For all assessment types, Assessed Entities and/or External Assessors will document scores (see Chapter 10 HITRUST Scoring Rubric for detailed scoring information) for each requirement statement by maturity level. These maturity levels are based upon HITRUST’s version of the PRISMA maturity model. The maturity model includes five levels for the r2: Policy, Procedure, Implemented, Measured and Managed (for the i1 and e1, only the Implemented maturity level is scored):

  • Policy: The Policy maturity level considers the existence of current, documented information security policies or standards in the Assessed Entity’s information security program and whether they include language that formally requires implementation of the evaluative elements within the HITRUST requirements. A policy is the overall intention and direction as formally expressed by management, most often articulated in documents that record high-level principles or courses of action that have been decided. Policies may provide guidance on specific issues or systems but should not be confused with procedures.
  • Procedure: The Procedure maturity level considers the existence of documented procedures or processes developed from the policies and whether they reasonably apply to the Assessed Entity’s systems within scope of the assessment. A procedure is a description of the steps necessary to perform specific operations in conformance with applicable policies.
  • Implemented: The Implemented maturity level considers the actual implementation of the policies and whether the Assessed Entity’s control implementation specifications have been applied to all the Assessed Entity’s systems within scope of the assessment.
  • Measured: The Measured maturity level considers separate monitoring activities that test or measure (via metrics) the control’s implementation and whether the control remains effective over time.
  • Managed: The Managed maturity level considers whether corrective action or enhancements are necessary, based on the measurement results.

Please note that within HITRUST r2 assessments, scoring of the Measured and Managed maturity levels is optional. When configuring an assessment, the Assessed Entity will select whether Measured and Managed maturity levels will be evaluated during the assessment.