HITRUST CSF v11: An Overview of the Update
“New year, new me!”
It seems we always hear that in January as if as soon as the ball drops in New York City, everyone wants to shed their old habits and begin anew, whether it’s changing things regarding their health or their work or something else entirely. We always seem to be most reinvigorated to make major moves in the first month of the year, and in 2023, HITRUST is also getting in on the action.
As of January 18, 2023, HITRUST CSF v11 is available within HITRUST’s proprietary tool, MyCSF, and this isn’t a New Year’s resolution that will soon fade. This update has introduced big changes, and given that HITRUST CSF serves many different kinds of organizations in many different industries, this update is going to have quite a ripple effect.
If you’re someone that has previously undergone a HITRUST assessment or certification, and if you’re still just considering it, don’t worry. We’re both a HITRUST assessor and a member of the HITRUST Authorized External Assessor Council, and in this article, we’ll get you up to speed on what’s new in HITRUST CSF v11.
There will surely be more details to come, but for now, this information will provide a foundation for you to build on as your HITRUST projects move forward.
Changes in HITRUST CSF v11
What’s notable in this new version can be boiled down to three things:
- A brand new assessment type
- Changes to existing HITRUST assessments
- An additional “inheritance” option where your third parties are concerned
The New HITRUST e1 Assessment
HITRUST CSF v11 still provides their familiar i1 or r2 certification options:
- The Implemented, 1-year (i1); and
- The Risk-Based, 2-year (r2) assessments.
But in this new version, you now have a third option: the HITRUST Essentials, 1-year (e1) assessment that provides entry-level assurance focused on the most critical controls to demonstrate that “essential cybersecurity hygiene” is in place.
With its fixed 44 requirements, this new assessment option is intended for organizations that have been deemed very low risk by their customers, or if you’re just seeking to quickly demonstrate basic security maturity.
For more information related to the e1 assessment, refer to the HITRUST data sheet: e1 Datasheet - HITRUST Alliance.
Changes to the HITRUST i1 Assessment
That being said, you still have your more familiar i1 and r2 options.
For those who may not already know, the i1 provides a moderate level of assurance that addresses cybersecurity leading practices and a broader range of active cyber threats than the e1 assessment.
And, in HITRUST CSF v11, it’s the i1 that has received the most significant overhaul:
- New Fixed Amount of Requirements: Fixed 182 requirements during initial certification.
- Previously, the different assessment types had disparate requirements, whereas now the i1 includes the 44 e1 requirements.
- New Rapid Recertification: As discussed in HAA-2023-005.
- We will be publishing another article soon with more details.
For more information related to the i1 assessment, refer to the HITRUST data sheet: HITRUST-Implemented-1-Year-i1-Assessments.
Changes to the HITRUST r2 Assessment
And then you have the r2, which has been the flagship offering from HITRUST and will likely remain so. The r2 assessment is intended to provide a high level of assurance that focuses on a comprehensive risk-based specification of controls with an expanded approach to risk management and compliance evaluation. It’s also for those that want to utilize a robust risk-based framework as a basis for their security and/or privacy programs.
One of the changes you’ll notice in the new r2 validated assessments is that the evaluative elements—the testing components of a requirement statement previously located within the illustrative procedures—have been moved into the requirement statement language itself to provide better clarity on the expectations for each requirement.
In addition, v11 has removed the Geographic factor when scoping assessments. Facilities will still be required to be denoted and tested where applicable; however, the risk factor question that asked whether the in-scope facilities were “state,” “multi-state,” or “off-shore” has been removed and made agnostic.
That being said, with CSF v11, the entire HITRUST portfolio of assessments is traversable, meaning that they share common control requirements, allowing organizations to progressively achieve higher assurance levels throughout their HITRUST journey; starting with the e1 that is nested within the i1 that is nested inside the r2.
For more information related to the i1 assessment, refer to the HITRUST data sheet: HITRUST-Risk-Based-2-Year-r2-Validated-Assessment.
New Requirement Inheritance Option
Separate from these changes to the assessments is HITRUST CSF v11’s new provision for the inheritance of requirements from third parties that engaged a different version of HITRUST CSF.
Say one of your providers uses v9.x of CSF while you use v11—there may be requirements between the two that are significantly different. But now, HITRUST has implemented the “Legacy Inheritance Support” factor to allow v11 assessments to inherit similar baseline statements from v9.x assessments that are similar, but not exact.
To take advantage of this support, however, said baseline statement must be present in both the inheriting and inherited assessments.
Next Steps for HITRUST CSF v11
It’s a new year, and 2023 has opened with a new version of HITRUST CSF. With these newly expanded and adjusted HITRUST offerings, you can now choose the right assessment based on your organization’s risk, needs, and commitments to your reliant parties.
Thanks to HITRUST’s nesting approach between the e1, i1, and r2 assessments, it’s now easier than ever to start with an assessment that is less rigorous and incrementally increase your organization’s ability to eventually meet the risks that concern your reliant parties.
For more information on this new v11, MyCSF subscribers can check the CSF Summary of Changes document, which provides details on changes made as part of the version 11 upgrade. You’ll also find:
- An outline of the new features and changes in the assessments
- How these changes will impact existing assessments
- Information on the direct changes that will be applied to your existing assessment before your upgrade to version 11 (found in the preview function in HAA 2021-006)
We’ve also deconstructed HITRUST extensively—check out these articles for simplified explanations of several of this framework’s different facets:
- HITRUST: The Effect of TEFCA
- Do You Need a HITRUST External Assessor?
- How to Prepare Your Service Providers for HITRUST Certification
About Andrew Sullivan
Andrew Sullivan is a Senior Associate with Schellman. Prior to joining Schellman in 2019, Andrew worked as a Senior Associate at a Big 4 audit firm specializing in SOX audits from an IT perspective. As a Senior Associate with Schellman, Andrew Sullivan is focused primarily on SOC 1 and SOC 2 audits for organizations and across various industries.