Everything You Need to Know About the New HITRUST e1 Assessment
Published 04/07/2023
Originally published by BARR Advisory.
Written by Claire McKenna.
HITRUST CSF recently added a new assessment to their portfolio: the HITRUST e1 Assessment. Included in the HITRUST CSF v11 release, the e1 Assessment was designed to cover foundational cybersecurity practices. Let’s take a closer look at the e1 Assessment and what this new option might mean for your organization.
What is the e1 assessment?
The HITRUST e1 Assessment is a low effort yet reliable assessment that helps organizations focus on foundational cybersecurity controls and prepares them for the most critical cybersecurity threats.
The e1 Assessment can serve as a stepping stone to more comprehensive and higher-effort assessments such as the HITRUST i1 Assessment or r2 Assessment. With only 44 controls, it is significantly more attainable than other cybersecurity assessments.
The e1 Assessment is also more affordable than broader assessments—only a third of the cost of an i1 Assessment.
Similar to other HITRUST assessments, the e1 Assessment is threat-adaptive, which means that as the threat landscape evolves, the requirements will also be updated to address future risks as they emerge. This includes mitigations for the most critical cybersecurity threats such as ransomware, phishing, brute force, and abuse of valid accounts.
Think of the e1 Assessment as the minimum level of cybersecurity assurance your organization can achieve. While it reliably demonstrates an organization’s commitment to the basics, it doesn’t provide coverage of compliance related to laws like HIPAA or other leading cybersecurity practices.
The e1 Assessment is valid for one year from its issuance date. After that year, we recommend building on the established cybersecurity foundation with a higher level assessment.
Who needs an e1 Assessment?
The e1 Assessment is an excellent first step for any organization looking for validation of essential cybersecurity controls that plan to progress to more robust assessments in the future. we recommend the e1 Assessment to startups or other organizations that are just getting started in their cybersecurity journey.
The e1 Assessment may also provide the appropriate level of assurance for organizations with very low levels of cybersecurity risk that want a low-effort and reliable review of their foundational cybersecurity controls.
Deciding Which HITRUST Certification is Right for Your Organization
Depending on where you are in your security journey, your organization may benefit from the e1 Assessment or a more robust HITRUST assessment. To determine which assessment is right for your organization, we recommends first analyzing the driving factor behind getting HITRUST certified. Whether it’s to meet client expectations or an internal goal, having a trusted partner can help you determine which HITRUST assessment is best for your organization.
When it comes to HITRUST assessments, the level of effort each assessment takes directly correlates to the level of assurance it provides. For example, while the e1 Assessment is low effort, it provides only basic assurance. The r2 Assessment requires significantly more effort, but a higher level of risk assurance. Take a look below at some key differences between the e1, i1, and r2 Assessments.
Related Articles:
It’s Time to Split the CISO Role if We Are to Save It
Published: 11/22/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024
5 Big Cybersecurity Laws You Need to Know About Ahead of 2025
Published: 11/20/2024