BARR Advisory’s Simplified Roadmap to HITRUST Certification

July 10, 2024 | HITRUST

HITRUST is considered the international gold standard of security. Achieving HITRUST compliance demonstrates your organization meets the highest standards in information security. As a HITRUST Authorized External Assessor, BARR Advisory has extensive experience in the HITRUST process. We serve as your trusted partner every step of the way through our two-phase, five-step HITRUST roadmap to certification. 

Here’s our simplified overview:


During this period, BARR will identify control weaknesses that need correction. The advantage of performing a readiness assessment prior to a HITRUST assessment is that it gives management an opportunity to address control gaps prior to an inaugural examination, as well as helps with required risk assessment activities. 

Step 1: Plan & Define Scope

BARR provides guidance on purchasing, setting up, and working with the HITRUST MyCSF® tool. We’ll help you identify stakeholders, define scope, and gather the necessary information to maximize the efficiency of your HITRUST CSF journey, saving you time and money.

Step 2: Readiness Assessment

BARR will walk you through the process of gathering information and completing questions within the readiness assessment. We will assess controls and provide recommendations for remediation. Then, we will work with you to implement the necessary policies and procedures to prepare you to obtain your HITRUST CSF Certification successfully. Once these controls are remediated, they’ll be implemented for a period of 90 days prior to your assessment. 


Throughout the validated assessment phase, a number of testing procedures will take place to ensure compliance gaps have been appropriately identified and controls are implemented and operating effectively. 

Step 3: Validation

Once all identified compliance gaps are addressed, the next step to certification is to undergo a HITRUST CSF Validated Assessment. BARR’s certified practitioners will use the HITRUST MyCSF® tool to assess your environment against HITRUST CSF requirements. 

Step 4: HITRUST Quality Analysis

BARR will submit the assessment to HITRUST for Quality Analysis, which can take four to 10 weeks. If approved, you will be issued a certified report by HITRUST. If HITRUST denies your application for certification, they will issue you a validated report that outlines the gaps that need remediation. 

Step 5: Interim Assessments

Regular check-ins ensure ongoing effectiveness and improvement on average scores across the HITRUST CSF requirements. Recertification occurs one year after the initial certification and follows a similar process as the original certification.

The timeline for the HITRUST assessment process can vary depending on the type of HITRUST certification you pursue. On average, the e1 Assessment takes three months, the i1 Assessment takes 6-12 months, and the r2 Assessment takes 18-24 months. 

If you’re interested in more information about HITRUST certification, reach out to BARR for a free consultation or join us for our weekly HITRUST Open House every Wednesday at 11 a.m. CST.

Let's Talk