banner image for i1 cert

HITRUST i1 Assessment Control Selection Leverages Security Best Practices and Threat Intelligence

The i1 is a “best practices” assessment recommended for situations that present moderate risk. The i1 is a new-class of information security assessment that is threat-adaptive with a control set that evolves over time to deliver continuous cyber relevance. The i1 is designed to provide higher levels of transparency, integrity, and reliability over existing moderate assurance reports, with comparable levels of time, effort, and cost. A HITRUST i1 Readiness Assessment is also available.

The design and selection of the controls for the HITRUST Implemented 1-year (i1) Assessment puts it in a new class of information security assessment that is threat-adaptive – designed to maintain relevance over time as threats evolve and new risks emerge, while retiring controls no longer deemed material.

The HITRUST i1 Assessment is the first information security assessment of its kind with attributes not available through other assurance programs:

  • Designed to maintain relevant control requirements to mitigate existing and emerging threats and provide updates as new threats are identified—it is threat-adaptive, prescriptive, and focused on controls relevant to risk
  • Designed to sunset controls that have lost relevance and have limited assurance value based on effort required to comply or assess
  • Its unique controls selection and assurance program design deliver a higher level of reliability than other moderate assurance options
  • The level of time and effort to complete is comparable to other moderate assurance options in the market
  • Offers a forward-looking, 1-year certification

As the HITRUST i1 was designed around relevant information security risks and emerging cyber threats, it is not surprising it provides coverage for numerous standards, such as NIST 800-171, GLBA Safeguards Rule, HIPAA Security Rule, and Health Industry Cybersecurity Practices (HICP). HITRUST will evaluate security controls and review threat intelligence data no less than quarterly, and for each subsequent major and minor release of the HITRUST CSF framework, to ensure the HITRUST i1 Assessment requirement selection remains relevant over time.

Additional i1 Features

  • Number of Control Requirement Statements: 219 Static*
  • Flexibility of Control Selection: Pre-Set Controls that Leverage Security Best Practices and Threat Intelligence
  • Evaluation Approach: 1×5: Control Implementation Only
  • Level of Effort / Level of Assurance Conveyed: Moderate (Relative to HITRUST Risk-based 2-year r2 Certification)
  • Certifiable Assessment: Yes, 1 -year
  • 4th-Party Performed Controls: Allows Carve-Outs or Inclusion
  • Addresses Shared Responsibilities Via Internal and External Inheritance: Yes
  • Ability to Share Assessment Results with Relying Parties through the HITRUST Results Distribution System: Yes

*A HITRUST i1 Validated Assessment performed using the HITRUST CSF v9.6 framework includes 219 control requirements, however to address emerging cyber threats in the future, the number of requirements included in i1 assessments may change over time.


Download the HITRUST CSF

The HITRUST Approach is built upon the comprehensive and scalable HITRUST CSF framework, which helps organizations of all sizes implement and enhance information risk management and compliance programs. To get started streamlining your information protection efforts, DOWNLOAD THE HITRUST CSF AT NO CHARGE!


Chat Now

This is where you can start a live chat with a member of our team