The Factors webform allows the Assessed Entity to tailor the requirement statements included in the r2 assessment based on the assessed organization’s inherent risk. The factor questions are organized in the following categories:

  • General Factors: General information about the Assessed Entity.
  • Organizational Factors: Information around the data held and processed in the in-scope environment.
  • Geographic Factors: Geographic reach of the in-scope system(s) and facility(s).
  • Technical Factors: IT information around the in-scope systems and facility(s).
  • Compliance Factors: Regulatory or Compliance frameworks that the Assessed Entity may optionally include in their assessment.

6.7.1 For r2 assessments, the Factors webform in MyCSF must be completed by the Assessed Entity. Factor questions are not available on i1 or e1 assessments because the HITRUST CSF requirement statements in i1 and e1 assessments are curated by HITRUST.

6.7.2 All factor questions in the General, Organizational, Geographic, and Technical categories must be completed. Compliance factor questions are optional.

6.7.3 When a factor question is answered “No”, the rationale for answering “No” must be provided. The rationale should directly answer the factor question and be clear, concise, and free of spelling and grammatical errors.

For a list of all factor questions and guidance for responding to factors, see https://help.mycsf.net/factors/.