Which assessment type is the most tailorable to an organization's risk profile?
A. i1
B. r2
C. Interim
D. e1
E. Bridge
The Answer Is: B
Explanation:
The r2 assessment is the most risk-tailorable of all HITRUST assessment types. Unlike the standardized e1 and i1 assessments, which are designed for essential or moderate assurance, the r2 adapts dynamically based on organizational, technical, compliance, and operational risk factors. For example, the number of users, systems, or internet-facing components directly impacts the number and type of requirement statements. Regulatory drivers such as HIPAA, PCI-DSS, or GDPR also add requirements, ensuring the assessment aligns with the entity's unique obligations. This tailoring ensures that organizations with higher risk exposure face more stringent testing, while lower-risk entities are not overburdened with unnecessary controls. Neither interim assessments nor bridge certificates are tailorable; they are point-in-time processes tied to existing validated assessments.
References: HITRUST CSF Methodology, "Risk-Based Tailoring"; CCSFP Study Guide, "Why r2 is the Most Customizable Assessment."