The HITRUST CSF® is a risk- and compliance-based controls framework which helps organizations to validate the privacy and security of their information systems. As an organization prepares for HITRUST CSF assessments, it must outline the scope of engagement. Determining the scope makes it possible to efficiently evaluate the right data and systems during the given assessment period.

What Is the Purpose of the Scope for HITRUST Engagement?

The concept is simple: the larger the scope is, the more complex the assessment becomes. Clearly, this also increases the time and expense associated with performing assessments. In reality, a full assessment of all information systems is not always viable or necessary for every organization that handles sensitive data.

Breaking up the engagement into smaller-scale assessments allows your company to focus on a limited set of information systems, records, technologies, and personnel. Narrowing the scope establishes boundaries to better manage and control the assessment, targeting specified parameters and security controls. A targeted scope makes the HITRUST CSF Certification process easier, faster, and more cost-effective.

HITRUST Scope Factors

Determining the scope of the engagement depends on these 3 key factors:

  1. Organizational factors – the departments of the organization that will undergo assessment.
  2. Data factors – the data, records, and reports used in that specific department;
  3. Systems factors – the systems, technologies, and devices that store, access, and transmit sensitive data.

Organization – Type

Every organization has different security factors based on what they do with sensitive information. The first step in determining the scope of HITRUST engagement is to identify the entity type of your organization as well as the potential security risks.

Organization – Size

The number of records handled will affect the number of requirement statements involved in the HITRUST assessment. Your organization will need to report the number or records in their system.

Organization – Geography

You will need to identify which departments will fall under the assessment engagement and where they are located. You may have an organization where the specific department spans multiple geographical locations, with each facility location performing specific tasks along the process. You will want to evaluate the security risk affecting each of these departments. From this, you can extrapolate the local, state, and federal regulatory standards that apply to your organization.

Organization – Industry

Applicable regulatory standards vary from industry to industry. If your company works in healthcare, banking, finance, retail, or other industries, it will need to demonstrate compliance with a specific set of regulatory requirements.

Data – Type

The HITRUST scope will also take into consideration the types of data that the department uses and the measures in place to securely manage the data.

Data – Access & Usage

Another factor is related to who is able to access the data. To define the scope, you should outline the personnel who have access to data, how it is used, and how it is treated after the information is no longer needed.


In order to define the HITRUST scope parameters, your team must document how the systems within the scope process, store, and transmit data. Factors including third-party access to data, the use of mobile devices, the number of users, and daily transactions will impact the controls applicable to the system.

Compliance questions? Get answers!

Book a free 30-minute consultation with a specialist to find your path to compliance. Secure your spot today.


How to Scope a HITRUST Engagement

Here are the steps and documentation which will help to correctly define the scope of HITRUST engagement. Together, a data flow diagram, IT asset inventory, network diagram, and systems management document can help you narrow down the scope of your HITRUST engagement.

Watch this video to learn how to scope a HITRUST engagement using the HITRUST MyCSF® tool.

Data Flow Diagram

A data flow diagram simply tracks the flow of data through the department. It illustrates the following department activities:

  • How data is gathered;
  • Where data is transmitted;
  • How data is stored;
  • How data is processed;
  • How data is removed or destroyed.

This diagram will allow you to identify key risk factors with how data is used, stored, and collected. You can also examine the protocols that are presently in place regarding the disposal of records. By establishing the scope of the data type and usage, you can focus your assessment on the necessary data and its movement through your organization, without losing time analyzing activities that fall outside of what’s necessary for the assessment.

IT Asset Inventory

This step involves diving deep into the technical side of operations in the department undergoing the HITRUST engagement. A thorough network inventory includes:

  • Standalone and network-connected systems,
  • Business administration systems, such as accounting or customer service networks,
  • Infrastructure components, such as routers and firewalls,
  • Mobile devices.

Network Diagram

The goal of building a network diagram is to map connections, system interactions, and data transmission procedures to identify any vulnerabilities or gaps in security measures. You’ll also need to figure out which systems need to be connected on a permanent basis versus devices and technologies that only connect for one-time use.

The diagram provides a visual roadmap of the data environment. Creating a network diagram also allows you to have a greater understanding of how you manage your network and what controls should be put in place to increase network security.

System Management Processes

Outlining system management processes allows you to focus the assessment on those specific measures designed to ensure data security. The aim is to identify the systems which actually perform the process that need to be certified.

See our helpful Glossary of HITRUST CSF Certification.

Establishing Scope Parameters for a Successful HITRUST Assessment

Achieving HITRUST CSF Certification requires understanding the boundaries of what will be evaluated in your organization. If you are getting ready to perform a HITRUST CSF Assessment in your organization and need help to get started, contact I.S. Partners, LLC. We can assist you in establishing scope boundaries and avoid wasting time or money on unnecessarily large or complex assessments. We help companies complete validated assessments and achieve certification.

Request more information from I.S. Partners team members at 215-675-1400 or online through the form below.

Find out more about HITRUST Validated and Readiness Assessment Scoring

About The Author

Get started

Get a quote today!

Fill out the form to schedule a free, 30-minute consultation with a senior-level compliance expert today!

Analysis of your compliance needs
Timeline, cost, and pricing breakdown
A strategy to keep pace with evolving regulations

Great companies think alike.

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Scroll to Top