management for all company assets, including safe removal thereof, per two Objectives and five References
- Category 08.0 Physical / Environmental Security – Protections that establish secure perimeters and physical access restrictions, per two Objectives and 13 References
- Category 09.0 Communications / Operations Security – Protections for network traffic on both internal and public networks, per ten Objectives and 32 References
- Category 10.0 Acquisition, Development, and Maintenance – Safeguards for the onboarding of security-relevant systems, per six Objectives and 13 References
- Category 11.0 Infosec Incident Management – Incident response protocols for minimal impact and swift, full recovery, per two Objectives and five References
- Category 12.0 Business Continuity Management – Procedures to maintain business functionality during or shortly after an incident, per one Objective and five References
- Category 13.0 Infosec Privacy Practices – Safeguards to ensure confidentiality and privacy for personally identifiable data, per seven Objectives and 21 References
Regardless of what kind of assessment you engage in (i1, r2, etc.), how many controls you need to implement, and to what level, it is critical to understand the entire scope of the CSF.
RSI Security: Certification Advisory at All HITRUST Levels
Companies seeking HITRUST certification because of an industry requirement or client request may find implementation challenging without professional help. RSI Security offers dedicated HITRUST advisory services ranging from guided implementation to assessment at all HITRUST levels. Contact RSI Security today to understand and improve your cybersecurity maturity!