What is HITRUST Certification?
Founded in 2007, HITRUST issues certifications to businesses and organizations that are independently assessed for compliance with its Common Security Framework (CSF). An organization can obtain HITRUST certification when all the required controls are fully implemented within the scoped environment. The HITRUST CSF is designed for use by a variety of organizations that may create, access, store, or share sensitive data. The CSF incorporates commonly accepted standards such as ISO, NIST, PCI, HIPAA, and COBIT within its baseline security controls.
Assurance of a secure operating environment has become a challenge across every industry. Recent breaches have shown how supply chain attacks can have significant downstream impacts. Notably, many recent high-profile attacks could have been prevented through the application of sound cyber hygiene practices of the kind required of organizations undergoing HITRUST certification, such as the use of strong, advanced (e.g., multi-factor) authentication mechanisms and the ability to identify and prevent the use of weak credentials.
HITRUST addresses this challenge through the HITRUST Common Security Framework (CSF) and a Validated Assessment; if an organization reaches the required level of assurance, the result is a formal certification that is valid for up to two years.
What HITRUST Certification Options Are Available?
HITRUST provides a structured suite of three key cybersecurity assessments and certifications—e1, i1, and r2—tailored to an organization’s size, risk profile, and security needs. Since all three assessments are built on the HITRUST Framework (HITRUST CSF®), previous assessment efforts can be leveraged when pursuing more advanced certifications. Additionally, organizations can inherit existing controls from certified cloud service providers to streamline their compliance efforts.
In response to emerging security challenges posed by AI technology, HITRUST has introduced pioneering AI security and risk management assurance solutions. Whether an organization is developing, deploying, or using AI, these offerings provide comprehensive, prescriptive control specifications and methodologies to help validate and demonstrate security and risk mitigation strategies.
HITRUST Certification Options – original image source: https://hitrustalliance.net/assessments-and-certifications
As of February 2025, here are the various assessment and certification options available to organizations.
HITRUST e1 – 1-year Validated Assessment
Focusing on foundational information security practices, the e1 assessment and certification is well-suited for startups and companies with lower risk profiles or simpler operations. It provides an entry-level, validated assessment and certification based on 44 fundamental security controls. Additionally, organizations can use these controls as a foundation to progress toward the more advanced i1 or r2 certifications.
HITRUST i1 – 1-year Validated Assessment
Focusing on leading security practices, the i1 assessment and certification is well-suited for organizations with established information security programs that are prepared to showcase leading security practices. It provides a higher level of assurance than the e1, incorporating a greater number of controls. Additionally, efforts to achieve an active i1 certification can contribute toward obtaining an r2 certification.
HITRUST r2 – 2-year Validated Assessment
Focusing on expanded practices intended to counter a dynamic threat landscape, the r2 assessment and certification is ideal for organizations that must demonstrate regulatory compliance with authoritative frameworks such as HIPAA, the NIST Cybersecurity Framework, and many others. It also accommodates expanded tailoring of controls based on specific risk factors. As the most comprehensive and rigorous HITRUST assessment, it provides the highest level of assurance.
AI Risk Management Assessment
The HITRUST AI Risk Management Assessment delivers in-depth insights based on 51 practical and relevant AI risk management controls. Aligned with ISO 23894 and the NIST AI RMF, this assessment offers a streamlined control framework, enabling organizations to evaluate and report their performance in accordance with ISO and NIST standards.
AI Security Assessment and Certification
The HITRUST AI Security Assessment equips AI platforms and service providers with practical, prescriptive security controls and methodologies to securely adopt AI technologies. It supports shared responsibility inheritance and, when combined with an e1, i1, or r2 certification, helps organizations efficiently meet multiple compliance requirements within a unified framework.
Separating the assessments and certifications in detail is a topic that will likely warrant its own discussion in the future, but for now, there are four key differences worth focusing on:
- The e1 and i1 assessments are based on a static set of controls, whereas the r2 control set is determined by scoping factors; as a result, the size of an r2 assessment varies from one organization to another.
- The e1 and i1 evaluate only the implementation of controls, with minimal dependence on documented policies, whereas r2 assessments evaluate five levels of maturity: policy, procedure, implemented, measured, and managed.
- The e1 and i1 can lead to ONE year of certification, whereas the r2 can lead to two years of certification based on the completion of an interim assessment at the one-year mark. There is a rapid recertification process in place for the i1, which will focus on compliance with a subset of i1 requirements to be re-certified. There is no rapid recertification option for the e1 certification.
- The AI Security assessment and certification may be paired with an e1, i1, or r2 to result in a formal certification of AI Security.
