
HAA 2024-001: i1 Rapid Recertification Release

Written by HITRUST | Feb 28, 2024 4:35:31 PM

Overview
In January 2023, HITRUST announced the Rapid Recertification option for qualifying i1 Assessments, which provides an accelerated way to obtain your next i1 Certification. The i1 Rapid Recertification Assessment is now available for creation in MyCSF.

Leveraging the i1 Rapid Recertification Assessment
The i1 Rapid Recertification Assessment may be leveraged by organizations that meet all the following conditions:

  • Assessed Entities with an i1 Validated Assessment with Certification on v11 or greater must be in a full MyCSF subscription. Assessed Entities who used the Lite Bundle must upgrade to at least a Professional subscription to complete an i1 Rapid Recertification Assessment.
  • The control environment has not materially degraded since the full i1 Assessment was performed. See The HITRUST Approach to i1 Rapid Recertification and the HITRUST Assessment Handbook, Chapter 15.5 for more information about control degradation.
  • The Assessed Entity has an available assessment object in MyCSF.

Eligibility and Creation Timeline for the i1 Rapid Recertification Assessment

  • 180 days prior to the expiration of the active i1 Certification, the Assessed Entity and External Assessor will be notified that the i1 Rapid Recertification Eligibility Questionnaire is available to be completed within the full i1 Assessment in MyCSF.
  • When the Eligibility Questionnaire is completed, and it is determined that the Assessed Entity is eligible for an i1 Rapid Recertification:
    • The Assessed Entity may use an i1 Rapid Recertification Report Credit to schedule a QA Reservation for the i1 Rapid Recertification Assessment within the full i1 Assessment. If needed, the QA Reservation may be modified or canceled within the full i1 Assessment.
    • 120 days prior to the expiration of the active i1 Certification, the i1 Rapid Recertification Assessment object will be autogenerated in MyCSF and the Assessed Entity and External Assessor will be notified.
      • At that time, the i1 Rapid Recertification will contain the requirement statements described in the next section, and if offered as part of your subscription, an offline assessment file can be downloaded.
      • The 120-day period allows for a 30-day planning period and a maximum 90-day fieldwork period.
      • If the Assessed Entity scheduled a QA Reservation within the full i1 Assessment, it will be transferred to the i1 Rapid Recertification Assessment. If the Assessed Entity did not schedule a QA Reservation within the full i1 Assessment, the QA Reservation can be scheduled within the i1 Rapid Recertification Assessment.
        • The QA Reservation may be modified or canceled within the i1 Rapid Recertification Assessment up to 30 days prior to the reservation date without a penalty.

HITRUST CSF Requirements Included in i1 Rapid Recertification Assessments
Just like a full i1 Assessment, the i1 Rapid Recertification Assessment consists of all i1 requirement statements for the current CSF version at the time the i1 Rapid Recertification Assessment is created. The i1 Rapid Recertification Assessment is different in that some requirement statements are not required to be evaluated and may instead have scores carried over from the full i1 Assessment.


Requirement Statements that must be assessed in the i1 Rapid Recertification:

  • NEW: If the i1 Rapid Recertification Assessment is created using a newer CSF version than the one used for the Assessed Entity’s full i1 Assessment, there may be additional requirement statements included in the i1 Rapid Recertification due to the quarterly threat analysis that impacts the i1 requirement statement selection.
  • Sample: A sample of 60 requirement statements that were scored in the full i1 Assessment. The sample of 60 requirement statements includes all requirement statements that required a CAP in the full i1 Assessment.
  • N/As: All requirement statements that were marked as N/A during the full i1 Assessment.

All other i1 requirement statements for the current CSF version are included within the i1 Rapid Recertification Assessment object but are not required to be assessed. By default, these requirement statements appear within the assessment in a read-only state and include the scores that were entered in the full i1 Assessment.

If the Assessed Entity would like to show improvement on a requirement statement that is not already required to be assessed in the i1 Rapid Recertification, the Assessed Entity may optionally include any of these requirement statements by toggling the requirement statement from read-only to an editable state.

Additional resources
For more information about the i1 Rapid Recertification, see The HITRUST Approach to i1 Rapid Recertification. For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.