HITRUST Brings Rely-Ability™ and Efficiency to All Levels of Information Assurance

All HITRUST assessments leverage a single methodology, framework, assessment platform, and the HITRUST Results Distribution System (RDS) to deliver the best information protection assurances needed for full Rely-Ability and efficiency. This proven approach ensures transparency, accuracy, consistency, and integrity across the HITRUST assessment portfolio and makes it easier for assessed entities to transition to higher levels of assurance as their program matures. Each HITRUST assessment helps organizations evaluate and understand the effectiveness of their cyber preparedness and resilience.

HITRUST assessments give organizations a means to assess their current state of information security and compliance and to communicate it to internal and external stakeholders, along with Corrective Action Plans (CAPs) to address any identified deficiencies. Now, the HITRUST Assessment Portfolio meets market needs with higher reliability by offering assurances at all levels, including low, moderate, and high.

HITRUST Approach to Information Risk Management and Compliance

Best-in-class, integrated solutions that align to provide world-class information protection assurances.

HITRUST CSF Framework. All assessments are scoped and built using our risk-based security and privacy controls framework, which maps to more than 40 authoritative sources and is regularly updated.

HITRUST MyCSF SaaS Platform. Interfaces with the CSF information risk management framework to scope and perform comprehensive and accurate information risk assessments, streamline remediation activities, and report and track compliance.

HITRUST Assurance Program. Providing prescriptive methodologies and granular oversight, the HITRUST Assurance Program ensures the consistency and quality of all HITRUST Assessments.

Results Distribution System (RDS) for All HITRUST Assessments. The RDS allows assessed entities to share assessment results through a highly secure web portal or API so that relying parties can more easily find and view the information they need to make better-informed decisions faster.

Authorized External Assessor Program. HITRUST trains and certifies a broad network of Authorized External Assessor organizations, ensuring that your organization can be confident partnering with any of our trusted assessment professionals, who offer everything from consulting services to third-party validation.

Assessment Options to Meet Every Level of Assurance

[Image: comparison of the new assessment types by level of assurance and effort]

There are many situations where a moderate or low level of assurance is warranted. That’s why organizations are seeking a broader range of assessment options that require less effort and time to perform while still providing a level of reliability that is commensurate with moderate and lower risk scenarios. To meet market needs for varying levels of assurance, HITRUST is adding two new assessment offerings. While the HITRUST Risk-based, 2-Year (r2) Validated Assessment – formerly named the HITRUST CSF Validated Assessment – will continue to provide the highest level of information protection assurance, with two new additions, the HITRUST assessment portfolio now includes:

  • HITRUST Basic, Current-state (bC) Assessment. The bC is a “good hygiene” self-assessment that offers higher reliability than other self-assessments and questionnaires by utilizing the HITRUST Assurance Intelligence Engine (AI Engine) to identify errors and omissions.
  • HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification. The i1 is a “best practices” assessment recommended for situations that present moderate risk. The i1 is a new class of information security assessment that is threat-adaptive, with a control set that evolves over time to deliver continuous cyber relevance. The i1 is designed to keep pace with the latest cyberattack threats, including ransomware and phishing. HITRUST i1 Readiness Assessment available.
  • HITRUST Risk-based, 2-Year (r2) Validated Assessment + Certification. Formerly named the HITRUST CSF Validated Assessment, the r2 remains the industry gold standard as a risk-based and tailorable assessment that continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors. HITRUST r2 Readiness, Interim, and Bridge Assessments available.


Which Assessment is Right for Me?

| | Current-state Assessment (bC) | HITRUST Implemented, 1-year (i1) Validated Assessment | HITRUST Risk-based, 2-year (r2) Validated Assessment (Former Name: HITRUST CSF Validated Assessment) |
|---|---|---|---|
| Description | Verified Self-Assessment | Validated Assessment + Certification | Validated Assessment + Risk-Based Certification |
| Purpose (Use Case) | Focus on good security hygiene controls in virtually any size organization with a simple approach to evaluation, which is suitable for rapid and/or low assurance requirements | A threat-adaptive assessment focused on best security practices with a more rigorous approach to evaluation, which is suitable for moderate assurance requirements | Focus on a comprehensive risk-based specification of controls suitable for most organizations with a very rigorous approach to evaluation, which is suitable for high assurance requirements |
| Number of Control Requirement Statements | 71 | 219 Pre-Set Controls that leverage security best practices and threat intelligence | 2000+ based on Tailoring (360 average in scope of assessments) |
| Flexibility of Control Selection | Custom Build from Library | No Tailoring | Tailoring |
| Evaluation Approach | 1×3: Control Implementation | 1×5: Control Implementation | 3×5 or 5×5: Control Maturity assessment against either 3 or 5 maturity levels |
| Targeted Coverage* | NISTIR 7621: Small Business Information Security Fundamentals | NIST SP 800-171, HIPAA Security Rule, GLBA Safeguards Rule, U.S. Department of Labor EBSA Cybersecurity Program Best Practices, Health Industry Cybersecurity Practices (HICP) | NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and nearly 40 others |
| Level of Assurance** | Low | Moderate | High |
| Relative Level of Effort | 0.5 | 1.0 | 5.0 |
| Certifiable Assessment | No | Yes, 1 Year | Yes, 2 Year |
| Additional Assessments | None | Readiness | Readiness, Interim, Bridge |
| 4th-Party-Performed Controls (Control Requirements Performed by Subservice Providers) | Allows Carve-Outs or Inclusion | Allows Carve-Outs or Inclusion | Included |
| Shares Assurances Using the HITRUST Results Distribution System (RDS) | Yes | Yes | Yes |
| Leverages HITRUST Assurance Intelligence Engine to Prevent Omissions, Errors, or Fraud | Yes | Yes | Yes |

* Targeted Coverage means substantial coverage is intended.
** A particular level of assurance (e.g., low, medium/moderate, or high) is generally characterized by the relative level of suitability, impartiality, and rigor in the approach used to specify, assess, and report on the effectiveness of information security and privacy controls and the risks they are intended to manage.


Download the HITRUST CSF

The HITRUST Approach is built upon the comprehensive and scalable HITRUST CSF framework, which helps organizations of all sizes implement and enhance information risk management and compliance programs. For eligible organizations, the HITRUST CSF is available to download free of charge.

