
HITRUST Brings Rely-Ability™ and Efficiency to All Levels of Information Assurance

HITRUST assessments provide organizations with a proven and consistent means to evaluate and communicate their information security, privacy, and compliance program maturity with internal and external stakeholders. The HITRUST Assessment Portfolio meets a full range of needs with higher reliability by offering assurances at all levels.

Each HITRUST assessment helps organizations evaluate and understand the effectiveness of their own and their vendors’ cyber preparedness and resilience.

Mapping Risk to Level of Assurance Using the Patent Pending HITRUST Methodology

Third-party assurances have the power to radically improve organizational confidence in vendor security while also improving the overall efficiency of the third-party risk management process.

By accurately mapping a vendor’s inherent risk to the appropriate level of assurance, organizations and their third parties can access the enormous benefits of third-party assurances while optimizing and balancing the complex relationship between risks, resources, and time.

Enter the HITRUST Risk Triage Approach

The HITRUST Risk Triage approach begins with a careful evaluation to compute a vendor’s level of inherent risk. Once inherent risk is determined, the next step is mapping to the right level of assurance needed.

Organizations can then progress to assign specific assurance requirements on a vendor-by-vendor basis.

HITRUST Assessment Options Meet Every Level of Assurance

Organizations are seeking a broader range of assessments that appropriately balance the requirements of effort, time, and resources while still providing a level of reliability commensurate with risk. To meet organizational and vendor needs for varying assurances, HITRUST offers a full range of assessment options.

  • HITRUST Basic, Current-state (bC) Assessment*. The bC is a “good hygiene” self-assessment that offers higher reliability than other self-assessments and questionnaires by utilizing the HITRUST Assurance Intelligence Engine (AI Engine) to identify errors and omissions. *Will be replaced with a Cyber Essentials, 1-year (e1) Validated Assessment in January 2023
    Learn more about the HITRUST bC Assessment.
  • HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification. The i1 is a “best practices” assessment recommended for situations that present moderate risk. The i1 is a new class of information security assessment that is threat-adaptive, with a control set that evolves over time to deliver continuous cyber relevance. The i1 is designed to keep pace with the latest cyberattack threats, including ransomware and phishing. HITRUST i1 Readiness Assessment available.
    Learn more about the HITRUST i1 Assessment and Certification.
  • HITRUST Risk-based, 2-Year (r2) Validated Assessment + Certification. Formerly named the HITRUST CSF Validated Assessment, the r2 remains the industry gold standard as a risk-based and tailorable assessment that continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors. HITRUST r2 Readiness, Interim, and Bridge Assessments available.
    Learn more about the HITRUST r2 Assessment and Certification.

Which Assessment is Right for Me?

The comparison below covers the three assessment types: HITRUST Basic, Current-state Assessment (bC)*; HITRUST Implemented, 1-year (i1) Validated Assessment; and HITRUST Risk-based, 2-year (r2) Validated Assessment.

Description
  bC: Verified Self-Assessment
  i1: Validated Assessment + Certification
  r2: Validated Assessment + Risk-Based Certification

Purpose (Use Case)
  bC: Focus on good security hygiene controls in virtually any size organization with a simple approach to evaluation, which is suitable for rapid and/or low assurance requirements
  i1: A threat-adaptive assessment focused on best security practices with a more rigorous approach to evaluation, which is suitable for moderate assurance requirements
  r2: Focus on a comprehensive risk-based specification of controls suitable for most organizations with a very rigorous approach to evaluation, which is suitable for high assurance requirements

Number of Control Requirement Statements
  bC: 71
  i1: 219 pre-set controls that leverage security best practices and threat intelligence
  r2: 2000+ based on tailoring (360 average in scope of assessments)

Flexibility of Control Selection
  bC: Custom build from library
  i1: No tailoring
  r2: Tailoring

Evaluation Approach
  bC: 1×3: Control Implementation
  i1: 1×5: Control Implementation
  r2: 3×5 or 5×5: Control Maturity assessment against either 3 or 5 maturity levels

Targeted Coverage*
  bC: NISTIR 7621: Small Business Information Security Fundamentals
  i1: NIST SP 800-171, HIPAA Security Rule, GLBA Safeguards Rule, U.S. Department of Labor EBSA Cybersecurity Program Best Practices, Health Industry Cybersecurity Practices (HICP)
  r2: NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and nearly 40 others

Level of Assurance**
  bC: Low
  i1: Moderate
  r2: High

Relative Level of Effort
  bC: 0.5
  i1: 1.0
  r2: 5.0

Certifiable Assessment
  bC: No
  i1: Yes, 1 year
  r2: Yes, 2 year

Additional Assessments
  bC: None
  i1: Readiness
  r2: Readiness, Interim, Bridge

Control Carve-Outs (Control Requirements Performed by Subservice Providers)
  bC: Allows carve-outs or inclusion
  i1: Allows carve-outs or inclusion
  r2: Included

Shares Assurances Using the HITRUST Results Distribution System (RDS)
  bC: Yes
  i1: Yes
  r2: Yes

Leverages HITRUST Assurance Intelligence Engine to Prevent Omissions, Errors, or Fraud
  bC: Yes
  i1: Yes
  r2: Yes

*Will be replaced with a Cyber Essentials, 1-year (e1) Validated Assessment in January 2023

Actionable Methodology for Risk Qualification

By consistently applying the well-defined HITRUST TPRM Qualification Process, organizations can efficiently qualify (or requalify) third parties by obtaining assurances that are appropriate to the information security, privacy, and compliance risk they pose. In the example below, the calculated Inherent Risk Score identifies the specific HITRUST Assessment needed.

For more information on how to determine inherent risk and select assessments, download your No-Cost HITRUST QUICK-START GUIDE for Managing Vendor Information Risk.

Each HITRUST Assessment is Part of the Industry-Leading HITRUST Approach

End-to-end solutions ensure transparency, accuracy, consistency, and integrity across the HITRUST Assessment Portfolio and make it easier for assessed entities to transition to higher levels of assurance as their programs mature.

HITRUST CSF. Comprehensive, prescriptive information risk management framework harmonizes more than 40 standards and authoritative sources.

HITRUST MyCSF. Best-in-class SaaS platform interfaces with the CSF framework to scope and perform comprehensive and accurate information risk assessments, streamline remediation activities, and report and track compliance.

HITRUST Assurance Program. Uses proven methodologies, rigorous Quality Assurance processes, and innovative tools and technologies to deliver results that are reliable, accurate, transparent, and consistent.

HITRUST Results Distribution System (RDS). Allows relying parties to view third-party assessment results through a highly secure web portal or API making it easier to find and view the information needed to make better-informed decisions faster.

Inheritance. Reduces time, effort, and cost by inheriting control scoring, assessment information, and results from previously completed HITRUST Assessments.

HITRUST Assurance Intelligence Engine (AIE). Adds efficiency to the quality review process with a layer of automated checks that analyze assessment documentation for oversights, inconsistencies, and errors.

FOR CURRENT PRICING OR MORE INFORMATION: Contact your HITRUST Product Specialist
Call: 855-448-7878 or Email: sales@hitrustalliance.net

*Targeted Coverage means substantial coverage is intended
** A particular level of assurance (e.g., low, medium/moderate, or high) is generally characterized by the relative level of suitability, impartiality, and rigor in the approach used to specify, assess, and report on the effectiveness of information security and privacy controls and the risks they are intended to manage.

Download the HITRUST Assessment Portfolio Overview Brochure
