The HITRUST i1 and e1 rapid assessments allow Assessed Entities and their External Assessors to apply a rapid sampling approach to eligible sets of requirement statements in order to demonstrate that the control environment has not materially degraded since the previous certification was obtained. Upon successfully demonstrating that the control environment has not materially degraded, the Assessed Entity is permitted to roll forward scores from the previously certified i1 or e1 assessment for the remaining requirement statements in the set; thus, reducing the amount of testing required to complete the assessment.
i1 Rapid Assessment Overview
After completing an i1 combined validated assessment in year 1, the assessed entity may be eligible to complete an i1 rapid assessment in year 2. The i1 rapid assessment allows the rapid sampling approach, described below, to be applied independently to the core i1 requirement statements and to any compliance factor that includes more than 60 requirement statements. If any compliance factor in the combined assessment included 60 or fewer requirement statements, all of those requirement statements must be assessed in the i1 rapid assessment.
e1 Rapid Assessment Overview
After completing an e1 combined validated assessment in year 1, if the combined assessment included a compliance factor that adds more than 60 requirement statements to the assessment, the assessed entity may be eligible to complete an e1 rapid assessment in year 2. The e1 rapid assessment will allow the rapid sampling approach, described below, to be applied independently to any compliance factor that includes more than 60 requirement statements. The core e1 requirement statements and any compliance factors that include 60 or fewer requirement statements must all be assessed in the e1 rapid assessment.
15.5.1 The i1 and e1 Rapid Assessment results in the same i1 or e1 assessment reports (HITRUST CSF Reports and Insights Reports) and i1 or e1 certification as a full i1 or e1 assessment (valid for one year from the date on the i1 or e1 certification).
i1 and e1 Rapid Assessment Eligibility
Eligibility to apply the rapid sampling approach is determined individually for each set of requirement statements included in the assessment (where a “set” is the set of e1 core, i1 core, and each set of requirement statements added by a single Compliance factor).
Eligibility for each set of requirement statements is determined as follows:
Core Requirements
15.5.2 e1 core requirement statements are never eligible for the rapid sampling approach due to the number of requirement statements in the set being 60 or fewer.
15.5.3 i1 core requirement statements may be eligible for the rapid sampling approach based on the Assessed Entity's ability to meet the eligibility criteria below.
Authoritative Source Requirements
15.5.4 Compliance factors that include 60 or fewer requirement statements are never eligible for the rapid sampling approach due to the number of requirements in the set being 60 or fewer.
15.5.5 Compliance factors that include more than 60 requirement statements may be eligible for the rapid sampling approach based on the Assessed Entity's ability to meet the eligibility criteria below.
Eligibility Criteria
15.5.6 For the Assessed Entity to be eligible to apply the rapid sampling approach it must hold a full MyCSF Subscription and have an available object in MyCSF. Assessed Entities who used the Lite Bundle must upgrade to at least a Professional subscription.
15.5.7 For the Assessed Entity to be eligible to apply the rapid sampling approach it must have an active e1 or i1 certification resulting from the performance of a full e1 or i1 validated assessment using CSF v11 or later.
15.5.8 The Assessed Entity must sign the management representation letter for the e1 or i1 rapid assessment on or prior to expiration of the previous certification. There is no ability to extend e1 or i1 certifications past the one year expiration.
15.5.9 For the Assessed Entity to be eligible to apply the rapid sampling approach it must assess the same scope assessed in the prior e1 or i1 assessment.
15.5.10 If all of the General Eligibility Criteria are met, then for each set of requirement statements potentially eligible for rapid sampling, the following criteria will determine if that particular set of requirement statements may be sampled.
- The set contains more than 60 requirement statements
- The control environment assessed by this particular set of requirement statements has not materially degraded since the previous e1 or i1 assessment was performed.
- No significant changes have occurred since the previous e1 or i1 certification date in the Assessed Entity’s business or security policies, processes, controls, hosting locations, or technologies.
15.5.11 When an Assessed Entity is eligible to apply the rapid sampling approach to at least one set of requirement statements and ineligible to apply the rapid sampling approach to others, an i1 or e1 rapid assessment may be performed. Within the rapid assessment, the eligible sets of requirement statements will be sampled, while the ineligible sets will be assessed in full.
NOTE: Even if eligible to perform an i1 or e1 rapid assessment, an Assessed Entity may still choose to perform a full i1 or e1 assessment in lieu of the rapid assessment.
Rapid Sampling Approach
For each set of requirement statements that is determined to be eligible for the rapid sampling approach to be applied, the following section describes the selection of requirement statements that are required to be evaluated during the rapid assessment.
15.5.12 If the e1 or i1 Rapid Assessment is created using a newer CSF version than that which was utilized for the Assessed Entity’s previous e1 or i1 assessment, there may be additional requirement statements included in this set of requirement statements due to the HITRUST threat analysis and other updates to the CSF.
15.5.13 A sample of 60 requirement statements from this set that were scored in the parent e1 or i1 assessment must be assessed. Note that the i1 core sample of 60 requirement statements will include all requirement statements that required a CAP in the previous i1 assessment.
15.5.14 All requirement statements from this set that were marked as N/A during the previous e1 or i1 assessment must be assessed.
All other requirement statements in the set are not required to be assessed. By default, these requirement statements appear within the assessment in a read-only state and include the scores that were entered in the previous e1 or i1 Assessment. If the Assessed Entity would like to show improvement on a requirement statement that is not already required to be assessed in the e1 or i1 Rapid Assessment, the Assessed Entity may optionally include any of these requirement statements by toggling the requirement statement from read-only to an editable state.
Detection of Control Degradation
During the performance of the e1 or i1 Rapid Assessment, MyCSF monitors the scoring of the sampled requirement statements in the Rapid Assessment and compares them to the parent e1 or i1 assessment to determine whether any scores have been lowered. The control degradation detection process described below and illustrated in the below flowchart is applied independently to each set of sampled requirement statements.
15.5.15 For each sample of 60 requirement statements, if scores are lowered for two or fewer requirement statements, the sample is accepted and no further testing of requirement statements in that set is required.
15.5.16 If MyCSF detects three or four requirement statements with lower scores in a single sample of 60 requirement statements in the Rapid Assessment, the Assessed Entity and External Assessor have the option to expand the sample by assessing an additional 60 requirement statements from the set, or, if fewer than 60 additional requirement statements remain in the set, to assess the set in full.
- Case I – three lowered scores: If the Assessed Entity opts to expand the sample by an additional 60 requirement statements, MyCSF will allow two or fewer requirement statements with lower scores in the additional sample. If MyCSF detects three or more requirement statements with lower scores in the additional sample, that set of requirements must be assessed in full.
- Case II – four lowered scores: If the Assessed Entity opts to expand the sample by an additional 60 requirement statements, MyCSF will allow one or fewer requirement statements with lower scores in the additional sample. If MyCSF detects two or more requirement statements with lower scores in the additional sample, that set of requirements must be assessed in full.
15.5.17 If MyCSF detects five or more requirement statements with lower scores in a single sample of 60 requirement statements, that set of requirement statements must be assessed in full.
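The degradation thresholds in 15.5.15 through 15.5.17, together with the rule in 15.5.19 that only drops caused by control operation count, can be expressed as a small decision procedure. The following is an added illustration, not MyCSF code; the record format, the reason labels and the simplification that the statements remaining after the first sample equal the set size minus 60 are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SAMPLE_SIZE = 60  # each rapid sample is 60 requirement statements (15.5.13)


@dataclass
class ScoredStatement:
    """One sampled requirement statement (constructed record format, not MyCSF's)."""
    statement_id: str
    parent_score: int   # score in the parent e1/i1 assessment
    rapid_score: int    # score entered in the rapid assessment
    # assumed labels: "control_operation" counts toward degradation,
    # "testing_error" (testing approach or documentation) does not (15.5.19)
    reason: Optional[str] = None


def count_degraded(sample: list[ScoredStatement]) -> int:
    """Count statements whose score was lowered because of control operation."""
    return sum(1 for s in sample
               if s.rapid_score < s.parent_score and s.reason == "control_operation")


def initial_decision(set_size: int, degraded: int) -> str:
    """Outcome after the first sample of 60 (15.5.15 to 15.5.17)."""
    if degraded <= 2:
        return "ACCEPT"            # sample accepted, no further testing of the set
    if degraded >= 5:
        return "FULL"              # set must be assessed in full
    # three or four lowered scores: may expand by a further 60 statements,
    # but if fewer than 60 remain (assumed: set_size - 60) the set goes to full
    if set_size - SAMPLE_SIZE < SAMPLE_SIZE:
        return "FULL"
    return "EXPAND_OR_FULL"        # entity chooses: additional sample or full


def expanded_decision(initial_degraded: int, additional_degraded: int) -> str:
    """Outcome after the additional sample of 60 (Case I and Case II in 15.5.16)."""
    if initial_degraded not in (3, 4):
        raise ValueError("an expanded sample only follows 3 or 4 lowered scores")
    allowed = 2 if initial_degraded == 3 else 1   # Case I allows 2, Case II allows 1
    return "ACCEPT" if additional_degraded <= allowed else "FULL"


# constructed sample: two control-operation drops, one testing-error drop, one unchanged
SAMPLE = [
    ScoredStatement("01.a", 5, 3, "control_operation"),
    ScoredStatement("01.b", 5, 4, "control_operation"),
    ScoredStatement("01.c", 4, 2, "testing_error"),
    ScoredStatement("01.d", 5, 5),
]
```

Running `initial_decision(200, count_degraded(SAMPLE))` on the constructed sample yields "ACCEPT", since only the two control-operation drops count.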
15.5.18 Upon acceptance of the assessment, HITRUST will perform a Quality Assurance review of the submitted assessment. The QA review includes HITRUST review of a random selection of requirement statements from each set of requirement statements (where a “set” is the set of e1 core, i1 core, and each set of requirement statements added by a single Compliance factor).
15.5.19 If scores are lowered during the QA review process, HITRUST will consider whether the scores have been lowered due to an issue with the operation of the control or due to an error in testing approach or documentation. Scores lowered due to an error in testing approach or documentation are not considered to be control degradation. Only scores lowered due to an issue with the operation of the control will count toward the threshold for control degradation.
15.5.20 If scores are lowered due to an issue with control operation, there is a possibility that the threshold for number of scores lowered to indicate material degradation is met during the QA review process. If this occurs, the Assessed Entity and External Assessor must expand the sample of requirement statements evaluated in the e1 or i1 rapid assessment or complete a full e1 or i1 assessment according to the previous guidelines.
The following diagram provides a visual workflow of the control degradation detection process within an e1 or i1 rapid assessment. This control degradation detection process is applied independently to each set of sampled requirement statements (i.e. the core requirement statements and each added Compliance factor).