Advisories

HAA 2023-005: i1 Rapid Recertification

Written by HITRUST | Mar 5, 2024 10:46:07 AM

Overview
HITRUST is introducing the Rapid Recertification option for i1 assessments, which provides an accelerated way to obtain your next i1 certification.

The HITRUST i1 Rapid Recertification Assessment allows Assessed Entities and their External Assessors to evaluate a selection of i1 requirement statements to demonstrate that the control environment has not materially degraded since the previous i1 Certification was obtained. Upon successfully demonstrating that the control environment has not materially degraded, the Assessed Entity is permitted to roll forward scores from their previous, certified i1 Assessment for the remaining requirement statements – thus reducing the amount of testing required to complete the assessment. The i1 Rapid Recertification results in the same i1 Assessment Reports and i1 Certification as a full i1 Assessment.

Leveraging the i1 Rapid Recertification Assessment
The i1 Rapid Recertification Assessment may be leveraged by organizations that meet all of the following conditions:

  • The Assessed Entity currently holds an i1 Certification based on CSF v11 or later.
  • The Assessed Entity intends to assess the same scope assessed in the prior i1 assessment.
  • No significant changes have occurred since the previous i1 Certification date in the Assessed Entity’s business or security policies, processes, controls, hosting locations, or technologies.
  • The control environment has not materially degraded since the previous standard i1 Assessment was performed.
  • The Assessed Entity has an available assessment object in MyCSF.

When Assessed Entities are not eligible to complete an i1 Rapid Recertification Assessment, a full i1 Assessment must be completed to obtain an i1 Certification.

Key similarities between the i1 Assessment and the i1 Rapid Recertification Assessment
The i1 Rapid Recertification Assessment is comparable to the full i1 Assessment in many ways, the most notable of which include:

HITRUST CSF requirements included in i1 Rapid Recertification Assessments
Just like a full i1 Assessment, the i1 Rapid Recertification Assessment consists of all i1 requirement statements for the current CSF version at the time the i1 Rapid Recertification Assessment is created. The i1 Rapid Recertification Assessment is different in that some requirement statements are not required to be evaluated and may instead have scores carried over from the previously completed full i1 Assessment. The following sections detail the selection of requirement statements that are required to be evaluated during the i1 Rapid Recertification Assessment and those that are not.

Requirement statements that are required to be evaluated during the i1 Rapid Recertification Assessment

  • If the i1 Rapid Recertification Assessment is created using a newer CSF version than that which was utilized for the Assessed Entity’s full i1 assessment, there may be additional requirement statements included in the i1 Rapid Recertification due to the quarterly threat analysis that impacts the i1 requirement statement selection. The additional requirement statements included in the newer CSF version are required to be evaluated in the i1 Rapid Recertification Assessment.
  • A sample of 60 requirement statements that were scored (not N/A) in the full i1 Assessment must be evaluated in the i1 Rapid Recertification Assessment. Note that any requirement statements that are not included in the i1 requirement selection for the current CSF version are excluded from this sample.
  • Requirement statements that were marked as N/A during the full i1 assessment are required to be reviewed during the i1 Rapid Recertification Assessment to confirm that the N/A rationale remains accurate. Note that any requirement statements marked N/A that are not included in the i1 requirement selection for the current CSF version are excluded.
  • Requirement statements that required a CAP during the full i1 Assessment are required to be assessed during the i1 Rapid Recertification Assessment. Note that any requirement statements requiring a CAP that are not included in the i1 requirement selection for the current CSF version will be excluded.

Requirement statements that are not required to be evaluated during the i1 Rapid Recertification Assessment
All other i1 requirement statements for the current CSF version are included within the i1 Rapid Recertification Assessment object but are not required to be assessed. By default, these requirement statements appear within the assessment in a read-only state and include the scores that were entered in the previous i1 Assessment. The Assessed Entity may optionally include any of these requirement statements by toggling the requirement statement to an editable state.

Detection of Control Degradation
Before creating an i1 Rapid Recertification Assessment, the Assessed Entity must attest that the control environment has not materially degraded since the full i1 Assessment was performed.

During the performance of the i1 Rapid Recertification Assessment, MyCSF monitors the scoring of requirement statements that are evaluated in the current i1 Rapid Recertification Assessment and compares the scores to the previously completed i1 Assessment.

  • If scores are lowered for two or fewer requirement statements, the i1 Rapid Recertification Assessment may be submitted to HITRUST.
  • If MyCSF detects three or four requirement statements with lower scores, the Assessed Entity and External Assessor are presented with two options for how to proceed:
    Option 1: Expand the sample of requirement statements evaluated in the i1 Rapid Recertification Assessment. If this option is selected, an additional sample of 60 requirement statements must be assessed. Once the additional 60 requirement statements are introduced, MyCSF allows a total of five requirement statements with scores lower than in the previously completed i1 Assessment; if six or more requirement statements have lower scores, Option 2 must be followed.
    Option 2: Complete a full i1 Assessment. If this option is selected, the i1 Rapid Recertification Assessment may be converted to a full i1 Assessment so that the scoring and documentation already entered in MyCSF are retained.
  • If MyCSF detects five or more requirement statements with lower scores before the sample has been expanded, a full i1 Assessment is required. In this case, too, the i1 Rapid Recertification Assessment may be converted to a full i1 Assessment so that the scoring and documentation already entered in MyCSF are retained.
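To make the selection rules and the degradation thresholds above concrete, the following is an added Python model of them run against constructed assessment data. It is not HITRUST or MyCSF code. It assumes numeric scores where a lower number is a lower score, a random draw for the 60-statement sample (the advisory does not say how MyCSF selects it), and that requirement statements whose scores were lowered during QA only because of a testing-approach or documentation error are passed in separately so they do not count toward the threshold.

```python
"""Added worked model of the i1 Rapid Recertification selection and
degradation rules described in HAA 2023-005. Not HITRUST/MyCSF code."""
import random

NA = "N/A"  # marker for a requirement statement scored Not Applicable


def select_required(prior_scores, prior_caps, prior_selection, current_selection,
                    sample_size=60, seed=None):
    """Return the groups of requirement IDs that must be evaluated.

    prior_scores      : {req_id: numeric score or NA} from the certified full i1
    prior_caps        : req_ids that required a CAP in that assessment
    prior_selection   : i1 requirement selection of the CSF version used then
    current_selection : i1 requirement selection of the current CSF version
    Only statements still in the current selection are eligible (page rule).
    The random draw is an assumption; the page does not describe the method.
    """
    rng = random.Random(seed)
    current = set(current_selection)
    new_reqs = current - set(prior_selection)  # added by a newer CSF version
    scored = sorted(r for r in current if prior_scores.get(r, NA) != NA)
    sample = set(rng.sample(scored, min(sample_size, len(scored))))
    na_review = {r for r in current if prior_scores.get(r) == NA}
    cap_review = {r for r in current if r in prior_caps}
    return {"sample": sample, "na_review": na_review,
            "cap_review": cap_review, "new_reqs": new_reqs}


def required_statements(selection):
    """Everything that must be evaluated; all other statements roll forward."""
    return set().union(*selection.values())


def count_degraded(prior_scores, current_scores, testing_error_ids=frozenset()):
    """Count evaluated statements whose score is lower than in the prior assessment.

    Statements lowered only because of a testing-approach or documentation
    error (as determined during QA) are excluded, since the page says they do
    not count toward the degradation threshold.
    """
    return sum(
        1 for r, s in current_scores.items()
        if r not in testing_error_ids
        and prior_scores.get(r, NA) != NA and s != NA
        and s < prior_scores[r]
    )


def degradation_decision(lowered, expanded=False):
    """Apply the MyCSF thresholds from the advisory to a count of lowered scores."""
    if not expanded:
        if lowered <= 2:
            return "submit"
        if lowered <= 4:
            return "choose: expand sample (+60) or convert to full i1"
        return "convert to full i1"
    # After the additional 60 statements, up to five lowered scores are tolerated.
    return "submit" if lowered <= 5 else "convert to full i1"


if __name__ == "__main__":
    # Constructed example data (hypothetical IDs and scores, not real i1 content).
    prior = {f"R{i}": 100 for i in range(1, 91)}
    prior["R5"] = NA
    prior["R6"] = NA
    prior_caps = {"R7"}
    current_selection = set(prior) | {"R91", "R92"}  # two statements new in this CSF version
    sel = select_required(prior, prior_caps, set(prior), current_selection, seed=1)
    print("must evaluate:", len(required_statements(sel)), "statements")
    evaluated = {"R1": 75, "R2": 75, "R3": 100, "R4": 50}  # constructed re-test results
    lowered = count_degraded(prior, evaluated)
    print("lowered:", lowered, "->", degradation_decision(lowered))
    print("after QA excludes R4 as a testing error:",
          degradation_decision(count_degraded(prior, evaluated, {"R4"})))
```

The two calls at the end show the QA distinction from the advisory: three lowered scores puts the assessment in the "choose" band, but once QA attributes one of them to a testing error only two count, and the assessment can be submitted.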

HITRUST’s Quality Assurance (“QA”) Review of i1 Rapid Recertification Assessments
i1 Rapid Recertification Assessments feature the same high quality of deliverables as full i1 Assessments, as ensured through HITRUST’s robust Quality Assurance process using HITRUST’s Assurance Intelligence Engine. Additionally, just like on full i1 Assessments, HITRUST’s QA review of i1 Rapid Recertification Assessments must be scheduled using the HITRUST QA Reservation System. Full i1 Assessments and i1 Rapid Recertification Assessments use the same type of report credits to book a reservation.

HITRUST performs a sample-based QA review of the requirement statements in the i1 Rapid Recertification Assessment in much the same manner as a full i1 Assessment. The notable difference is that HITRUST does not QA any requirement statements with scores that were carried from the previous assessment.

Detection of control degradation during QA
If scores are lowered during the QA review process, HITRUST will consider whether the scores have been lowered due to an issue with the operation of the control or due to an error in testing approach or testing documentation. Scores lowered due to an error in testing approach or testing documentation are not considered to be control degradation. Only scores lowered due to an issue with the operation of the control will count toward the threshold for control degradation.

If scores are lowered due to an issue with control operation, there is a possibility that the threshold for number of scores lowered to indicate material degradation is met during the QA review process. If this occurs, the Assessed Entity and External Assessor will be required to expand the sample of requirement statements evaluated in the i1 Rapid Recertification Assessment or complete a full i1 assessment according to the guidelines presented in the previous section.

HITRUST QA timeline for i1 Rapid Recertification Assessments
HITRUST’s established i1 post-submission service level agreement (SLA), not greater than 45 business days with HITRUST, also applies to the i1 Rapid Recertification Assessment. Should HITRUST exceed the stated SLA, customers can request a complimentary report credit by contacting their Customer Success Manager within 14 days after the final report has been issued. i1 Rapid Recertification submissions entering escalated QA due to quality concerns are exempted from this SLA, as processing such submissions may take longer than processing non-escalated submissions.

CAPs, Scoring, and Certification Thresholds on i1 Rapid Recertification Assessments
The scoring and certification thresholds for i1 Rapid Recertification Assessments are the same as those for full i1 Assessments. For the requirement statements that were not assessed during the i1 Rapid Recertification Assessment, the scores from the previous i1 Assessment are used in the calculation of average domain scores and the identification of CAPs and gaps.

Assessment Reports
The i1 Rapid Recertification Assessment results in the same assessment reports that are issued for a full i1 assessment. These reports can be shared through the HITRUST Assessment XChange and assessment results can be shared through the HITRUST Results Distribution System.

Implementation and Timeline
A subsequent advisory will provide additional details and announce the release of the i1 Rapid Recertification Assessment in MyCSF.

Additional Resources
For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.