The e1 Assessment and accompanying certification is designed to address the need for demonstrable assurances over an organization’s performance of foundational cybersecurity practices and the most critical cybersecurity threats, either via self-assessments or validation by External Assessors. This very narrow focus allows the e1 to move at the speed of business, providing insight into cybersecurity hygiene quickly.

This new assessment can also benefit assessed entities by: (1) serving as a stepping-stone to comprehensive assessments of security maturity and risk management such as the HITRUST i1 or HITRUST r2, or (2) being the targeted “end goal” assurance mechanism for organizations of specific (lower) risk profiles or in certain scenarios such as M&A activity, newly onboarded vendors, or newly implemented IT platforms.

Yes. The e1 Assessment is a replacement for the bC in Version 11 and later of the HITRUST CSF framework, and also in version two of the HITRUST Assessment XChange Third-party Risk Management (TPRM) methodology. Those who already have a bC Assessment underway in MyCSF or the XChange will be able to complete their bC without issue.

The “cyber threat-adaptive” innovation in the HITRUST e1 Assessment is one of the most important benefits that makes it unique. Simply stated, cyber threat-adaptive means that as the threat landscape evolves, the HITRUST CSF framework and e1 requirements will be updated to remain cyber relevant over time to reduce future risk. This cyber threat-adaptive proactivity to adjust and refresh information security control requirements on a regular basis to meet the latest and emerging cyberthreat activity, such as ransomware and phishing, differs dramatically from most common frameworks, which often remain unchanged for many years.

For current e1 pricing, contact your HITRUST Product Specialist by calling: 855-448-7878 or emailing: sales@hitrustalliance.net

The ability to perform e1 Assessments in MyCSF became available on 1/18/2023.

All 2023 and later HITRUST Academy courses will cover the e1 in detail.

No distinction. All HITRUST Authorized External Assessor Firms can perform e1, i1, and r2 Assessments.

Yes. For many organizations, the e1 will be the only information protection certification needed. Those organizations will simply perform a HITRUST e1 Validated Assessment annually.

No. HITRUST has no such requirement. The type of HITRUST certification an organization decides to pursue is based on many factors unique to each organization and its stakeholders.

Yes.

Yes. Readiness assessment options exist for e1, i1 or r2 Assessments.

No. Because the e1 is a one-year certification, no interim assessment is appropriate or necessary.

Yes. The e1 is not intended to be an interim assessment replacement, however it will be accepted by HITRUST instead of an interim assessment for organizations holding an r2 certification and opting to go this route. Organizations who wish to use an e1 in lieu of an interim assessment for an r2 certification should notify HITRUST Support of their intentions prior to beginning their e1 assessment.

No. HITRUST will only award bridge certificates to organizations holding r2 certifications.

No, Bridge Assessments cannot be used between r2 and e1 Assessments to close a gap in certification. Bridge Assessments are only available between r2 Assessments. For example, if an r2 Certification expires in July, and an organization cannot achieve an e1 Certification until December, a gap in certification status would exist for the months of August through November.

No. While r2 Assessments can be tailored to include all security control references present in the HITRUST CSF, e1 Assessments cannot. Those seeking the comprehensive HITRUST assessment option will need to perform an r2 Comprehensive Assessment.

No. While certain requirements within domain 19 are included in e1 Assessments, the e1 is designed to focus on cybersecurity only.

No.

All e1 Assessments created against HITRUST CSF v11 have 44 HITRUST CSF requirements. The selection of HITRUST CSF requirements included in an e1 Assessment cannot be tailored using inherent risk factor questions or through adding in regulatory factors such as GDPR. Those seeking a tailorable, risk-based HITRUST assessment option should instead perform an r2 Assessment.

No. HITRUST CSF requirement statements are not included in the free HITRUST CSF PDF download, and the e1 consists of a selection of HITRUST CSF requirement statements curated by HITRUST. Organizations interested in seeing the HITRUST CSF requirements included in an e1 Assessment are encouraged to create an e1 Assessment in MyCSF or to contact HITRUST.

No, they will evolve. The e1 includes controls selected to address emerging cyber threats actively being targeted today. This exercise to renew controls will be reperformed for each subsequent major and minor release of the HITRUST CSF and will result in the e1 requirement selections evolving over time to address the then-relevant cybersecurity threats.

As of Version 11 of the HITRUST CSF:
All HITRUST CSF requirements in the e1 can be found in all i1 and r2 assessments.
All HITRUST CSF requirements in the i1 can be found in all r2 assessments.

Yes. Just like on i1 and r2 Assessments.

Yes. Just like in i1 assessments, the e1 only evaluates “implemented” control maturity (not policy, procedure, measured, or managed). As a result, only the implemented square on the front of the rubric chart along with the full guidelines on the back are used during e1 Assessments. However, e1 assessments minimally consider written policies and/or procedures, as some HITRUST CSF requirements included in the e1 focus on the existence of such documents.

No. Because e1 Assessments (just like i1 assessments) do not include all control maturity levels and instead focus just on the control implementation maturity level, control maturity ratings such as 1-, 3, and 5+ are not used on e1 Assessments. Instead, only scores between 0 and 100 are used on e1 Assessments.