How Do I Get HITRUST Certified?
If you are reading this, you may well be considering obtaining a HITRUST Certification. Some people may call it CSF certification, but the correct term is HITRUST certification. This post will walk you through the overall HITRUST certification process. You will learn the major steps needed to prepare, be assessed, and obtain the certification. We will also highlight some of the pitfalls to avoid along the way.
If you are not quite ready to dive into the HITRUST assessment processes but would like to learn more about HITRUST, I recommend that you take a look at one of our earlier blogs that walks you through the basics of HITRUST compliance.
What is The Process to Become HITRUST Certified?
To begin the HITRUST certification journey, organizations can download the HITRUST CSF framework at no cost, provided they meet the eligibility requirements. This framework serves as a foundation for assessing risk and ensuring compliance. A crucial first step in this process is conducting a HITRUST Readiness Assessment, which helps organizations evaluate their current risk posture and identify potential gaps. Additionally, this assessment facilitates discussions with a HITRUST Authorized External Assessor firm, an entity vetted and approved by HITRUST to provide services related to the HITRUST Assurance Program and the HITRUST CSF framework, including the various assessments.
The journey toward certification involves preparing for and undergoing either a HITRUST e1, i1, or r2 Assessment. To streamline this process, organizations can utilize HITRUST MyCSF, a SaaS platform designed to help entities efficiently prepare for a Validated Assessment. Following the assessment, the HITRUST Assurance and Compliance teams will review the findings and, if the organization meets the necessary criteria, issue a HITRUST Certification. The HITRUST Assurance Program follows a structured methodology with rigorous oversight to maintain consistency and quality across all assessments.
Is an Authorized CSF Assessor Required for HITRUST?
Yes! To achieve HITRUST certification, an organization is required to work with an External Assessor Organization that has been vetted and approved by HITRUST to perform validated assessments. Beyond that organizational approval, HITRUST also sets requirements for the background, training, and certification of the individual assessors who perform the work.
To serve our clients as an external assessor organization, we maintain a staff of experienced and qualified assessors who are certified by HITRUST. Our HITRUST assessors complete annual training activities and hold industry licenses and certifications including the CCSFP, CHQP, CISA, CISSP, CPA, and others.
What is a HITRUST Audit?
Strictly speaking, HITRUST certification does not involve an audit. HITRUST certification involves assessments. How are HITRUST assessments different from an audit? Let’s explore the basic differences between audits and assessments:
- Audits are focused on ensuring compliance with a given framework or set of requirements. They are performed to confirm that nothing is out of compliance.
- Assessments are focused on defining the current state of the environment within the context of a given ideal state. Assessments help identify weaknesses and measure the delta between the current state and the ideal state.
Here are a few other differences worth noting when comparing HITRUST to other audits and assessments.
- An audit generally results in some form of audit report, and within the world of information security this is often in the form of an auditor’s opinion about the implementation and operation of controls over a period of time (or even a point in time) – the audit report is NOT a certification, which is why the concept of “SOC 2 certification” is misleading as it does not exist.
- Certification confirms that an organization meets requirements associated with some formal standard. In this case, the HITRUST CSF is the standard, and HITRUST is the recognized accrediting body. Most frameworks in use do not have any such structure behind them.
- In some cases, an assessment is based on some legal or regulatory set of requirements. Examples of this are HIPAA or GDPR – while these are often used for audits, there are no certifications associated with them – another good example of where marketing terms are often used to describe something that does not exist. Learn more about the benefits of HITRUST certification and how it differs from HIPAA.
How to Prepare for a HITRUST Assessment
While you will need to receive and submit a validated assessment to HITRUST for certification, it is recommended that your organization start with a self-assessment or readiness assessment. A HITRUST self-assessment is performed internally by your own personnel against CSF, while a readiness assessment is typically performed by an independent third party. Either of these assessments will help familiarize your business with CSF requirements and identify any control gaps that should be addressed before going forward with a validated assessment. Read here to learn about potential HITRUST self-assessment pitfalls to avoid.
We recommend organizations have a readiness assessment performed by the HITRUST External Assessor Organization which will ultimately be performing their validated assessment. This provides you with the assessor’s perspective of the gaps that need to be addressed and allows you an opportunity to discuss any differing opinions regarding those gaps and how best to address them. Either way, be sure to be thorough. This is the time to catch any shortcomings. If you perform a self-assessment independently, the last step of preparation is to engage a HITRUST External Assessor Organization to perform your validated assessment.
Do You Need the HITRUST MyCSF Tool?
