What is the HITRUST CSF?

The HITRUST CSF is an internationally recognized, comprehensive, and scalable risk management framework that is meant to assist organizations with maintaining an efficient approach to compliance, and protect against emerging cybersecurity and privacy threats.

The HITRUST CSF leverages the standards from authoritative sources (e.g., HIPAA, GDPR, PCI-DSS, NIST 800-53, NIST 800-171, and dozens more), so organizations can customize their risk management approach based on the risk and regulatory factors relevant to their organization.

The HITRUST Assurance Program utilizes the CSF and requires organizations to perform assessments using a HITRUST Authorized External Assessor such as 360 Advanced.

A PRISMA-based maturity model is used within the CSF assessments to quantify areas of risk, and ultimately determine if an organization meets the bar for certification for the type of assessment (e1, i1, or r2) that is performed.

Compliance doesn’t have to be complicated.

An experienced authorized assessor at 360 Advanced provides the guidance you need to achieve and maintain certification. We use our extensive experience to walk you through the certification process—from scoping and interviews to technical testing and validation.

360 Advanced helps you navigate HITRUST assessments to get the report(s) you need to satisfy stakeholder and regulator inquiries. Getting a HITRUST Certification can put you on the fast-track to answer client questions about your information security programs, earn new business, show compliance, and even provide added assurances for cyber insurers.


Our HITRUST CSF Services

As a HITRUST CSF assessor, 360 Advanced has been approved to perform assessment services associated with the CSF Assurance Program.

The Readiness Assessment is designed as an introduction to the CSF for the assessment type your organization is preparing for, and it is the springboard to a validated assessment. In addition to familiarizing your organization with the HITRUST approach, 360 Advanced also helps to identify gaps and a path forward to a successful validated assessment.

Released in January 2023, the e1 focuses on the most critical cybersecurity threats and demonstrates that an organization practices essential cybersecurity hygiene. The e1 caters to low-risk enterprises that have a need to demonstrate they have foundational cybersecurity practices in place. The e1 assessment aligns with the following authoritative sources:

  • CISA Cyber Essentials
  • Health Industry Cybersecurity Practices (HICP) for Small Healthcare Organizations
  • NIST 800-171 (Basic Requirements)
  • NIST IR 7621

Successful completion of the e1 assessment by an Authorized External Assessor Organization results in a one-year certification.

The i1 focuses on leading security practices for organizations with robust information security programs ready to demonstrate controls that protect against current and emerging threats.

The i1 assessment aligns with the following authoritative sources:

  • HIPAA Security Rule
  • GLBA Safeguards Rule
  • U.S. Dept. of Labor EBSA Cybersecurity Program Best Practices
  • Health Industry Cybersecurity Practices (HICP) for Small Healthcare Organizations
  • NIST 800-171

Successful completion of the i1 assessment by an Authorized External Assessor Organization such as 360 Advanced results in a one-year certification.

Rapid Recertification for i1 Assessments

Starting with the release of version 11 of the CSF, the i1 rapid recertification assessment allows for a more streamlined approach to achieving i1 certification in an organization’s subsequent certification year by only requiring the Authorized External Assessor Organization to assess a subset of i1 requirements.

For an organization to be eligible to perform an i1 rapid recertification, it must be able to demonstrate that the control environment has not materially changed or degraded since completion of the previous i1 assessment, and the original assessment must have been performed using v11 of the CSF or later.

The r2 validated assessment is a comprehensive assessment that is tailored to an organization’s inherent risk factors. The r2 assessment is much more rigorous than the e1 and i1 assessments and is suitable for organizations that are required to demonstrate a high level of assurance.

Unlike the e1 and i1, which only require organizations to demonstrate that the requirements are implemented, the r2 assessment requires organizations to demonstrate that policies and procedures are in place and that the requirements are implemented, and, optionally, that they are being measured and managed.

Organizations have the option to add nearly 40 authoritative sources to their assessment to demonstrate compliance with multiple standards or regulations within one assessment.

The HITRUST r2 certification is valid for a period of two years, and an interim assessment is required in the second year.

For an organization to maintain its r2 HITRUST CSF Certification, an interim assessment must be conducted by an Authorized External Assessor Organization in the second year. It must be submitted to HITRUST within the 90-day window leading up to the one-year anniversary of the certification issuance date. The assessment consists of the following:

  • Testing of one requirement within each of the 19 assessment domains.
  • Review of any requirements that were marked “not applicable” during the original assessment to ensure their status remains the same.
  • Review of any Corrective Action Plans that were identified during the original assessment to ensure the organization has either remediated or made reasonable progress towards remediation.

You deserve a conversation, not a questionnaire.

We build long-term relationships through trust and value. If you’re looking for a trusted business advisor to build your holistic compliance strategy, let’s chat!