HITRUST Framework: Explanation, Phases, and Components

The HITRUST certification process consist of several main phases: readiness, remediation, validated assessment and the HITRUST Quality Assurance review. The culmination of the HITRUST  assessment process is certification.

1. Readiness

The readiness step starts with a readiness assessment. The readiness assessment can be completed using the HITRUST MyCSF tool.

Once the scope is determined, we will will examine and measure all documentation relating to policies and procedures against current HITRUST requirements and controls. During this time, the assessor performs testing of controls to validate whether they are working as listed. All gaps are documented for remediation.

This can take ~ 2 months, depending on the size and complexity of the organization’s infrastructure.

2. Remediation

All performance or documentation gaps found during the readiness phase will be addressed by the organization during this time. The goal of this phase is to identify and ranks gaps in your organization by risk level. This provides the organization with opportunities for remediation before moving forward to the validated assessment.

During the remediation phase, authorized assessors should work to understand the organization’s environment and the normal flow of data through systems within the scope. They analyze requirements to understand the organization’s controls, identify gaps, and workable solutions to remediate any gaps found. Then, as the company works to remediate issues, assessors can provide ongoing support and review progress towards reaching compliance.

This process can take up to 6 months the first year, depending on the type of remedial actions required by the organization.

3. Validated Assessment

During the validated assessment, the assessor tests the defined control requirements of each designated category. An on-site risk assessment usually includes interviews with key personnel, reviewing supporting documents, sampling, penetration testing and vulnerability scans. Each requirement is evaluated or scored based on the following attributes control maturity:

  • Policy,
  • Process/Procedure,
  • Implementation,
  • Measured, and
  • Managed.

Based on these control maturity levels, the levels of compliance are:

  • Fully compliant,
  • Mostly compliant,
  • Partially compliant,
  • Somewhat compliant, and
  • Non-compliant.

During this assessment testing phase, authorized assessors review and validate the organization’s scores. Then, they send the final assessment to HITRUST for approval. The final decision about approving or denying the application for certification is made by HITRUST.

4. HITRUST’s Quality Assurance Review & Report Generation

Once the validated assessment is complete, the assessment is submitted to HITRUST for their quality assurance review and generation of the final report. The typical duration of HITRUST’s processing of a submission ranges from 4 to 8 weeks.

How long does it take to get HITRUST certified?

This depends mostly on your organization’s preparedness and the skilled guidance provided by your assessor. If this is the first time that your organization is working towards HITRUST certification, the process may take up to 12 months to complete successfully.

How Long Is HITRUST Certification Valid For?

Currently HITRUST offers several certification levels with different validation periods.

HITRUST Risk-based, 2-year (r2) Validated Assessment
HITRUST Implemented, 1-Year (i1) Validated Assessment
HITRUST Essentials, 1-year (e1) Validated Assessment

Types of Assessments

HITRUST Risk-based, 2-year (r2) Validated Assessmentis a tailorable assessment that focuses on comprehensive, prescriptive, risk-based controls specification and selection with a very rigorous approach to evaluation. These factors combine to ensure that the r2 consistently
provides the highest level of assurance for organizations with the greatest risk exposure.

HITRUST Implemented, 1-year (i1) Validated Assessment delivers a relatively moderate level of assurance for information-sharing situations with lower risk thresholds. The level of effort required for an i1 Certification is significantly less than an r2 Certification due to fewer control requirement statements and fewer maturity levels evaluated (implementation only for an i1).

HITRUST Essentials, 1-year (e1), Provides entry-level assurance focused on the most critical cybersecurity controls and demonstrates that essential cybersecurity hygiene is in place. The e1 provides an excellent starting point for enterprises early in their program maturity, or as the final assurance destination for low-risk organizations. The e1 requires less effort to complete and falls below the level of assurance conveyed by the more rigorous HITRUST i1 and r2 Assessments. More information on the e1 Essential assessment is available here.

More details on the type of assessments are available here.

