Think about the last time you went to a restaurant—what did you order? Was it your usual, or did you see a new addition to the menu that intrigued you so much you pulled the trigger and tried it?
It’s always nice to have options to satisfy certain cravings and needs—that goes for compliance, as well as food. Within the space, there are lots of different options and standards organizations can choose to demonstrate their cybersecurity posture, HITRUST CSF among them. Since its introduction, the HITRUST CSF has become an industry-agnostic information risk management and regulatory compliance framework that meets the needs of a wide range of organizations.
As part of that, HITRUST is offering an alternative to its long-standing Risk-Based, 2-year (r2) Certification—in late 2021, HITRUST introduced the Implemented 1-year (i1) Assessment as another high-quality, highly valuable certification option.
As experienced, long-time HITRUST external assessors, we’ve been working with organizations since the debut of the i1, and now we want to extend some insight to those that may be considering it as the right fit for their organization.
In this article, we’ll provide an overview and some benefits of the i1 Certification option, as well as a basic comparison to the r2 so that you can be more comfortable in any decision you make in choosing the best HITRUST Assessment option for your environment.
HITRUST i1 Overview
So why did the i1 come about in the first place?
While the r2 Validated Assessment provides the highest level of assurance HITRUST offers, not all organizations require that level of assurance for the services they provide. Before the introduction of the i1, organizations deemed lower risk by their interested parties had no other choice when undergoing a HITRUST Validated Assessment—a process that required substantial resources for the highest-level r2.
To provide a balance of options based on need, the i1 was developed—it provides a more moderate level of assurance than the r2 and is ideal for organizations that wish to focus on good security hygiene and cybersecurity best practices controls.
Since its initial introduction, HITRUST has molded and developed the i1 Certification based on feedback from both assessors and assessed entities to offer a valuable and comprehensive certification that addresses the level at which your cybersecurity program meets industry best practices. At this point, here’s what you need to know:
- The HITRUST i1 certification assessment will evaluate your controls against 182 requirements, across the same 19 domain areas, that HITRUST has identified as crucial to navigating modern cybersecurity standards.
- Among these key controls are some selected from the NIST SP 800-171 security controls framework as well as elements of the HIPAA Security Rule.
- The selection and number of controls for the i1 Certification are preset and the same for all organizations, regardless of the size or industry of the entity being assessed.
- ONLY your control implementation will be evaluated.
- HITRUST reviews its set of i1 requirements quarterly to confirm that they reflect the most up-to-date cybersecurity standards, including the latest mitigations for ransomware and phishing. As such, the i1 is cyber threat-adaptive and remains current even as the threat landscape evolves.
- Though the HITRUST i1 can also be used as a readiness assessment before moving on to the i1 (or r2) Certification, it is certifiable in its own right; you will, however, need an external assessor firm to complete the necessary Validated Assessment.
- The HITRUST i1 Certification is good for one year only, at which point you will need to recertify.
Benefits and Potential Use Cases for the HITRUST i1 Certification
So then, what makes this new HITRUST i1 offering right for you?
- It provides assurance to your customers as well as a good internal benchmark of your cybersecurity practices. For those organizations that face moderate risk or just need a general assessment of their risk profile, the i1 can fulfill those needs while using a trusted framework.
- It takes less time and effort to perform than the r2. If you’re a smaller operation or at the mercy of budget constraints, this could make for a more attractive option to demonstrate your cybersecurity efforts.
- Make no mistake though—it may be an abbreviated version of the r2, but the evaluation process of i1 is still incredibly rigorous.
- The i1 also makes an excellent stepping stone to a future r2 Assessment.
- It could help with your cybersecurity insurance. Achieving i1 Certification can demonstrate to your insurers that you’re performing robust due diligence, potentially leading to lower premiums or additional coverage with little to no increase in premiums.
- If not for you, it could help you evaluate vendors. Supply chain information security issues have become rife, so to help reduce that risk, you could encourage your third-party providers to pursue an i1 Certification, and you can then use the resulting reports for added confidence that their cybersecurity programs are strong.
HITRUST i1 vs. r2
As with any newer option, it always helps to see how it stacks up against the familiar. Let’s take a high-level look at some of the key similarities and differences between the i1 and r2 Certifications:
Both the i1 and the r2:

- Offer a Validated HITRUST Certification
- Utilize MyCSF
- Offer both Readiness and Validated Assessment options
- Offer the HITRUST gold standard of information security assurance
- Require an external assessor
- Are cyber threat-adaptive

| Criteria | i1 | r2 |
| --- | --- | --- |
| How long is it valid? | 1 year | 2 years |
| Level of assurance provided | Medium | High |
| What kind of controls? | Static | Variable, tailored based on your organizational factors |
| Items scored | Only control implementation | Control implementation, policy and procedures, self-assessment, and management |
| Avenue to other standards? | n/a | Can also result in a NIST certification |
Moving Forward with HITRUST i1 Certification
The more streamlined approach of the i1 Assessment and Certification could be the right move for your organization, and now that you understand a little more about it, you’re in a better position to decide.
To continue learning more about HITRUST and its intricacies, check out our other content regarding this compliance framework, including details on recent developments and specific questions:
- HITRUST CSF v11: An Overview of the Update
- HITRUST - What Does 'The Number of Records Held' Mean?
- HITRUST: The Effect of TEFCA
If you find that you have more specific questions, or you’re interested in learning more about Schellman and our capabilities as a HITRUST external assessor, please contact us as our team is ready to address any concerns and answer all the questions you may have.
About Kevin Keane
Kevin Keane is a Senior Associate with Schellman. Prior to joining the firm in 2020, Kevin worked as a Senior Technology Risk Professional and gained significant experience in many areas of IT audit such as SOX IT Controls, System Implementations, Automated Controls, and SOC Report Evaluations. As a Senior Associate at Schellman, Kevin primarily focuses on HITRUST audits for various healthcare organizations.