For a comparison of the v9.6 i1 requirement statement to the v11.0 i1 requirement statements click here.

The i1 Assessment is designed to address the need for a continuously-relevant cyber security assessment that aligns and incorporates best practices and leverages the latest threat intelligence to maintain applicability with information security risks and emerging cyber threats, such as ransomware and phishing. The design and selection of the controls for the i1 Assessment puts it in a new class of information security assessment that is “threat-adaptive” – developed to maintain relevance over time as threats evolve and new risks emerge, while retiring controls no longer deemed material. The i1 Assessment is intended for organizations needing a moderate level of assurance that delivers full transparency, accuracy, consistency, and integrity.

The “cyber threat-adaptive” innovation in the HITRUST i1 Assessment is one of the most important benefits that makes it a strong Leading Security Practices assurance. Simply stated, cyber threat-adaptive means that as the threat landscape evolves, the HITRUST CSF framework and i1 requirements will be updated to remain cyber relevant over time to reduce future risk. This threat-adaptive proactivity to adjust and refresh information security control requirements on a regular basis to meet the latest and emerging cyberthreat activity, such as ransomware, brute force, and phishing, differs dramatically from most common frameworks, which often remain unchanged for many years.

Yes. For many organizations, the i1 will be the only information protection certification needed. Those organizations will simply perform a HITRUST i1 Validated Assessment annually. Using CSF v11, HITRUST offers a Rapid Recertification for i1 Assessments which streamlines achieving the next i1 1-year Certification. i1 Rapid Recertification can be used every other year between full i1 Assessments.

The Rapid Recertification option for i1 assessments provides an accelerated way to recertify. The Rapid Recertification allows Assessed Entities and their External Assessors to evaluate a sample of requirement statements that were scored in the original i1 Assessment. Upon successfully demonstrating that the control environment has not materially degraded, the Assessed Entity is permitted to roll forward scores from their certified i1 Assessment for the remaining requirement statements – thus reducing the amount of testing required to complete the assessment. Requirement statements that required a CAP during the full i1 Assessment are required to be assessed during the i1 Rapid Recertification Assessment.

For Additional Details, Please Refer to Advisory HAA 2023-005: i1 Rapid Recertification.

No. Because the i1 is a one-year certification, no interim assessment is appropriate or necessary.

All i1 Assessments created against HITRUST CSF v11 have 182 HITRUST CSF requirements. The selection of HITRUST CSF requirements included in an i1 Assessment cannot be tailored using inherent risk factor questions or through adding in regulatory factors such as GDPR. Those seeking a tailorable, risk-based HITRUST assessment option should instead perform an r2 Assessment.

No.

No. While certain requirements within domain 19 are included in i1 Assessments, the i1 is designed to focus on cybersecurity only.

For current i1 pricing, contact your HITRUST Product Specialist by calling: 855-448-7878 or emailing: sales@hitrustalliance.net

The ability to perform i1 Assessments in MyCSF is now available.

All 2022 and later HITRUST Academy courses will cover the i1 in detail.

No distinction. All HITRUST Authorized External Assessor Firms can perform both r2 and i1 Assessments.

No. HITRUST has no such requirement. The type of HITRUST certification an organization decides to pursue is based on many factors unique to each organization and its stakeholders.

Yes.

Yes. Readiness assessment options exist for both i1 and r2 Assessments.

Yes. The i1 is not intended to be an Interim assessment replacement, however it will be accepted by HITRUST instead of an Interim assessment for organizations holding an r2 Certification and opting to go this route. Organizations who wish to use an i1 in lieu of an interim assessment for an r2 Certification should notify HITRUST Support of their intentions prior to beginning their i1 assessment.

No. HITRUST will only award bridge certificates to organizations holding r2 Certifications.

No, Bridge Assessments cannot be used between r2 and i1 Assessments to close a gap in certification. Bridge Assessments are only available between r2 Assessments. For example, if an r2 Certification expires in July, and an organization cannot achieve an i1 Certification until December, a gap in certification status would exist for the months of August through November.

No. While r2 Assessments can be tailored to include all security control references present in the HITRUST CSF, i1 Assessments cannot. Those seeking the comprehensive HITRUST assessment option will need to perform an r2 Comprehensive Assessment.

No. HITRUST CSF requirement statements are not included in the free HITRUST CSF PDF download, and the i1 consists of a selection of HITRUST CSF requirement statements. Organizations interested in seeing the HITRUST CSF requirements included in an i1 Assessment are encouraged to create an i1 Assessment in MyCSF.

