Higher Quality and Reliability at Every Level of Assurance
(New Assessments Available at the End of 2021)
HITRUST CSF Certification is the most reliable information assurance report on the market and made possible by the transparency and consistency in the selection of controls, and in the scoring, and validation of controls by both qualified third-party assessors and the HITRUST Assurance and Quality teams. The Assurance process is rigorous by design to ensure a high level of assurance in the results provided. However, there are many situations where a moderate or low level of assurance is warranted, and organizations are seeking a broader range of assessment options that require less effort and time to perform while still providing a commensurate level of reliability for moderate- to lower-risk scenarios.
To meet the market needs for varying levels of assurance with higher reliability, HITRUST is adding two new assessment offerings. Like the HITRUST CSF Validated Assessment, these new offerings will aid in understanding control effectiveness as well as cyber preparedness and resilience. With the two new additions, the HITRUST assessment portfolio will include:
- The Basic, Current-State (bC) Assessment is a “good hygiene” assessment and offers higher reliability than self-assessments and questionnaires by utilizing the HITRUST Assurance Intelligence Engine™ (AI Engine) to identify errors, omissions, and deceit.
- The Implemented, 1-Year (i1) Validated Assessment is a “best practices” assessment and recommended for situations that present moderate risk or where a baseline risk assessment is needed. The i1 is designed to provide higher levels of transparency, integrity, and reliability over existing moderate assurance reports, with comparable levels of time, effort, and cost. HITRUST Authorized External Assessors will validate i1 Validated Assessments.
- The industry standard HITRUST CSF Validated Assessment is a risk-based and tailorable assessment, which continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors. The HITRUST CSF Validated Assessment is renamed the HITRUST Risk-Based, 2-Year (r2) Validated Assessment.
Expanded HITRUST Assessment Portfolio
New: Available December 30, 2021
Current-State Assessment (bC)
1-year (i1) Validated Assessment
2-year (r2) Validated Assessment
(Former Name: HITRUST CSF Validated Assessment)
|Description||Verified Self-Assessment||Validated Assessment + Certification||Validated Assessment +
|Purpose (Use Case)||Focus on good security hygiene controls in virtually any size organization with a simple approach to evaluation, which is suitable for rapid and/or low assurance requirements||A threat-adaptive assessment focused on best security practices with a more rigorous approach to evaluation, which is suitable for moderate assurance requirements||Focus on a comprehensive risk-based specification of controls suitable for most organizations with a very rigorous approach to evaluation, which is suitable for high assurance requirements|
|Number of Control Requirement Statements||71 Static||219 Static||2000+ based on Tailoring
(360 average in scope of assessments)
|Flexibility of Control Selection||No Tailoring||No Tailoring||Tailoring|
|Evaluation Approach||1×3: Control Implementation||1×5: Control Implementation||3×5 or 5×5: Control Maturity assessment against either 3 or 5 maturity levels|
|Targeted Coverage*||NISTIR 7621: Small Business Information Security Fundamentals||NIST SP 800-171, HIPAA Security Rule||NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others|
|Level of Assurance**||Low||Moderate||High|
|Relative Level of Effort||0.5||1.0||5.0|
|Certifiable Assessment||No||Yes, 1 Year||Yes, 2 Year|
|Complementary Assessments||None||Readiness||Readiness, Interim, Bridge|
*Targeted Coverage means substantial coverage is intended
** A particular level of assurance (e.g., low, medium/moderate, or high) is generally characterized by the relative level of suitability, impartiality, and rigor in the approach used to specify, assess, and report on the effectiveness of information security and privacy controls and the risks they are intended to manage.
Additional HITRUST Assessment Options:
- HITRUST Risk-based, 2-year (“r2”) Readiness Assessment. A self-attested assessment that is often used to determine security posture and any potential remediation efforts in preparation for a future HITRUST Assessment. Available for use with the HITRUST Implemented, 1-year (“i1”) Validated Assessment and the HITRUST Risk-based, 2-year (“r2”) Validated Assessment.
- HITRUST Interim Assessment for r2 Certification. Organizations with a HITRUST Risk-Based, 2-year (“r2”) Validated Certification Report will need to perform a r2 Interim Assessment at the one-year mark to keep their certification valid.
- HITRUST Bridge Assessment for r2 Certification. Allows organizations to earn a bridge certificate to maintain their HITRUST Risk-based, 2-year (“r2”) Certification Report for an additional 90 days, even if their assessment submission due date is missed.
New Results Distribution System (RDS): Available for All HITRUST Assessments
(Initial Release Planned for Early 2022)
The HITRUST RDS addresses the highly inefficient process of obtaining, interpreting, and analyzing assessment results from third-party vendors. Today, third-party attested security and privacy assessment reports are delivered to the assessed entity in PDF format. In many cases, the assessed entity is asked to share their assessment report with a relying party (e.g., customer, trading partner, or regulator) who then must manually review the report to identify the salient information they need to make better-informed decisions about the risk an assessed entity presents to their organization. The RDS allows for assessed entities to share assessment results through a secure web portal or API so that relying parties can more easily find and leverage the information they need to make better-informed decisions quicker.