HITRUST Brings Rely-Ability™ and Efficiency to All Levels of Information Assurance
Enhanced HITRUST CSF framework improves functionality and efficiency across the entire HITRUST Assessment Portfolio
HITRUST continuously reviews and improves the HITRUST CSF® framework. CSF® Version 11 makes cybersecurity control assessments more efficient and effective by adding numerous enhancements that increase threat protection, add program flexibility, and reduce the ongoing effort for security assurances.

Top Reasons the HITRUST CSF v.11 Enhances and Redefines the HITRUST Assessment Portfolio
- New entry-level Essentials (e1) Assessment + Certification focuses on the most essential and foundational cybersecurity controls.
- The e1 provides an excellent starting point for enterprises early in their program maturity, or as the final assurance destination for low-risk organizations.
- Unique assessment portfolio design supports an efficient path to program maturity by sharing common controls that build on each other to simplify the journey toward stronger security capabilities and assurances.
- Inheritance of control scoring and evaluation investments from previous HITRUST assessments make the assessment process faster and easier to perform.
- Each assessment strikes the right balance of time and effort to achieve the appropriate level of HITRUST assurance.
Which Assessment is Right for Me?
(New) HITRUST Essentials, 1-Year (e1) Assessment Foundational Cybersecurity |
HITRUST Implemented, 1-year (i1) Assessment Leading Practices |
HITRUST Risk-based, 2-year (r2) Assessment Expanded Practices |
|
---|---|---|---|
Description | Validated Assessment + Certification | Validated Assessment + Certification | Validated Assessment + Certification |
Purpose (Use Case) | Provides entry-level assurance focused on the most critical cybersecurity controls and demonstrates that essential cybersecurity hygiene is in place | Provides a moderate level of assurance that addresses cybersecurity leading practices and a broader range of active cyber threats than the e1 assessment | A high level of assurance that focuses on a comprehensive risk-based specification of controls with an expanded approach to risk management and compliance evaluation |
Certifiable Assessment | Yes, 1 Year | Yes, 1 Year + Rapid Recertification in Year 2 | Yes, 2 Years |
Number of HITRUST CSF Requirements on a 2-Year Basis and Maturity Levels Considered |
44 (Year 1), 44 (Year 2) Implemented |
182 (Year 1), ~60 (Year 2 with Rapid Recertification) Implemented |
~375 Avg. (Year 1), ~40 (Year 2 Interim Assessment) Policy, Procedure, and Implemented |
Policy and Procedure Consideration |
Minimal | Minimal | Thorough |
Level of Security Assurance |
Low | Moderate | High |
Level of Assurance** | Low | Moderate | High |
Flexibility of Control Selection |
No Tailoring | No Tailoring | Tailoring |
Evaluation Approach | 1×5: Implementation control maturity level | 1×5: Implementation control maturity level | 3×5 or 5×5: Control Maturity assessment against either 3 or 5 maturity levels |
Leverages Cyber threat Intelligence to provide a threat-adaptive assessment |
Yes | Yes | Yes |
Provides Targeted Coverage for one or more authoritative sources |
No | No | Yes, if selected |
Alignment with Authoritative Sources |
CISA Cyber Essentials, Health Industry Cybersecurity Practices (HICP) for Small Healthcare Organizations, NIST 171’s Basic Requirements, NIST IR 7621 | NIST SP 800-171 (Basic and Derived Requirements), HIPAA Security Rule, and HICP for Medium-Sized Organizations | NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, PCI DSS, GDPR, and Dozens of Others |
Supporting Assessments | Readiness | Readiness, Rapid Recertification | Readiness, Interim, Bridge |
Leverages HITRUST RDS to Share Results |
Yes | Yes | Yes |
Leverages AI Engine to Prevent Omissions and Errors |
Yes | Yes | Yes |
Learn More
HITRUST Essentials, 1-year (e1) Assessment
HITRUST Implemented, 1-year (i1) Assessment
HITRUST Risk-based, 2-year (r2) Assessment
Not only do HITRUST assessments deliver the assurances your organization needs, but they also provide flexible options for managing third-party risk by requesting vendors to reach a targeted assurance level in progressive steps.
FOR CURRENT PRICING OR MORE INFORMATION: Contact your HITRUST Product Specialist
Call: 855-448-7878 or Email: sales@hitrustalliance.net
Learn more about using HITRUST Assessment for Third-Party Risk Management (TPRM)