Over the years, HITRUST has expanded its portfolio to offer varied certification options. It introduced the HITRUST e1 - 1-year Validated Assessment in early 2023. Let’s dive in to understand more about the e1.
What is the HITRUST e1?
The HITRUST e1 assessment covers the 44 most critical security controls and provides a one-year certification. It can be a great option for startups, organizations with limited risk profiles, or companies that need a first step on their security assurance journeys. Obtaining a HITRUST e1 certification allows organizations to demonstrate that they follow foundational cybersecurity practices.
Why was the e1 introduced?
HITRUST collaborated with security leaders and key stakeholders outside and within the HITRUST ecosystem to understand organizations’ challenges. Some, like lower-risk organizations, needed an alternative to questionnaires and unreliable attestations that would allow them to provide demonstrable proof that they follow critical security practices.
The e1 assessment was launched to fill this need. It is a solution that requires less time and effort while providing the level of confidence that a HITRUST certification offers. It follows the same quality assurance as other HITRUST assessments, including validation by an external assessor, because it is based on the same framework. The e1 delivers HITRUST qualities of transparency, accuracy, integrity, and consistency that build confidence and trust. Organizations saw the value, and the launch of the HITRUST e1 was met with immediate demand.
How can an e1 help in achieving other HITRUST certifications?
Because all HITRUST certifications are built on a common framework, efforts from previous certifications can be applied to other certifications. This means that organizations can apply the controls from their e1 certification toward obtaining an i1 or r2 certification.
How long does it take to achieve an e1?
Earning an e1 certification can take as little as a few weeks, with the average time for most organizations being around 30 days. Organizations considering an e1 should talk with their assessors about how many hours they typically bill for the pursuit of an e1. They should also discuss the potential to save time and money by inheriting controls from other assessments, including those from their cloud service providers.
How can the e1 support third-party risk management?
Organizations are only as secure as their least secure vendors. To manage the risks posed by third parties, many organizations would like to create meaningful requirements for their vendors to prove that they maintain appropriate security practices. They need tools that are more reliable than questionnaires and subjective attestations like SOC 2. The e1 provides an ideal solution. Organizations can require their vendors to obtain an e1 certification without creating an undue burden or expense for them.
Organizations that already have attestations, like the SOC 2, or are pursuing one, can expand on their existing work to earn an e1. The benefits are the added confidence and recognition of a HITRUST certification without a significant, additional investment of time and resources.
What will happen to the e1 in the future?
The HITRUST e1 is based on the living, cyber threat-adaptive HITRUST CSF, which maps to the controls needed to defend against the latest and emerging threats. This means that, going forward, the controls included in the e1 will be the ones most critical to keeping up with the evolving threat landscape.