i1 Rapid Recertification FAQs
Does an i1 Rapid Recertification require a MyCSF Subscription?
Yes. The Assessed Entity must be in a full MyCSF subscription to perform the i1 Rapid Recertification. Assessed Entities who used a Lite Bundle, must upgrade to at least a Professional subscription to perform an i1 Rapid Recertification.
How long is the i1 Rapid Recertification fieldwork period?
Can I use the i1 Rapid Recertification Assessment if my previous i1 Certification has already expired?
No, the External Assessor 90-day fieldwork period must be completed by the expiration date of the previous i1 Certification, so that the Management Representation Letter may be dated such that there is no gap between the expiration of the previous certification date and the date on the Management Representation Letter. The i1 Rapid Recertification Assessment must be submitted to HITRUST within 30 days following the expiration of the previous i1 Certification.
I want to add a new system to the scope of my assessment that was not included in scope during my previous i1 Assessment. Can I use the i1 Rapid Recertification Assessment?
No, the i1 Rapid Recertification must use the same scope as the previous i1 assessment. To assess a different scope, a full i1 assessment must be completed.
My current i1 assessment was performed using CSF v9.6.2. Can I use the i1 Rapid Recertification Assessment for my next certification?
No, the i1 Rapid Recertification may only be used after completing a full i1 Assessment using v11.
Does the i1 Rapid Recertification extend my i1 Certification from 1 year to 2 years in length?
No. The i1 Rapid Recertification does not extend the previous i1 Certification, but instead provides a new i1 Certification that is valid for 1 year. The new i1 Certification begins on the date of the Management Representation Letter for the i1 Rapid Recertification Assessment.
Do I need to score all N/A requirements in the i1 Rapid Recertification?
All requirement statements that were marked as N/A in the full i1 Assessment will be included in the i1 Rapid Recertification with the N/A rationale rolled forward from the full i1 Assessment. During the performance of the i1 Rapid Recertification, the Assessed Entity must review the rationale for each N/A requirement statement to confirm that it is still appropriate or update it if necessary.
Does the i1 Rapid Recertification use the same CSF version as the previous i1 Assessment?
The i1 Rapid Recertification Assessment will use the most recent CSF version at the time that the i1 Rapid Recertification is created. This will likely not be the same CSF version that was used for the previous i1 Assessment.
What is the output of the i1 Rapid Recertification Assessment?
If the average domain scores meet the threshold for i1 Certification, the i1 Rapid Recertification results in an i1 Certification and the same full i1 Certification report and i1 Certification letters that are issued when a full i1 Assessment is performed. If the average domain scores do not meet the threshold for i1 Certification, the i1 Rapid Recertification results in a full i1 Validated Assessment report.
Will my final report indicate that an i1 Rapid Recertification was performed instead of a full i1 Assessment?
No, the final report will not indicate that an i1 Rapid Recertification was performed.
How is the sample of 60 requirement statements selected?
The sample of requirement statements that are required to be assessed are randomly selected by MyCSF.
Are the scores that are rolled forward from the previous i1 Assessment considered when identifying CAPs in the i1 Rapid Recertification?
Yes, the scores that have been carried over will be used to determine the control reference average scores that are used to identify CAPs. Note: When CAP requirement statements are included, they are counted as part of the 60 random requirements and are not added to the 60.
Does the Assessed Entity have the option to reassess controls that are not required to be tested within the i1 Rapid Recertification assessment?
If the Assessed Entity would like to show improvement on a requirement statement that is not already required to be assessed in the i1 Rapid Recertification, the Assessed Entity may optionally include any of these requirement statements by toggling the requirement statement in MyCSF from read-only to an editable state.
What is the meaning of control degradation?
Control degradation is present when a control is no longer operating at the level that it was during the performance of the previous i1 Assessment. While some degree of control fluctuation is allowed between the performance of the full i1 Assessment and the i1 Rapid Recertification, the presence of material control degradation disqualifies the Assessed Entity from performing an i1 Rapid Recertification.
Note that not every score that is lowered in the i1 Rapid Recertification is considered control degradation. Scores lowered due to an error in the External Assessor’s testing approach or testing documentation are not considered control degradation as they do not represent issues in the operation of the control.
If I must expand the sample of requirement statements tested in the i1 Rapid Recertification due to scores lowered during QA, will I need to change the date on the Management Representation Letter?
No, the Management Representation Letter date does not need to be updated if the sample of requirement statements is expanded after the assessment has begun QA. However, if it is necessary to convert the i1 Rapid Recertification to a full i1 Assessment at any time, the Management Representation Letter must be redated upon the completion of testing for the full i1 Assessment.
How long is QA expected to take for the i1 Rapid Recertification once HITRUST accepts the submission and begins review?
The Service Level Agreement (SLA) for completion is the same as an i1, which is not greater than 45 business days with HITRUST.
Where can I learn more about the i1 Rapid Recertification?