Staying Ahead: What to expect in Version 11 of the HITRUST CSF

Written by: Andy Lin

The HITRUST Common Security Framework (CSF) plays a crucial role for organizations across industries as a comprehensive framework for information security and data privacy. The CSF provides organizations with a set of standardized controls and guidelines for managing cybersecurity risk. Its assurance program helps organizations demonstrate to their customers, partners, and stakeholders that security and privacy are taken seriously.

Recently, the HITRUST Alliance released Version 11 of its CSF. While HITRUST continuously updates its framework, this revision brings a substantial transformation to the overall assurance program.

Changes to the Three Assessment Types

In Version 11, HITRUST redesigned its certification paths and the service offerings available. A new assessment, the Essentials One-Year (e1) Validated, has been added to provide an entry-level certification over the controls deemed most essential for cybersecurity hygiene. The e1 Validated will be the most appealing, lowest-effort certified assessment for smaller, low-risk entities looking to gauge their maturity against fundamental cybersecurity controls. Organizations will also find a great deal of low-hanging fruit in this certification process. This positions the e1 as a stepping stone to higher-level validations.

The Implemented One-Year (i1) and Risk-Based Two-Year (r2) will continue to be the more rigorous accreditations, requiring a larger number of control requirements. Even so, v11 reduces the overall number of requirement statements across the board. To improve portability between assessment types, each weaker v11 assessment type is an inclusive subset of the stronger ones. This means that an organization moving from the e1 to the i1 in Version 11 will already have tested its e1 controls and will have the option to carry over up to a quarter of those controls to the i1. A similar design is in place when moving from the i1 to the r2.

The r2 will continue to be the typical format for most large organizations. It will carry a similar suite of controls across the domains, with an added set of control tests tailored to the factors of the assessed entity. Additionally, the r2 Validated will continue to depend on maturity across all five levels: policy, process, implementation, measures, and management. The r2 Validated remains the certification that demonstrates the highest degree of commitment to cybersecurity, and accordingly it requires the most time and resources.

Rapid Recertification Options and Interims

The new i1 assessment will offer the option of rapid recertification. This is an accelerated recertification path for organizations that can demonstrate that their control environment has not materially degraded. Control degradation means controls that are no longer operating at the level they were during the previous assessment. When an assessment detects a certain level of control degradation, the rapid assessment is converted into a full i1 assessment. Organizations are eligible for an i1 rapid assessment if they held a v11 i1 Validated during the prior year, if the scope of the assessment remains the same, and if there have been no significant changes to their security landscape since their last assessment.


The i1 certification period will match the one-year certification of the e1, while the r2 will continue to provide the two-year certification path. With the r2, organizations will continue to see an interim assessment in the gap year that evaluates the remediation of gaps identified during the previous year's evaluation. The interim remains unique to the r2; the i1 and e1 do not have one, as they are one-year certifications.

Stability Factors for the Journey to v11

While v11 brings numerous additions and changes, several measures are in place to ease the transition for organizations moving to the new version. For starters, inheritance is compatible with older CSF versions, including any v9.X assessments. CSF v9.5 and v9.6 will continue to be supported. Other legacy versions of the CSF, including v9.1 through v9.4 assessment objects, will remain available until Q3 of 2023. Assessed entities can upgrade a v9.5 or v9.6 r2 Validated to v11, with the ability to preview the result before committing.

HITRUST at Wolf

When making decisions on assessment types and certification paths, including readiness reviews, organizations on the path to Version 11 should consult External Assessors. External Assessors, like Wolf, are audit firms that HITRUST has approved to perform assessments and associated services. With HITRUST CSF Version 11 introducing nuances and redesigning processes across the assessment timeline, External Assessors are partners to entities seeking HITRUST certification. We continue to serve our clients with open communication in our collaborative journey to validation.