The Factors webform allows the Assessed Entity to tailor the requirement statements included in the r2 assessment based on the assessed organization’s inherent risk. The r2 assessment factor questions are organized in the following categories:
- General Factors: General information about the Assessed Entity.
- Organizational Factors: Information about the data held and processed in the in-scope environment.
- Geographic Factors: Geographic reach of the in-scope system(s) and facility(s).
- Technical Factors: IT information about the in-scope systems and facility(s).
- Compliance Factors: Regulatory or compliance frameworks that the Assessed Entity may optionally include in their assessment.
6.7.1 For r2 assessments, the Factors webform in MyCSF must be completed by the Assessed Entity.
6.7.2 All factor questions in the General, Organizational, Geographic, and Technical categories must be completed. Compliance factors are optionally selected for inclusion within an assessment.
6.7.3 When a factor question is answered “No”, the rationale for answering “No” must be provided. The rationale should directly answer the factor question and be clear, concise, and free of spelling and grammatical errors.
HITRUST i1 and e1 assessments allow the Assessed Entity to optionally select Compliance factors in order to perform a combined assessment of an authoritative source alongside the i1 or e1 requirement statements. A combined assessment results in an Insights Report for each included authoritative source in addition to the i1 or e1 HITRUST CSF reports. Note that the authoritative sources eligible for inclusion within e1 and i1 combined assessments vary based on the CSF version.
6.7.4 For i1 and e1 assessments, the Factors webform in MyCSF may be completed by the Assessed Entity or External Assessor.
6.7.5 For i1 and e1 assessments, the HITRUST CSF i1 and e1 Validated Assessment Reports include only the core i1 or e1 requirement statements (even when a combined assessment with included Compliance factors is performed).
6.7.6 For combined i1 and e1 assessments, each Compliance factor selected requires an Insights Report Credit to be obtained prior to submission of the assessment to HITRUST.
For a list of all factor questions and guidance for responding to factors, see MyCSF Help.