HITRUST Self-Assessment Costs

Access to the required MyCSF tool costs $2,500 dollars (for 90 days, $10,000 for 1 year), and the validation report itself costs another $3,750 dollars. But these are far from the only expenses for most companies.

Organization of the HITRUST CSF

The HITRUST CSF is a framework that normalizes security and privacy requirements for organizations, including federal legislation (e.g., HIPAA), federal agency rules and guidance (e.g., NIST), state legislation (e.g., California Consumer Privacy Act), international regulation (e.g., GDPR), and industry frameworks (e.g., PCI, COBIT). It simplifies the myriad of requirements by providing a single-source solution tailored to the organization’s needs. The CSF is the only framework built to provide scalable
security and privacy requirements based on the different risks and exposures of each unique organization.

Key Components:

The CSF was designed with security and privacy professionals in mind. By taking an abstraction of what is core to and common across most dominant frameworks, the architecture was deliberately chosen to facilitate straightforward understanding and easy consumption. Each control category in the CSF includes control objectives and control specifications, leveraging the primary categories from the ISO/IEC framework, as well as the inclusion of specific categories for an information security management program and risk management practices–which collectively help to ensure organizational, regulatory, and system controls are properly specified and implemented. The core structure is then integrated with various authoritative sources, along with the experience and leading practices of the HITRUST Community, to create specific implementation requirements for each control.

All requirements are mapped to the related framework, standard, or regulation, and noted as an authoritative source.

Prior to starting the in-depth process, every company must choose which type of assessment to conduct. There are five options: 

  1. CSF Security Assessment 
  2. CSF Security & Privacy Assessment
  3. CSF Comprehensive Security Assessment 
  4. CSF Comprehensive Security & Privacy Assessment
  5. NIST Cybersecurity Assessment

Control Categories:

The CSF contains 14 control categories, comprised of 40 control objectives and 156 control specifications (references). The CSF control categories, accompanied with their respective number of control objectives and control specifications for each category are:

  1. Information Security Management Program (1, 1)
  2. Access Control (7, 25)
  3. Human Resources Security (4, 9)
  4. Risk Management (1, 4)
  5. Security Policy (1, 2)
  6. Organization of Information Security (2, 11)
  7. Compliance (3, 10)
  8. Asset Management (2, 5)
  9. Physical and Environmental Security (2, 13)
  10. Communications and Operations Management (10, 32)
  11. Information Systems Acquisition, Development, and Maintenance (6, 13)
  12. Information Security Incident Management (2, 5)
  13. Business Continuity Management (1, 5)
  14. Privacy Practices (7, 21)


Designed to leverage the best-in-class components for a comprehensive information risk management and compliance program, the HITRUST Approach integrates and aligns the following:

HITRUST CSF®—a robust privacy and security controls framework
HITRUST CSF Assurance Program—a scalable and transparent means to provide reliable assurances to internal and external stakeholders
HITRUST MyCSF®—an assessment and corrective action plan management SaaS platform
HITRUST Threat Catalogue™—a list of reasonably anticipated threats mapped to specific CSF controls
HITRUST Assessment XChange™—an automated means of sharing assurances between organizations
HITRUST Shared Responsibility Program—a matrix of CSF requirements identifying service provider and customer responsibilities
HITRUST® Third-Party Assurance Program—a third-party risk management process

More information, and resources regarding MyCSF is available here.

PTG Blog

Get email alerts when we publish new blog articles!

more blog posts:

Cloud Security

CIS Top 18 Controls (2022)

Formerly the SANS Critical Security Controls (SANS Top 20) these are now officially called the CIS Critical Security Controls (CIS Controls).

Read More
shallow focus photography of computer codes
Cloud Security

What is Threat Hunting?

Threat Hunting is a creative process. One’s abilities to think abstractly, challenge ideas, and be unafraid of failure lead to more knowledge and breakthroughs than someone who does everything the same way every time.

Read More
Pen Testing & VM

Web and API Penetration Testing

Modern web applications continue to be a challenge for organizations to secure as developers build increasingly complex business applications faster than ever. Many organizations are

Read More