HITRUST Assessments banner image

HITRUST Brings Rely-Ability™ and Efficiency to All Levels of Information Assurance

Enhanced HITRUST CSF framework improves functionality and efficiency across the entire HITRUST Assessment Portfolio

HITRUST continuously reviews and improves the HITRUST CSF® framework. CSF® Version 11 makes cybersecurity control assessments more efficient and effective by adding numerous enhancements that increase threat protection, add program flexibility, and reduce the ongoing effort for security assurances.

Top Reasons the HITRUST CSF v.11 Enhances and Redefines the HITRUST Assessment Portfolio

  • New entry-level Essentials (e1) Assessment + Certification focuses on the most essential and foundational cybersecurity controls.
  • The e1 provides an excellent starting point for enterprises early in their program maturity, or as the final assurance destination for low-risk organizations.
  • Unique assessment portfolio design supports an efficient path to program maturity by sharing common controls that build on each other to simplify the journey toward stronger security capabilities and assurances.
  • Inheritance of control scoring and evaluation investments from previous HITRUST assessments make the assessment process faster and easier to perform.
  • Each assessment strikes the right balance of time and effort to achieve the appropriate level of HITRUST assurance.

Which Assessment is Right for Me?

(New) HITRUST Essentials, 1-Year (e1) Assessment
Foundational Cybersecurity 
HITRUST Implemented,
1-year (i1) Assessment
Leading Practices
HITRUST Risk-based,
2-year (r2) Assessment
Expanded Practices
Description Validated Assessment + Certification Validated Assessment + Certification Validated Assessment + Certification
Purpose (Use Case) Provides entry-level assurance focused on the most critical cybersecurity controls and demonstrates that essential cybersecurity hygiene is in place Provides a  moderate level of assurance that addresses cybersecurity leading practices and a broader range of active cyber threats than the e1 assessment  A high level of assurance that focuses on a comprehensive risk-based specification of controls with an expanded approach to risk management and compliance evaluation
Certifiable Assessment Yes, 1 Year Yes, 1 Year  + Rapid Recertification in Year 2 Yes, 2 Years
Number of HITRUST CSF Requirements on a 2-Year Basis and  Maturity Levels Considered 
44 (Year 1), 44 (Year 2)
182 (Year 1), ~60 (Year 2 with Rapid Recertification)
~375 Avg. (Year 1), ~40 (Year 2 Interim Assessment)  
Policy, Procedure, and Implemented
Policy and Procedure Consideration
Minimal Minimal Thorough
Level of Security Assurance
Low Moderate High
Level of Assurance** Low Moderate High
Flexibility of Control Selection
No Tailoring No Tailoring Tailoring
Evaluation Approach 1×5: Implementation control maturity level 1×5: Implementation control maturity level 3×5 or 5×5: Control Maturity assessment against either 3 or 5 maturity levels
Leverages Cyber threat Intelligence to provide a threat-adaptive assessment
Yes Yes Yes
Provides Targeted Coverage for one or more authoritative sources
No No Yes, if selected
Alignment with Authoritative Sources
CISA Cyber Essentials, Health Industry Cybersecurity Practices (HICP) for Small Healthcare Organizations, NIST 171’s Basic Requirements,  NIST IR 7621 NIST SP 800-171 (Basic and Derived Requirements), HIPAA Security Rule, and HICP for Medium-Sized Organizations NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, PCI DSS, GDPR, and Dozens of Others
Supporting Assessments Readiness Readiness, Rapid Recertification Readiness, Interim, Bridge
Leverages HITRUST RDS to Share Results
Yes Yes Yes
Leverages AI Engine to Prevent Omissions and Errors
Yes Yes Yes


Learn More

HITRUST Essentials, 1-year (e1) Assessment
HITRUST Implemented, 1-year (i1) Assessment
HITRUST Risk-based, 2-year (r2) Assessment

Not only do HITRUST assessments deliver the assurances your organization needs, but they also provide flexible options for managing third-party risk by requesting vendors to reach a targeted assurance level in progressive steps.

Call: 855-448-7878 or Email: sales@hitrustalliance.net

Learn more about using HITRUST Assessment for Third-Party Risk Management (TPRM)

View Relevant Resources

Chat Now

This is where you can start a live chat with a member of our team