The HITRUST i1 is designed to be an evolving, threat-adaptive assessment that leverages threat intelligence and best practice controls to deliver an assessment that addresses relevant practices and emerging cyber threats. HITRUST carefully selected the HITRUST CSF requirements included in i1 Assessments against numerous acceptance criteria, including:

• The i1 is designed to be an industry-agnostic assessment; the HITRUST CSF requirements included in i1 Assessments and their associated illustrative procedures and evaluative elements are also industry-agnostic and do not use any terminology specific to the US federal government or germane to any specific legislation or authoritative source (e.g., does not include terms such as “protected health information”, “cardholder data,” or “authority to operate”).
• HITRUST leveraged threat intelligence data from a leading threat intelligence provider spanning May 2021 to October 2021 to influence the selection of the technically-focused HITRUST CSF requirements included in i1 Assessments. As a result, the i1 includes controls selected exclusively to address cyber threats actively being targeted today. This exercise will be reperformed for each subsequent major and minor release of the HITRUST CSF and no less than quarterly and will result in the i1 requirement selection evolving over time considering the then-relevant cybersecurity threats.
• The i1 is designed to be a combination of good security hygiene controls and cybersecurity best-practice controls. Its design affords a high degree of coverage against authoritative sources generally viewed as security best practices. As a result, the HITRUST CSF requirements included in i1 Assessments provide a high degree of coverage against sources such as the HIPAA Security Rule; NIST SP 800-171; the NAIC Data Security Law; the FTC’s GLBA Safeguards Rule (both the current version as well as the 2021 proposed update); NISTIR 7621: Small Business Information Security Fundamentals; the DOL’s EBSA Cybersecurity Program Best Practices; and the HITRUST CSF requirements included in the HITRUST Basic, Current-state (bC) Assessment.
• All HITRUST CSF assessment domains and CSF control categories are represented in the i1.

No, they will evolve. The i1 includes controls selected to address emerging cyber threats actively being targeted today. This exercise to renew controls will be reperformed for each subsequent major and minor release of the HITRUST CSF and will result in the i1 requirement selections evolving over time to address the then-relevant cybersecurity threats.

As of Version 11 of the HITRUST CSF:
All HITRUST CSF requirements in the i1 can be found in all r2 assessments.
Alt HITRUST CSF requirements in the e1 can be found in all i1 and r2 assessments.

• The HIPAA Security Rule requires organizations to implement various security controls, perform a risk analysis, and establish reasonable and appropriate policies and procedures to comply with HIPAA standards and implementation specifications. To meet these requirements appropriately requires a HITRUST Risk-based, 2-year (r2) Validated Assessment (formerly the CSF Validated Assessment) because the comprehensive assurance methodology used in the r2 Validated Assessment includes a review of controls for implementation, processes, and procedures, whereas other assessments in the HITRUST portfolio do not.
• However, there may be instances when an organization has only implemented or partially implemented controls and does not already have an appropriate set of established policies and procedures, so they want to evaluate progress and effort towards HIPAA compliance. In this instance, an Implemented, 1-year (i1) Validated Assessment would be suitable as an intermediate step towards an r2 Validated Assessment, which is designed to demonstrate full HIPAA compliance.

• HIPAA includes several components (e.g., EDI rules specified in 45 CFR §162) which are outside the scope of any information protection framework. As a result, the HITRUST CSF—as an information protection framework—does not address all HIPAA requirements. However, the HITRUST CSF—again, as an information protection framework— does include controls and requirements which can be used to support assertions of compliance with HIPAA’s security, breach notification, and privacy rule requirements specified in 45 CFR §164.
• Organizations seeking demonstrable compliance with HIPAA’s security, breach notification, and privacy rule requirements specified in 45 CFR §164 are encouraged to explore the HITRUST r2 Validated Assessment offering. The r2 Assessment’s use of inherent risk factors (e.g., whether wireless is included in the scope of the assessment) helps derive a risk-based listing of HITRUST CSF requirements tailored to the organization’s unique needs.
• However, because the i1 was designed as a combination of good cybersecurity hygiene controls and cybersecurity best practices, the i1 affords a high degree of coverage against authoritative sources generally viewed as such. As a result, the HITRUST CSF requirements included in i1 Assessments provide a high degree of coverage against many authoritative sources (including HIPAA Security Rule). The HITRUST CSF requirements included in i1 Assessments created using v9.6 mapping to approximately 95% of the HIPAA Security Rule. The 5% of the HIPAA Security Rule’s requirements which do not have corresponding HITRUST CSF requirements in i1 Assessments—namely 164.316(b)(2)(i), 164.314(b)(1), 164.314(b)(2)(i), 164.314(b)(2)(ii), 164.314(b)(2)(iii), and 164.314(b)(2)(iv)—are those that are too healthcare-industry specific to be included in the i1, which is an industry-agnostic cybersecurity assessment. Also, note that the i1 does not include any HITRUST CSF requirements directly mapping to requirements found in the HIPAA breach notification rule or the HIPAA privacy rule.

Yes. Just like on e1 or r2 Assessments.

Yes. However, the way the rubric is used differs from r2 Assessments because the i1 only evaluates “implemented” control maturity (not policy, procedure, measured, or managed). As a result, only the implemented square on the front of the rubric chart along with the full guidelines on the back are used during i1 Assessments.

No. Because i1 Assessments do not include all control maturity levels and instead focus just on control implementation, control maturity ratings such as 1-, 3, and 5+ are not used on i1 Assessments. Instead, only scores between 0 and 100 are used on i1 Assessments.

