What is HITRUST i1 Rapid Recertification?
In the hit film Interstellar, scientists discover a wormhole around the planet Saturn that leads to another galaxy far, far away and send a team of astronauts through it to see if they can find a new home for humanity. It’s a journey that was made light years shorter—and more efficient.
Efficiency is valuable on most occasions, whether you’re using a rip in space and time to get slingshot into a new solar system, bypassing some traffic on your commute home by using an alternate route or brushing your teeth in the shower to save some time in the mornings.
It’s particularly valuable during compliance audits—when you have the opportunity to save time and resources, you absolutely take it! Even better is when the governing bodies themselves help you out in this. HITRUST recently took feedback related to their i1 Assessment and created a different kind of time-saving tool for organizations seeking to maintain their i1 Certification.
It’s called HITRUST i1 Rapid Recertification, and as HITRUST external assessors that can assist with this process, we’re going to break down how it works in this article.
You may still be deciding between the i1 and r2 assessments, but we’ll provide valuable insight into the former so that you can be sure which route to take in getting certified against the new v11 of the HITRUST CSF framework.
What is the HITRUST i1 Assessment?
When the i1 was released, it was intended to provide a lower-effort option compared to the flagship HITRUST Assessment offering—the r2.
Though both can help you provide assurance to your customers and other stakeholders regarding your cybersecurity, in comparing them, the baseline differences are clear:
- The i1 only evaluates control implementation whereas the r2 assesses other criteria.
- The i1 control set is static whereas the r2 can be tailored to specific organizational needs.
- The i1 is valid for only one year, whereas the r2 is valid for two.
For more details on the i1 and how it stacks up against the r2, check our article here.
Both certification assessments require a good bit of work, which is part of the reason there’s now been a change to your i1 Recertification options.
One common piece of feedback from assessed entities related to the i1 Assessment was that, given it is only valid for one year, the overall workload for an organization over a two-year period was not significantly less than that of the more rigorous r2 Assessment, which is valid for two years with an interim assessment.
To make i1 recertification easier, HITRUST has introduced the i1 Rapid Recertification:
- Essentially, the Rapid Recertification is an interim assessment that will allow you to renew your i1 Certification without retesting the full scope of 182 i1 controls from your initial certification process.
- At the end of the i1 Rapid Recertification, you’ll get the same kind of full assessment report as you did for your initial certification.
- However, you won’t be able to go this route every year you recertify—you can only go the “rapid” path every other year between full i1 assessments, so your journey would look like this:
What Happens During HITRUST i1 Rapid Recertification?
After you complete your initial certification and the time comes to recertify after one year, here’s how it would work. To qualify, there are a couple of stipulations you must meet:
- Your scope for certification cannot have changed at all.
- You must have used HITRUST CSF v11 for your initial certification. You cannot Rapid(ly) Recertify against v11 if your initial assessment was completed using a different version.
If these conditions are both true, you can then take advantage of this lower-effort certification alternative (that’s in comparison to the full r2 assessment over the same two-year period).
And when you do qualify and proceed, the i1 Rapid Recertification operates similarly to the r2 Interim Certification process. A sample of 60 requirement statements that were scored—not N/A—in your full i1 Assessment will be evaluated in the i1 Rapid Recertification Assessment. Those randomly chosen requirements, along with any controls that previously required Corrective Action Plans, will be reevaluated by an external assessor over a 90-day fieldwork period.
When your assessor’s work is completed, submitted, and reviewed, HITRUST will then issue a new validation report for the i1—that’s assuming testing doesn’t reveal significant degradation of your controls. However, if your assessor does discover issues with your controls, you may be required to do more testing or pivot to a full assessment instead.
Achieving Adequate Scoring During HITRUST i1 Rapid Recertification
Control degradation is key, so it’s important to understand what it means.
By definition, degradation is when a control demonstrates that it’s no longer operating at the level that it was during the performance of the previous i1 assessment—however, please understand that a lower score than before does not necessarily indicate control degradation.
Of course, too much material control degradation will, as we mentioned above, disqualify you from continuing an i1 Rapid Recertification, and a full assessment will become necessary. But some control fluctuation is permitted between your performance during the full i1 assessment and the i1 Rapid Recertification, so here’s how it shakes out from a scoring perspective:
- If 2 or fewer scores are lowered from your previous i1, you can roll over scores from the previous assessment.
- If 3 or more are lowered, you’ll need to expand to an additional sample or do another full i1 assessment.
That being said, if your average domain scores meet the threshold for an i1 Certification, your Rapid Recertification will succeed in preserving your certification and you’ll receive the same full i1 Certification Report and i1 Certification Letter that were issued after you performed your full i1 Assessment.
On the other hand, if your average domain scores do not meet the required threshold(s), your Rapid Recertification would instead only result in an i1 Validated Assessment report (without Certification).
Next Steps for Your i1 Certification
In life, efficiency is generally appreciated—it’s always nice to get where we’re going faster, saving time and possibly money, especially when working toward compliance requirements. With the release of CSF v11, HITRUST has provided a new, more efficient avenue for those who choose to complete their i1 Assessment—the new, high-efficiency Rapid Recertification process.
However, i1 Rapid Recertification represents just one nuance of HITRUST certification—to streamline your experience with the HITRUST CSF framework even more, we recommend that you bolster your understanding by checking out our other content on different details:
About Kevin Keane
Kevin Keane is a Senior Associate with Schellman. Prior to joining the firm in 2020, Kevin worked as a Senior Technology Risk Professional and gained significant experience in many areas of IT audit such as SOX IT Controls, System Implementations, Automated Controls, and SOC Report Evaluations. As a Senior Associate at Schellman, Kevin primarily focuses on HITRUST audits for various healthcare organizations.