HITRUST Risk-Based, 2-Year (r2) Validated Assessment Remains the Industry Gold Standard for Information Protection Assurances

The HITRUST Risk-Based, 2-Year (r2) Validated Assessment (formerly named the HITRUST CSF Validated Assessment) is a risk-based and tailorable assessment that continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors. The r2 focuses on a comprehensive, prescriptive risk-based specification of controls suitable for most organizations with a very rigorous approach to evaluation, which is suitable for high assurance requirements.

The HITRUST r2 Certification is considered the gold standard in the industry, and offers a competitive advantage for customers, as it provides significant assurances that can be relied upon by all stakeholders (e.g., Customers, Regulators, Cyber Insurance Underwriters).

  • The number of control requirement statements in an r2 assessment varies from 198 to 2000 (360 on average across assessments), based on the inherent risk factors and any optional authoritative sources included in scope
  • r2 assessments can be tailored to convey assurances over dozens of information protection regulations and standards (including HIPAA, NIST CSF, PCI DSS, GDPR and more)
  • r2 assessments are tailored based on the assessed entity’s inherent risk factors (examples: whether in-scope systems are accessible from the Internet, whether wireless networks are used in the scoped environment, etc.)
  • Full 5×5 PRISMA evaluation using a comprehensive scoring rubric
  • Each HITRUST r2 Validated Assessment Report includes a scorecard detailing an organization’s compliance with NIST Cybersecurity Framework-related controls included in the HITRUST CSF framework

Additional r2 Features

  • Relative Level of Effort: High level of effort and assurance
  • Evaluation Approach: 3×5 or 5×5; Control Maturity assessment against either 3 or 5 maturity levels
  • Scoring: Policies, Procedures, Implemented, (and optionally) Measured, and Managed
  • Targeted Coverage: NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others
  • Certifiable Assessment: Yes, 2-year certification
  • 4th-Party Performed Controls: Included
  • Addresses Shared Responsibilities Via Internal and External Inheritance: Yes
  • Ability to Share Assessment Results with Relying Parties through the HITRUST Results Distribution System: Yes
  • Complementary Assessments: HITRUST r2 Readiness, Interim, and Bridge Assessments available


Download the HITRUST CSF

The HITRUST Approach is built upon the comprehensive and scalable HITRUST CSF framework, which helps organizations of all sizes implement and enhance information risk management and compliance programs. To get started streamlining your information protection efforts, DOWNLOAD THE HITRUST CSF AT NO CHARGE!
