What Are the New HITRUST bC and i1 Assessments?
HITRUST certification just got quicker, more affordable, and less complex. Learn more about HITRUST i1 and why it could be a game changer for your organization.
The HITRUST Alliance has announced the HITRUST Basic Current State (bC) Assessment and the HITRUST Implemented One-Year (i1) Assessment, two new additions to their portfolio of assessment services that will be released at the end of 2021. While the names bC and i1 may call to mind sleek sports cars or high-powered computer chips, they won’t add a host of new features or extra complexity.
In fact, it’s what’s not included in these assessments, compared to the standard HITRUST Risk-Based, Two-Year (r2) Assessment (formerly known as the HITRUST CSF Validated Assessment), that makes them appealing. HITRUST i1, in particular, will be a game changer for compliance. Before you can decide whether either of these new assessments is a good fit for your organization, let’s take a look at what they are and how they compare to HITRUST r2.
What Is HITRUST bC?
HITRUST bC is essentially a refreshed version of the HITRUST self-assessment that has been around for several years. Much like the other assessments in the HITRUST portfolio, it leverages the HITRUST Assurance Intelligence Engine™ (AI Engine) to “identify errors, omissions, and deceit.” The 71 static controls covered by this “good hygiene” assessment are grounded in the National Institute of Standards and Technology Internal Report (NISTIR) 7621: Small Business Information Security Fundamentals.
You may be wondering if your organization should pursue this self-assessment, which does not result in certification. One reason why you might investigate HITRUST bC is if you are contractually obligated to obtain i1 or r2 certification several years down the line, and you want to get a feel for some of the baseline controls that will be involved. Or, perhaps your business partner stipulates in a contract a timeline toward HITRUST certification that describes an initial first step as taking the self-assessment within six months.
While HITRUST bC could potentially prove useful in these scenarios, it’s important that you first talk with an external assessor firm to receive more guidance on the most efficient path to certification.
What Is HITRUST i1?
HITRUST i1 is a leaner version of the current HITRUST CSF Validated Assessment (rebranded r2) that is cheaper and easier to pass — yes, you read that correctly. HITRUST r2 assessments provide an extremely high level of assurance due to their extensive control requirements and program demands, but such a comprehensive security framework is not always necessary for every organization.
A HITRUST r2 assessment evaluates each security control against all five levels of the HITRUST maturity model:
- Policy — Are security expectations clearly documented, communicated, and approved by key stakeholders?
- Procedures — Are the operational elements of each control clearly defined and documented?
- Implemented — Is each control in the correct place and is it operating as it should?
- Measured — Is there a way for the organization to continuously monitor the control and determine when it isn’t operating correctly?
- Managed — Is the organization effectively responding to identified risks and taking action to address any problem areas?
A HITRUST i1 assessment, on the other hand, only tests the “implemented” maturity level from the list above. For this reason, HITRUST i1 requires less effort and cost than the r2 assessment that most organizations are familiar with. Don’t let this fool you, though; HITRUST i1 still lives up to the high quality standard for which HITRUST is known.
Similar to HITRUST r2, HITRUST i1 can be done either as a “readiness” assessment (resulting in a readiness report) or a “validated” assessment (resulting in a HITRUST validated report and, if scoring requirements are met, official certification). I recommend the majority of organizations start with a readiness assessment. This helps identify gaps so that remediation steps can be taken before pursuing the validated assessment.
Much like a validated HITRUST r2 assessment, a validated HITRUST i1 assessment must go through a thorough quality assurance review conducted by the HITRUST organization’s QA team before the certification is issued. Some compliance experts believe this rigorous QA process makes HITRUST i1 equally or even more reliable than other security assessments with similar objectives, such as SOC 2 or ISO 27001.
Continue reading at https://a-lign.com/hitrust-bc-i1-assessments/