While it may appear that HITRUST raised the bar for certifying an e1 and i1 assessment relative to an r2 Assessment, all HITRUST assessment types actually enforce a very similar certification threshold as shown in the following table. In an r2 Assessment, the highest achievable score when assessing through the Implemented level is a 75. In an e1 and i1 assessment the highest score achievable when assessing through the implemented level is 100. So the certification “bar” is equal for all HITRUST assessment types.

Just like i1 assessments, for an e1 Validated Assessment to achieve certification, no assessment domain’s straight-average score can be below 83. By contrast, for an r2 Validated Assessment to earn an r2 Certification, no assessment domain’s straight-average score can be below 62.

Yes. Just like i1 assessments: The e1 allows for either a “carve-out method” or “inclusive method” for controls performed by separate parties (e.g., cloud service providers). The r2 Validated Assessment only allows the inclusive method.

You can take a few different routes in this scenario, depending on your MyCSF access level:
The first option is to create a new e1 Validated Assessment object in MyCSF and then internally inherit the scoring, commentary, and linked documents present in your i1 or r2 Assessment into your e1 Assessment. Then, complete the remainder of the e1 Assessment as needed and when ready, submit the e1 Assessment object to HITRUST.

A second option is to change your i1 or r2 Assessment object into an e1 Assessment object by modifying the pre-assessment configuration questions. After changing the object’s configuration from i1 or r2 to e1 and refreshing the assessment, it becomes an e1 Assessment object instead of an i1 or r2 Assessment object.

A third option is to clone your r2 Assessment object, then perform the steps outlined in option 2 against the cloned object.

90 days fieldwork maximum, just like i1 or r2 validated assessments.

No. For e1 Assessments, the incubation period for newly implemented and remediated controls is 90 days, the same as for i1 and r2 assessments.

Yes. It’s just like on i1 and r2 Assessments.

Just like i1 and r2 assessments: Yes, if allowed at the assessed entity’s MyCSF subscription level.

Just like i1 and r2 assessments: Evidence supporting any control implementation scores greater than 0 in validated assessments must be either linked or uploaded in MyCSF. Supporting evidence is not required during readiness assessments.

Yes and Yes. However, note that only the implemented level’s scoring can be inherited when inheriting from an e1 Assessment into an r2 Assessment given that e1 Assessments only consider control implementation. This limitation does not absolve those involved in r2 Assessments from either (a) accurately scoring the policy, procedure, and optionally measured and managed levels based on inspection of supporting evidence, or (b) scoring the policy, procedure, and (optionally) measured and managed scores at 0.

While HITRUST anticipates that most organizations who publish their HITRUST assessments for external inheritance will use r2 (or possibly i1) Assessments instead of e1 Assessments, service providers such as CSPs do have the option to only perform e1 Assessments. In this case, their customers/tenants inheriting from them will be limited to inheriting only the implemented scoring and commentary from the e1 and no policy, procedure, measured, or managed scoring will be available for inheritance.

Just like on i1 assessments: On e1 Assessments, HITRUST requires assessed entities to define Corrective Action Plans (CAPs) for all HITRUST CSF requirements meeting the following criteria: the requirement’s implemented maturity level scores less than “fully compliant” and the associated control reference (e.g., 00.a) averages less than 80. Any requirements where the implemented maturity level scores less than “fully compliant” and the associated control reference (e.g., 00.a) averages 80 or more, a gap is identified instead of a CAP.

Yes. It’s just like on i1 and r2 Validated Assessment submissions.

Yes. It’s just like on i1 and r2 Validated Assessment submissions, a QA reservation is required.

Yes and Yes. HITRUST performs a sample-based QA for e1 Validated Assessment submissions much in the same manner that we do for r2 and i1 Validated Assessment submissions. The notable difference is that HITRUST does not QA a sample of requirements with measured and/or managed scores on e1 or i1 submissions (as these assessments do not include the measured and managed control maturity levels).

The time necessary to perform a quality assurance review of any validated assessment submission varies based on the complexity of the assessment, on the quality of the External Assessor documentation, the quality and consistency of the External Assessor’s validation procedures, and on many other factors. However, the established HITRUST e1 post-submission Service Level Agreement (SLA) is not greater than 30 business days with HITRUST (otherwise the customer’s next e1 Validated Assessment report credit is free).

This Service Level Agreement (SLA) is calculated using a measurement called “days with HITRUST”. The measurement is calculated from the earlier of the day that HITRUST begins QA (the day the assessment moves into the Performing QA phase), or the last day of the QA Block from the reservation. Days are counted for any business days where the assessment is in a HITRUST-owned phase before the draft report is posted. Validated Assessment submissions entering escalated QA due to quality concerns are exempted from this SLA, as processing such submissions may take longer than processing non-escalated submissions. The days with HITRUST measure are visible to customers as part of the assessment details page within MyCSF. Should HITRUST exceed the stated SLA, customers can request a complimentary report credit by contacting their Customer Success Manager within 14 days after the final report has been issued.

Yes

No. Just a HITRUST certification.

No, the MyCSF Compliance and Reporting Pack for HIPAA cannot be run against i1 or e1 assessments. The MyCSF Compliance and Reporting Pack for HIPAA can be run against r2 assessments.

The HITRUST Results Distribution System (RDS) allows sharing e1 Assessment results through a web browser and/or API just like for i1 and r2 Assessment results. In addition, e1 PDF deliverables (e.g., the e1 Validated Assessment Report) can be shared through the HITRUST Assessment XChange just like i1 and r2 PDF deliverables.