Another important item to decide is how much you plan to use the MyCSF tool for documenting the self and validated assessments performed for HITRUST certification. HITRUST gives you two options for using the MyCSF tool.
- Purchase A CSF Report – Access for only the assessment (90 days)
- Subscription – Full access year-round for an annual fee
Both will work. Each has its pros and cons. The first option is less expensive; however, you only have access to the tool for 90 days to complete a self-assessment and for your HITRUST External Assessor Organization to complete the validation of your assessment. The subscription option is more expensive, but may be worth it in the long run if you plan to maintain your HITRUST certification on an ongoing basis. The annual subscription allows you to track compliance throughout the year, access your information in the tool at any time, and roll forward the custom control set from CSF, as well as updates into your next year’s assessment.
The following chart illustrates the basic differences between the report-only and subscription options.
What is the Process for Completing a Validated HITRUST Assessment?
At this point, let’s assume you have performed a self/readiness assessment, remediated any control gaps, obtained access to the MyCSF tool, and engaged a HITRUST Certified CSF Assessor.
One important item to keep in mind is that all testing must be performed within a 90-day window, so organizations should consider resource availability and potential disruptions when planning for the assessment. The process itself is not complicated; organizations that struggle usually do so because of the sheer volume of requirements and evidence involved.
How Many Controls Are Required for HITRUST Certification?
Most r2 assessments contain 300-400 requirement statements, with 250 being a typical minimum. The e1 and i1 assessments include a static number of requirements: the current e1 contains 44 requirements and the current i1 contains 182. Not every individual requirement statement must be fully compliant to certify; instead, each requirement statement is scored, the scores are averaged within each of the 19 domains in MyCSF, and each domain's average must meet HITRUST's certification threshold. The AI security assessment adds approximately 44 requirements to the baseline e1, i1, or r2 assessment it is paired with, depending on a number of scoping factors.
What Are the Detailed Steps for HITRUST Certification?
We’ve discussed the general steps for the HITRUST assessment and certification journey – but in this section, we will dive into the details of the assessment process which occurs during the 90-day testing window through final certification.
The validated assessment process is generally a three-phased process:
- The organization scores itself and enters supporting evidence and a narrative in MyCSF; inheritance requests may also be entered and submitted to service providers.
- The external assessor performs validation testing which includes evidence reviews and on-site testing if needed.
- The finalized assessment is submitted to HITRUST for review and potential certification.
Step One: Narrative, Self-Scoring, and Evidence Collection
This requires you or a member of your organization to evaluate your compliance with each required control against either one (1) or five (5) maturity levels, depending on the assessment type as noted:
- Policy (r2)
- Procedure (r2)
- Implemented (e1, i1, r2)
- Measured (r2)
- Managed (r2)
Along the way, you will supply certain evidence and a narrative based on guidance and other requests from your assessor. Controls are grouped within 19 different assessment domains. Once you’ve documented your assessment for all of the controls within a domain, you will submit the domain to your Certified CSF Assessor. This portion of the process typically takes four to six weeks for an r2 assessment and much less for an e1/i1 assessment.
Step Two: Assessor Review and Validation Testing
Upon receiving a submitted domain, the assessor begins validating your self-assessment scoring against the available evidence. At the same time, your assessor will follow HITRUST's sampling guidance to test the controls against the same maturity levels.
If your assessments agree, the assessor will record the agreement in the tool and document the procedures performed to validate the assessment.
If the assessor disagrees with your self-assessment ratings, the assessor may return a control back to you in the MyCSF tool with comments.
If your assessor performed a readiness assessment (often referred to as a gap assessment) and you’ve addressed all the findings, you will have minimized the likelihood of running into surprises or disagreements between the self and validated assessments. If you skipped the preparation phase and did not perform a thorough self-assessment/readiness assessment or did not adhere to the HITRUST scoring methodology, this could be a very drawn-out, iterative process to come to an agreement. This portion of the process typically takes another four to six weeks for an r2 assessment, and much less for an e1/i1 assessment.
Step Three: HITRUST Review, Quality Assurance, and Certification
Once you and your assessor agree on scores and all evidence has been collected and entered into MyCSF by the assessor, the assessor submits the assessment to HITRUST for review. There are several phases of review and quality assurance (QA) the assessment must go through. First, a basic check for obvious issues (missing comments, missing attachments, etc.) is performed. Following this step, a QA analyst reviews the assessment and may request additional documentation, evidence, or clarification of testing activities, scoping factors or any component of the assessment HITRUST determines requires follow-up prior to issuance of the report and certification letter. This process typically takes anywhere from four to six weeks.
