Do HITRUST e1 and i1 assessments require policy documents?

HITRUST High Growth Tech Blog

Do HITRUST e1 and i1 Assessments Require Policy Documents

Unraveling the intricacies of HITRUST assessments is crucial for organizations striving to achieve and maintain information security compliance. Understanding the role of policy documentation in the HITRUST framework is paramount to ensuring a robust and effective compliance strategy. Join us as we explore the requirements, considerations, and best practices surrounding policy documents in HITRUST E1 and I1 assessments. Gain valuable insights to navigate the compliance landscape with confidence.

The new e1-validated HITRUST assessment offers a baseline level of assurance focused on implementing essential cybersecurity hygiene. The new i1-validated assessment provides a moderate level of assurance focused on implementing leading information security practices.

The r2, a risk-based two-year validated assessment, scores the thoroughness of policies, procedures, and implementation regarding a particular requirement statement.

The new e1 (Jan. 2023) and i1 (Jan. 2022) only score implementation, so does this mean policy or standards documents are not required?

The e1 and i1 measure the implementation of several controls against the requirements stated in the entity’s formal policy or standards documentation.

For instance, an evaluative element for a requirement statement may instruct the External Assessor to obtain and inspect the organization’s specific security control policy or standard. We will also compare it to the technical enforcement of the control implementation within its systems.

So, what if the organization has implemented the security control according to best practices but has no policy or standard practice requiring the level of security control?  The requirement statement can’t be scored 100%.

The security team may be doing the right thing, but since they are doing it without a mandate from leadership, the controls could be discarded, and the budget diverted quickly.

While many call policy without implementation a work of fiction, I call the implementation of a security control without a requirement in a policy or standard vigilantism.

Requirement statements and evaluative elements may not specifically call out testing a policy or standard, but when the user is required to follow a control, I would look to a policy document.

Eight of the 19 domains in the e1 require policies to receive a full score, while 17 of the 19 domains in the i1 require policies for scoring.

Would you like to learn more about tailoring your policies and procerus documents to meet compliance and justify your security controls? We can help your organization to craft policies. We will not only apply to the e1 or i1 HITRUST assessment but also prepare your organization for a r2 and improved governance of information security. Please contact risk3sixty for help.

Share to


Share to

Like our content? Subscribe and stay informed.