
HITRUST® introduces the leaner version of the Validated HITRUST Assessment – The Implemented, 1-Year (i1) Validated Assessment + Certification

April 22, 2022 | By Accorian

This release is specifically designed to address emerging cyber threats.

HITRUST recently announced the implementation of a new annual Assessment + Certification, the i1. This release is specifically designed to address the need for a continuously relevant cybersecurity assessment that leverages the latest threat intelligence to keep pace with information security risks and emerging cyber threats, such as ransomware and phishing.

The original HITRUST Validated Assessment, now dubbed the r2, has been highly touted as the “Gold Standard” for information security assurances. The HITRUST Risk-based, 2-Year r2 Validated Assessment + Certification uses the HITRUST CSF® cybersecurity framework to unify and harmonize controls from many regulatory and industry frameworks, including HIPAA, GDPR, and PCI-DSS. The HITRUST CSF is often considered a sort of “one framework to rule them all”, and organizations that implement a properly scoped HITRUST r2 Assessment can include more than 40 authoritative sources to conform to a variety of cybersecurity regulations and standards. The HITRUST r2 is a 2-year, risk-based, and tailorable assessment, which continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors.

The new HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification is the first information security assessment of its kind, with attributes that are not available through other assurance programs. The design and selection of the controls put it in a new class of information security assessment that is threat-adaptive and is designed to maintain relevance over time as threats evolve and new risks emerge, while retiring controls no longer deemed relevant.

The HITRUST i1 Assessment is:

  • Designed to maintain relevant control requirements to mitigate existing and emerging threats, providing updates as new threats are identified. It is threat-adaptive, prescriptive, and focused on controls relevant to risk.
  • Designed to sunset controls that have lost relevance and have limited assurance value based on the effort required to comply or assess.
  • Designed to deliver a higher level of reliability over other moderate assurance options because of its unique controls selection and assurance program design.

The HITRUST i1 Validated Assessment + Certification is a “best practices” assessment that consists of 219 pre-selected controls. It was designed around relevant information security risks and emerging cyber threats and provides coverage for numerous standards, such as NIST 800-171, GLBA Safeguards Rule, HIPAA Security Rule, and Health Industry Cybersecurity Practices (HICP). Although the HITRUST i1 is a leaner version of the r2, the evaluation process is still incredibly rigorous and provides the same credibility associated with the original HITRUST Assessment. To better understand the breadth of the r2 assessment in comparison to the i1, let’s look at the five maturity levels tested in an r2 assessment:

  • Policy – Detail management’s requirements for the organization and in-scope systems
  • Procedures – Document the organization’s methods for implementing policies
  • Implemented – Demonstrate how the organization implemented policies and procedures
  • Measured – Demonstrate how the organization evaluates its program
  • Managed – Demonstrate how the organization continuously manages risk

While some organizations may feel that the i1 does not provide the same level of assurance as the r2, there are many benefits to be gained with the i1 given its threat-adaptive approach paired with an annual assessment cycle. The HITRUST i1 concentrates solely on the implemented PRISMA maturity level, thus limiting the scope of assessment and helping reduce the preparation required. The i1 takes into account specific “Evaluative Elements” designed to confirm the full implementation of each control and allows an organization to be scored solely on the level of its implementation.

i1 assessments can also be used as either a readiness assessment (identification and remediation report) or a validated assessment (requirements check and official certification). It’s recommended that every organization start with a readiness assessment to get a detailed report on its cybersecurity posture and remediation requirements before performing a Validated i1 Assessment. This is important for finding vulnerabilities within your organization, as it allows you to complete any recommended remediations before the HITRUST Q&A team conducts the validated assessment.

Accorian is a full-service security service provider organization with many years of experience providing data security compliance, information security program implementation, and testing services. As an authorized HITRUST CSF Assessor, Accorian has Certified HITRUST Practitioners and advisors with the expertise to provide the guidance and knowledge your organization requires to successfully complete a HITRUST Validation or Certification. With our HITRUST compliance services, our qualified security advisors can get you started with scoping for your assessment and facilitating the self-assessment process to reduce the cost, time, and resources.

As your organization adopts new technology, we can help with a HITRUST Assessment to streamline information security compliance as part of the implementation process. Additionally, we can help you maintain compliance from year to year by monitoring the completion of required tasks and performing a myriad of third-party services required for vulnerability testing and reviews.

We are here if you need us.
