Articles & Blogs

HITRUST® introduces the leaner version of the Validated HITRUST Assessment – The Implemented, 1-Year (i1) Validated Assessment + Certification

April 22, 2022 | By Accorian

HITRUST, recently, announced the implementation of a new annual HITRUST Assessment + Certification, the i1. The aim of this release is to provide a cybersecurity assessment that remains continuously relevant by utilizing the latest threat intelligence to address information security risks and emerging cyber threats like ransomware and phishing. 

Experts highly tout the “Gold Standard” for information security assurances as the original HITRUST Validated Assessment, which is now dubbed the r2. The HITRUST Risk-based, 2-Year r2 Validated Assessment + Certification uses the HITRUST CSF® cybersecurity framework to unify and harmonize controls from many regulatory and industry frameworks, including HIPAA, GDPR, and PCI-DSS. It often considered as a sort of “one framework to rule them all”, and organizations that implement a properly scoped HITRUST r2 Assessment can include more than 40 authoritative sources to conform to a variety of cybersecurity regulations and standards. The HITRUST a 2-year risk-based and tailorable assessment, which continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors.

The new HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification is the first information security assessment of its kind and possesses attributes that other assurance programs do not have. The assessment’s design and control selection place it in a new category of threat-adaptive information security assessments, which evolve with emerging risks and new threats while also retiring irrelevant controls.

The HITRUST i1 Assessment is designed to:

  • Designed to maintain control requirements that mitigate existing and emerging threats by providing updates as new threats are identified. The assessment is threat-adaptive, prescriptive, and concentrates on controls that are relevant to risk.
  • Sunset controls that have lost relevance and have limited assurance value based on the effort required to comply or assess.
  • Delivers greater reliability than other moderate assurance options due to its unique control selection and assurance program design.

The HITRUSTi1 Validated Assessment + Certification is a “best practices” assessment that consists of 219 pre-selected controls. The design of the assessment was based on relevant information security risks and emerging cyber threats. It provides coverage for numerous standards, such as NIST 800-171, GLBA Safeguards Rule, HIPAA Security Rule, and Health Industry Cybersecurity Practices (HICP). Although the HITRUST i1 is a leaner version of the r2, the evaluation process is still incredibly rigorous and provides the same credibility associated with the original HITRUST Assessment.

Examination of the Five Maturity Levels Tested in r2 and i1 Assessments

  • Policy– Detail management’s requirements for the organization and in=scope systems
  • Procedures– Document the organization’s methods for implementing policies
  • Implemented– Demonstrate how the organization implemented policies and procedures
  • Measured– Examine how the organization evaluates its program
  • Managed– Show how the organization continuously manages risk


Although some organizations may consider the i1 assessment to be less assuring than the r2 assessment, the i1 provides several benefits due to its threat-adaptive approach paired with an annual assessment cycle. The HITRUST i1 concentrates solely on the implemented PRISMA maturity level, thus limiting the scope of assessment and helping reduce the preparation required. The i1 considers particular “Evaluative Elements” to confirm the complete implementation of each control, and an organization can be evaluated based solely on the level of implementation. An i1 assessment can serve as either a readiness assessment, (which includes an identification and remediation report), or a validated assessment, (which includes a requirements check and an official certification.)

It’s recommended that every organization start with a readiness assessment to get a detailed report on your organization’s cybersecurity posture and remediation requirements before performing a Validated i1 Assessment. This is important in finding vulnerabilities within your organization as it allows you to complete any recommended remediations before the HITRUST Q&A team conducts the validated assessment.

The Accorian Advantage

Accorian is a full-service security service provider organization with many years of experience providing data security compliance, information security program implementation, and testing services. As an authorized HITRUST CSF Assessor, Accorian has Certified HITRUST Practitioners and advisors with the expertise to provide the guidance and knowledge your organization requires to successfully complete a HITRUST Validation or Certification. Our qualified security advisors can initiate the scoping process for your assessment and facilitate the self-assessment process, reducing your costs, time, and resources with our HITRUST compliance services. As your organization adopts new technology, we can help with a HITRUST Assessment to streamline information security compliance as part of the implementation process. Additionally, We can help you maintain compliance by monitoring task completion and performing required third-party services for vulnerability testing and reviews. We are here if you need us.

Recent Blog

Ready to Start?

Ready to Start?​

Drop your CVs to

Interested Position

Download Case study

Download SOC2 Guide