ASSESSMENTS & CERTIFICATIONS / r2

Tailored Cybersecurity. Trusted Assurance.

Demonstrate deep cybersecurity maturity with a tailorable, threat-adaptive assessment trusted by leading organizations, regulators, and cyber insurers.

  • Request Info
    • Certifcation r2
    OVERVIEW

    HITRUST r2 – Tailored, Comprehensive Cybersecurity Certification for High-Value Systems

    Designed for organizations that manage highly sensitive data or operate critical systems, the HITRUST r2 delivers tailored, risk-based validation aligned with the most demanding cybersecurity and regulatory requirements. It’s the gold standard for scalable, threat-adaptive assurance.

    Why it matters:

    • Deliver the highest level of certifiable cybersecurity assurance available.
    • Tailor control selection to your organization’s risk profile, systems, and regulatory requirements.
    • Demonstrate cybersecurity maturity through scored evaluation and third-party validation.
    • Support customer, regulator, and cyber insurer trust with transparent, defensible assurance.

    Who benefits?

    • Organizations that manage sensitive data or operate high-risk systems
    • Vendors serving regulated industries like healthcare, finance, or government
    • Enterprises that must comply with multiple cybersecurity frameworks
    • Organizations advancing from i1 to demonstrate full-program maturity and assurance
    See what makes HITRUST r2 the most rigorous certification available.

    Download the data sheet to explore the r2's tailored controls, threat-adaptive protection, and unmatched assurance.

    Download
    BENEFITS

    Assurance Without Exception – The Strategic Benefits of HITRUST r2

    HITRUST r2 delivers tailorable, threat-informed validation that proves deep cybersecurity maturity and multi-regulatory compliance.

    product-icon1
    Applies Mapped Controls Across 60+ Standards

    Support broad compliance with authoritative mappings across major regulations and frameworks.

    Controls
    Tailors Controls to Risk, Systems, and Scope

    Select the right controls based on your organization’s environment, threats, and regulatory needs.

    Optimize Time
    Builds on Prior HITRUST Work for Efficiency

    Save time and effort by inheriting validated controls across assessments.

    Certification
    Demonstrates the Highest Level of Assurance

    Meet the most rigorous cybersecurity and compliance requirements with third-party validation.

    Automated Underwriting
    Enables Better Cyber Insurance Outcomes

    Improve access to cyber insurance with streamlined underwriting and stronger security proof.

    Risk Management icon
    Uses Threat Intelligence to Stay Current

    Keep controls aligned with emerging threats through continuous updates informed by breach data.

    Sample HITRUST r2 Report

    Download a sample HITRUST validated r2 report.

    Download
    HIGHLIGHTS

    Leading organizations use the HITRUST r2 to prove their cybersecurity maturity.

    See how Glooko used HITRUST r2 for business growth and operational efficiency.

    Read Case Study
    FAQs

    Frequently Asked Questions

    How does HITRUST r2 differ from the i1 and e1 assessments?
    While e1 and i1 provide foundational and moderate assurance respectively, r2 offers the highest level of assurance. It is fully risk-based, customizable, and evaluates policy, procedure, and implementation across a broader set of controls. r2 is best suited for organizations with complex systems and elevated risk exposure.
    I have seen this certification referred to in the past as “risk-based”. What does that mean?

    "Risk-based" means the r2 assessment tailors control requirements for your organization’s specific risk factors—such as system complexity, regulatory obligations, and data sensitivity. The result is a targeted, prescriptive assessment that ensures the right controls are applied where they matter most.

    How long is HITRUST r2 certification valid?

    The HITRUST r2 certification is valid for two years. Organizations must complete an interim assessment after one year to confirm continued compliance. A full assessment is required at the end of the two-year certification period to maintain status.

    Can HITRUST r2 be used to meet multiple compliance requirements?

    Yes. HITRUST r2 is built on the HITRUST CSF, which maps to 60+ authoritative sources including HIPAA, NIST, ISO, PCI, GDPR, and more. This allows organizations to reduce duplication and align with multiple standards through one harmonized framework.

    The Only Certification Proven to Work

    With a 99.41% breach-free rate among HITRUST-certified environments, HITRUST stands alone in cybersecurity assurance. From third-party risk to internal controls, trust the solution that reduces risk — and proves it.

    Get Started
    Chat

    Chat Now

    This is where you can start a live chat with a member of our team