The HITRUST i1 rapid recertification assessment (“rapid recert”) allows Assessed Entities and their External Assessors to evaluate a selection of i1 requirement statements to demonstrate that the control environment has not materially degraded since the previous i1 certification was obtained. Upon successfully demonstrating that the control environment has not materially degraded, the Assessed Entity is permitted to roll forward scores from the previously certified i1 assessment for the remaining requirement statements, thus reducing the amount of testing required to complete the assessment.

15.5.1 The i1 rapid recert results in the same i1 assessment reports and i1 certification as a full i1 assessment (valid for one year from the date on the i1 certification).

Leveraging the i1 Rapid Recertification Assessment

15.5.2 An Assessed Entity must meet the following criteria to be eligible for an i1 rapid recertification assessment:

  • The Assessed Entity must hold an i1 certification based on CSF v11 or later.
  • The Assessed Entity must intend to assess the same scope assessed in the prior i1 assessment.
  • No significant changes must have occurred since the previous i1 certification date in the Assessed Entity’s business or security policies, processes, controls, hosting locations, or technologies. For additional information on what constitutes a significant change, see Chapter 15.6 Significant Changes.
  • The control environment must not have materially degraded since the previous i1 assessment was performed.
  • The Assessed Entity must have an available assessment object in MyCSF.
  • The Assessed Entity’s current i1 certification may not be the result of an i1 rapid recertification assessment.

15.5.3 When Assessed Entities are not eligible to complete an i1 rapid recertification assessment, a full i1 assessment must be completed to obtain an i1 certification.

NOTE: Even if eligible to perform an i1 rapid recert, an Assessed Entity may still choose to perform a full i1 assessment in lieu of the i1 rapid recert.

HITRUST CSF requirements included in i1 Rapid Recertification Assessments

The i1 rapid recertification assessment consists of all i1 requirement statements for the current CSF version at the time the i1 rapid recert is created. The i1 rapid recert is different in that certain requirement statements are not required to be evaluated and may instead have scores carried over from the previously completed full i1 assessment. The following section describes the selection of requirement statements that are required to be evaluated during the i1 rapid recertification assessment.

15.5.4 If the i1 rapid recertification assessment is created using a newer CSF version than that which was utilized for the Assessed Entity’s full i1 assessment, there may be additional requirement statements included in the i1 rapid recertification due to the quarterly threat analysis that impacts the i1 requirement statement selection. The additional requirement statements included in the newer CSF version are required to be evaluated in the i1 rapid recertification assessment.

15.5.5 A sample of 60 requirement statements that were scored (not marked as N/A) in the full i1 assessment must be evaluated in the i1 rapid recertification assessment. Note that any requirement statements that appeared in the full i1 assessment but are not included in the i1 requirement selection for the current CSF version are excluded from this sample.

15.5.6 Requirement statements that were marked as N/A during the full i1 assessment are required to be reviewed during the i1 rapid recertification assessment to confirm that the N/A rationale remains accurate. Note that any requirement statements marked N/A in the full i1 assessment that are not included in the i1 requirement selection for the current CSF version are excluded from the i1 rapid recertification.

15.5.7 Requirement statements that required a CAP during the full i1 assessment are required to be assessed during the i1 rapid recertification assessment. Note that any requirement statements requiring a CAP in the full i1 assessment that are not included in the i1 requirement selection for the current CSF version will be excluded.

All other i1 requirement statements for the current CSF version are included within the i1 rapid recertification assessment object but are not required to be assessed. By default, these requirement statements appear within the assessment in a read-only state and include the scores that were entered in the full i1 assessment. The Assessed Entity may optionally include any of these requirement statements for testing as part of the i1 rapid recertification by toggling the requirement statement to an editable state.

Detection of Control Degradation

Before creating an i1 rapid recertification assessment, the Assessed Entity must attest that the control environment has not materially degraded since the full i1 assessment was performed. During the performance of the i1 rapid recertification assessment, MyCSF monitors the scoring of requirement statements that are evaluated in the current i1 rapid recertification assessment and compares the scores to the previously completed i1 assessment.

15.5.8 If scores are lowered for two or fewer requirement statements, the i1 rapid recertification assessment may be submitted to HITRUST.

15.5.9 If MyCSF detects either three or four requirement statements with lower scores in the i1 rapid recertification assessment, the Assessed Entity and External Assessor will be presented with two options for how to proceed:

  • Option 1: Expand the sample of requirement statements to be evaluated in the i1 rapid recertification assessment. If this option is selected, an additional sample of 60 requirement statements will be required to be assessed in the i1 rapid recertification assessment. When the additional 60 requirement statements are introduced, MyCSF will allow a total of five requirement statements with lower scores than the previously completed i1 assessment. If MyCSF detects six or more requirement statements with lower scores in the i1 rapid recertification assessment, option 2 must be followed.
  • Option 2: Complete a full i1 assessment. If this option is selected, the i1 rapid recertification assessment may be converted to a full i1 assessment so the scoring and documentation already entered into MyCSF is retained.

15.5.10 If MyCSF detects five or more requirement statements with lower scores in the i1 rapid recertification assessment, a full i1 assessment must be performed. If this occurs, the i1 rapid recertification assessment may be converted to a full i1 assessment so the scoring and documentation already entered in MyCSF may be retained.

15.5.11 Upon acceptance of the assessment, HITRUST will perform a Quality Assurance review of the submitted assessment. The QA review includes HITRUST review of a random selection of requirement statements.

15.5.12 If scores are lowered during the QA review process, HITRUST will consider whether the scores have been lowered due to an issue with the operation of the control or due to an error in testing approach or documentation. Scores lowered due to an error in testing approach or documentation are not considered to be control degradation. Only scores lowered due to an issue with the operation of the control will count toward the threshold for control degradation.

15.5.13 If scores are lowered due to an issue with control operation, it is possible that the threshold for the number of lowered scores that indicates material degradation is reached during the QA review process. If this occurs, the Assessed Entity and External Assessor must either expand the sample of requirement statements evaluated in the i1 rapid recertification assessment or complete a full i1 assessment, according to the guidelines above.
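The selection rules in 15.5.4 through 15.5.7 and the degradation thresholds in 15.5.8 through 15.5.10 can be modelled as a small decision procedure. The following Python is an added illustration, not HITRUST or MyCSF code: the requirement IDs and scores are constructed, and uniform random sampling is an assumption, since the handbook does not describe how MyCSF draws the 60-statement sample.

```python
"""Model of the i1 rapid recert selection and degradation rules (added example).

Not HITRUST/MyCSF code. Sampling method and data layout are assumptions."""
import random


def required_statements(prior, current_selection, sample_size=60, seed=0):
    """Return which requirement statements must be evaluated in the rapid recert.

    prior: {req_id: {"score": int or None (None = N/A), "cap": bool}} from the full i1.
    current_selection: set of req_ids in the current CSF version's i1 selection.
    """
    # 15.5.4: statements new in the current CSF version must be evaluated.
    new_in_version = current_selection - set(prior)
    # Statements dropped from the current selection are excluded everywhere.
    carried = {k: v for k, v in prior.items() if k in current_selection}
    # 15.5.6: N/A statements are reviewed to confirm the rationale still holds.
    na_review = {k for k, v in carried.items() if v["score"] is None}
    # 15.5.7: statements that needed a CAP are re-assessed.
    cap_required = {k for k, v in carried.items() if v["cap"]}
    # 15.5.5: sample 60 of the scored (non-N/A) statements (random draw assumed).
    scored = sorted(k for k, v in carried.items() if v["score"] is not None)
    sample = set(random.Random(seed).sample(scored, min(sample_size, len(scored))))
    return {"new": new_in_version, "na_review": na_review,
            "cap": cap_required, "sample": sample}


def degradation_decision(lowered, expanded=False):
    """Apply the 15.5.8-15.5.10 thresholds.

    lowered: count of evaluated statements whose score dropped because of control
    operation (per 15.5.12, drops caused by testing/documentation errors are not counted).
    expanded: True once the additional 60-statement sample from Option 1 is in place.
    Returns "submit", "expand_or_full" (Option 1 or 2), or "full".
    """
    if not expanded:
        if lowered <= 2:
            return "submit"            # 15.5.8
        if lowered <= 4:
            return "expand_or_full"    # 15.5.9
        return "full"                  # 15.5.10
    # After expansion, up to five lowered scores are tolerated (Option 1 text).
    return "submit" if lowered <= 5 else "full"
```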

The following diagram provides a visual workflow of the control degradation detection process within an i1 rapid recertification.