How Long Does It Take to Become HITRUST Certified?
For most organizations pursuing certification for the first time, it will take six to nine months to prepare for the assessment (which includes performing a readiness assessment, remediation, and allowing for the settling period required by HITRUST). It is then another three months to complete the validated assessment and obtain certification. Due to differences in the level of effort, the r2 assessment will naturally take longer to prepare for because of the multiple levels of maturity involved in the assessment. Preparation for an e1 or i1 assessment is expected to be more in line with preparations for a SOC 2 audit, which generally takes two to six months to prepare for, and then another four to six weeks to complete the assessment.
How Long is HITRUST Certification Good For?
The e1 certification is good for one year. This supports most third-party risk management processes in which most organizations leverage an annual cadence for the solicitation and review of audit reports and questionnaires as part of their vendor management program.
The i1 certification is good for one year. As with SOC 1, SOC 2, PCI, HIPAA, and other recurring audits and assessments, the full assessment must be performed annually and the certification issued by HITRUST each year. HITRUST recently introduced a rapid recertification process for the i1, which allows qualified entities to achieve recertification based on a reduced number of requirements.
The r2 certification is valid for two years from the date of certification. That said, after one year of certification, an organization must undergo an interim assessment to ensure the organization has made satisfactory progress on any gaps identified during the initial certification assessment and has continued to operate the information security program in a satisfactory manner. If everything checks out, then the certification is maintained until the two-year mark, at which time a new, comprehensive validated assessment is required.
The interim assessment is generally a much smaller subset of the original number of requirement statements, but the testing and evaluation criteria are the same as during the initial assessment. It’s important to understand that if an organization undergoes a significant change to the size, scope, or major systems in the environment, a full assessment will be required even if the organization is due for an interim assessment. The bottom line is that the scope of the assessment cannot change significantly between the initial assessment and the interim assessment. If it does, a full assessment will be required. Be sure to talk to your assessor about this as part of your strategic plans if you have any questions.
How Much Does It Cost to Become HITRUST Certified?
“How much does HITRUST cost?” This is a very typical question many clients ask during initial conversations. That question leads to a complex answer since there are three primary costs associated with achieving (and maintaining) HITRUST certification. HITRUST should not be considered a one-and-done assessment for the organization – as true compliance with HITRUST requirements requires the integration of a culture of security and compliance within the organization.
Organizations can expect to make three primary investments to achieve and maintain HITRUST certification.
- Fees for access to MyCSF and assessment objects – The fees to access MyCSF and to obtain a validated assessment report (which is required for certification) will range from $20k to $50k+ annually for most organizations.
- HITRUST External Assessor Assessment Fees – These are the fees paid to your assessor firm (your auditor) and they generally range from $40k to $250k+ annually. These fees can vary quite broadly based on the type of assessment (e1/i1/r2, readiness/validated) as well as the scope of the assessment. Any quality assessor firm will be willing to walk you through the scoping process to understand the size and complexity of the environment before quoting a specific price. The fees are most significant in the first year as this typically involves a readiness assessment as well as the first validated assessment, and then fees drop significantly as the organization transitions to the interim assessment and then a fresh validated assessment.
- Internal costs tied to resources, tools, personnel, and capital – Just like a home requires ongoing investment to be designed, built, and maintained, your organization will need to make an investment in the people, processes, and technologies that serve as the structure of your HITRUST compliance program. It is difficult to place a rough figure on this due to variations between organizations, but the organization should be aware these investments will be significant.
Understanding Your HITRUST Certification Journey
We hope this has helped you understand the process of obtaining a HITRUST certification. The HITRUST process can be lengthy and requires preparation and planning. However, it can provide your clients and partners peace of mind knowing your organization has taken the steps necessary to protect the sensitive data in your possession.
As Linford & Co is a HITRUST External Assessor Organization, we would be happy to assist you with any of your HITRUST compliance needs. Please contact us to arrange a consultation or with any additional questions you may have about our HITRUST Audit & Certification services.
This article was originally published on 1/3/2018 and was updated on 2/19/2025.
Richard Rieben is a Partner and HITRUST practice lead at Linford & Co., where he leads audits and assessments covering various frameworks including HITRUST, SOC, CMMC, and NIST. With over 20 years of experience in IT and cybersecurity and various certifications including PMP, CISSP, CCSFP, GSNA, and CASP+, Richard is skilled in helping growing organizations achieve their information security and compliance goals. He holds a Bachelor of Science in Business Management and an MBA from Western Governors University.