While it may appear that HITRUST raised the bar for certifying an i1 Assessment relative to an r2 Assessment, i1 and r2 Assessments actually enforce a very similar certification threshold as shown in the following table. In an r2 Assessment, the highest achievable score when assessing through the Implemented level is a 75. In an i1 Assessment the highest score achievable when assessing through the implemented level is 100. So the certification “bar” is equal for all HITRUST assessment types.

For an i1 Validated Assessment to achieve certification, no assessment domain’s straight-average score can be below 83. By contrast, for an r2 Validated Assessment to earn an r2 Certification, no assessment domain’s straight-average score can be below 62.

Yes. The i1 allows for either a “carve-out method” or “inclusive method” for controls performed by separate parties (e.g., cloud service providers). The r2 Validated Assessment only allows the inclusive method.

You can take a few different routes in this scenario, depending on your MyCSF access level:

• The first option is to create a new i1 Validated Assessment object in MyCSF and then internally inherit the scoring, commentary, and linked documents present in your r2 Assessment into your i1 Assessment. Then, complete the remainder of the i1 Assessment as needed and when ready, submit the i1 Assessment object to HITRUST.
• A second option is to change your r2 Assessment object into an i1 Assessment object by modifying the pre-assessment configuration questions. After changing the object’s configuration from r2 to i1 and refreshing the assessment, it becomes an i1 Assessment object instead of an r2 Assessment object.
• A third option is to clone your r2 Assessment object, then perform the steps outlined in option 2 against the cloned object.

90 days fieldwork maximum, just like the r2.

No. For i1 Assessments, the incubation period for newly implemented and remediated controls is 90 days, the same as for the r2.

Yes. It’s just like on e1 or r2 Assessments.

Yes, if allowed at the assessed entity’s MyCSF subscription level.

Yes. Evidence supporting any control implementation scores greater than 0 must be either linked or uploaded in MyCSF.

Yes and Yes. However, note that only the implemented level’s scoring can be inherited when inheriting from an i1 Assessment into an r2 Assessment given that i1 Assessments only consider control implementation. This limitation does not absolve those involved in r2 Assessments from either (a) accurately scoring the policy, procedure, and optionally measured and managed levels based on inspection of supporting evidence, or (b) scoring the policy, procedure, and (optionally) measured and managed scores at 0.

While HITRUST anticipates that most organizations who publish their HITRUST assessments for external inheritance will use r2 Assessments instead of i1 Assessments, service providers such as CSPs do have the option to only perform i1 Assessments. In this case, their customers/tenants inheriting from them will be limited to inheriting only the implemented scoring and commentary from the i1 and no policy, procedure, measured, or managed scoring will be available for inheritance.

On i1 Assessments, HITRUST requires assessed entities to define Corrective Action Plans (CAPs) for all HITRUST CSF requirements meeting the following criteria: the requirement’s implemented maturity level scores less than “fully compliant” and the associated control reference (e.g., 00.a) averages less than 80. Any requirements where the implemented maturity level scores less than “fully compliant” and the associated control reference (e.g., 00.a) averages 80 or more, a gap is identified instead of a CAP.

Yes. It’s just like on r2 Validated Assessment submissions.

Yes. It’s just like on e1 or r2 Validated Assessment submissions, a QA reservation is required.

Yes and Yes. HITRUST performs a sample-based QA for i1 Validated Assessment submissions much in the same manner that we do for r2 Validated Assessment submissions. The notable difference is that HITRUST does not QA a sample of requirements with measured and/or managed scores on i1 submissions (as i1 Assessments do not include the measured and managed control maturity levels).

The time necessary to perform a quality assurance review of any validated assessment submission varies based on the complexity of the assessment, on the quality of the External Assessor documentation, the quality and consistency of the External Assessor’s validation procedures, and on many other factors. However, the established HITRUST i1 post-submission Service Level Agreement (SLA) is not greater than 45 business days with HITRUST (otherwise the customer’s next i1 Validated Assessment report credit is free).

This Service Level Agreement (SLA) is calculated using a measurement called “days with HITRUST”. The measurement is calculated from the earlier of the day that HITRUST begins QA (the day the assessment moves into the Performing QA phase), or the last day of the QA Block from the reservation. Days are counted for any business days where the assessment is in a HITRUST-owned phase before the draft report is posted. Validated Assessment submissions entering escalated QA due to quality concerns are exempted from this SLA, as processing such submissions may take longer than processing non-escalated submissions. The days with HITRUST measure are visible to customers as part of the assessment details page within MyCSF. Should HITRUST exceed the stated SLA, customers can request a complimentary report credit by contacting their Customer Success Manager within 14 days after the final report has been issued.

Yes.

No. Just a HITRUST certification.

No, the MyCSF Compliance and Reporting Pack for HIPAA cannot be run against i1 Assessments. The MyCSF Compliance and Reporting Pack for HIPAA can be run against r2 Assessments.

i1 PDF deliverables (e.g., the i1 Validated Assessment Report) can be shared through the HITRUST Assessment XChange (“HAX”) just like r2 PDF deliverables. In addition, the HITRUST Results Distribution System (RDS) allows sharing i1 Assessment results through a web browser and/or API just like for e1 and r2 Assessment results.