HITRUST CSF Version Update and New Assessment Types

The HITRUST CSF is a certifiable security and privacy framework that helps organizations secure, comply, and assess against several security and privacy-related standards, regulations, and recommended practices.

HITRUST is used by organizations in many different highly regulated industries, such as health care organizations, technology companies, insurance plan providers, and any organization that handles different classifications of sensitive data.

With its version 11 update, HITRUST has maintained its commitment to improve the framework. The latest version helps organizations better manage risk by staying updated on the current cyberthreat landscape.

HITRUST CSF Version 11

HITRUST recently launched version 11, and is available to use. Version 10 was skipped.

HITRUST is decommissioning the version 9.x series. Organizations currently using version 9.1 through 9.4 must switch over to version 11 or a higher version of 9.x—either 9.5 or 9.6—by 2024.

Timing and Deadlines

Organizations have until December 31, 2024, to submit assessments using versions 9.1 through 9.4, but any new assessment objects using these versions must be created by September 30, 2023.

Additionally, any organizations using version 9.6.2 or earlier for one-year (i1) assessments must create the assessment object before April 30, 2023, and submit by July 31, 2023.

Organizations currently using versions 9.5 or 9.6 for r2 assessments can continue to use those versions, but they will also be decommissioned in the future.

Three HITRUST Certification Assessment Types

The following is a cursory explanation of each assessment type. For more details on each assessment, visit HITRUST Assurance Advisories.

HITRUST Essentials One-Year (e1) Assessment and Certification

The e1 assessment is a new assessment type for organizations that want an initial assessment of essential cybersecurity controls to evaluate the implementation and maturity of their controls and provide a means for certification. It’s meant to help lower risk entities evaluate their cyber hygiene and cybersecurity practices and for organizations still developing their cybersecurity program.

The assessment includes 44 requirement statements that address fundamental recommended practices across 19 domains. HITRUST assessments always include those same 19 domains.

The certification is good for one year.

HITRUST Implemented One-Year (i1) Assessment and Certification

The i1 assessment builds on the e1 certification. The assessment includes 182 requirement statements, 44 of which are included in the e1 assessment. 182 requirement statements are based on the latest ongoing cybersecurity threats. All requirement statements within each assessment type may change as the cybersecurity threats change.

This assessment is for organizations that have a cybersecurity program built out and want to evaluate their maturity against the 182 requirements. It may be used as an initial assessment for organizations that know their implementation is strong but don’t have or aren’t sure of the policies and procedure requirements for the r2 assessment.

Organizations can be certified for one year following a validated i1 assessment.

HITRUST Risk-Based, Two-Year (r2) Assessment and Certification

The r2 assessment can have any number of requirement statements and it all depends on the scope of the assessment. Most assessments are around 300–350 statements, but could be over 1,500. At a minimum, the r2 assessments will assess maturity levels for:

  • Policy
  • Procedures
  • Implementation of each requirement statement

With an r2 HITRUST assessment, the maturity of the organization has been scored, gaps and corrective action plans have been identified, and the organization is moving toward said corrective action plan and increased maturity.

The r2 certification is valid for two years as long as the organization passes their interim assessment, which must be done within one year of obtaining certification.


Why Switch to HITRUST CSF Version 11?

Version 11 e1 and i1 assessments were designed to be threat-adaptive through the selection of requirement statements that address active cyber security threats. The inclusion of i1 requirement statements in the r2 assessments introduces a threat-adaptive assessment for all assessment types.

Version 11 also includes new and refreshed authoritative sources and mappings by adding National Institute of Standards and Technology (NIST) SP 800-53 Revision 5, the Health Industry Cybersecurity Practices, among others.


Why Not Upgrade to Version 9.5 or 9.6?

If you’ve been using version 9.1 to 9.4, moving to version 11 is recommended to make use of the changes and improvements made to the framework. Version 9.5 and 9.6 will eventually be decommissioned. If you must switch, you might as well invest in upgrading to the latest version to reduce the hassle of multiple version implementations and to leverage the latest enhancements and clarifications made to the requirement statements.

Is There a Risk to Using 9.5 or 9.6 Instead of Moving to HITRUST CSF Version 11?

While all active HITRUST frameworks provide a high level of assurance, Version 11 is based on the latest ongoing cybersecurity threats and improved control mappings. If you already assess against version 9.5 or 9.6, the recommendation is to stay with that version and start to compare the changes made to version 11 so you can update policies, procedures, or implemented evidence to eventually move to the new version.  

Could HITRUST Certification Be the Next Level of Your Security Program?

Some organizations have begun to utilize HITRUST assessments instead of SOC examinations to evaluate a vendor’s maturity of their security and privacy controls.

Unlike SOC examination, also known as SOC audits, organizations cannot define the controls with a HITRUST assessment. HITRUST requirements are more specific, maturity-based, and harder to meet.

We’re Here to Help

For guidance on implementing HITRUST version 11 or developing or improving a security program at your organization, contact your Moss Adams professional. You can also visit our HIPAA & HITRUST Compliance Services page for additional resources.

Contact Us with Questions


Enter security code:
 Security code