Everything You Need to Know About the New HITRUST e1 Assessment

March 13, 2023 | HITRUST

HITRUST CSF recently added a new assessment to their portfolio: the HITRUST e1 Assessment. Included in the HITRUST CSF v11 release, the e1 Assessment was designed to cover foundational cybersecurity practices. Let’s take a closer look at the e1 Assessment and what this new option might mean for your organization.

What is the e1 assessment? 

The HITRUST e1 Assessment is a low effort yet reliable assessment that helps organizations focus on foundational cybersecurity controls and prepares them for the most critical cybersecurity threats. 

The e1 Assessment can serve as a stepping stone to more comprehensive and higher-effort assessments such as the HITRUST i1 Assessment or r2 Assessment. With only 44 controls, it is significantly more attainable than other cybersecurity assessments. 

The e1 Assessment is also more affordable than broader assessments—only a third of the cost of an i1 Assessment. 

Similar to other HITRUST assessments, the e1 Assessment is threat-adaptive, which means that as the threat landscape evolves, the requirements will also be updated to address future risks as they emerge.  This includes mitigations for the most critical cybersecurity threats such as ransomware, phishing, brute force, and abuse of valid accounts.

Think of the e1 Assessment as the minimum level of cybersecurity assurance your organization can achieve. While it reliably demonstrates an organization’s commitment to the basics, it doesn’t provide coverage of compliance related to laws like HIPAA or other leading cybersecurity practices. 

The e1 Assessment is valid for one year from its issuance date. After that year, BARR experts recommend building on the established cybersecurity foundation with a higher level assessment. 

Who needs an e1 Assessment?

The e1 Assessment is an excellent first step for any organization looking for validation of essential cybersecurity controls that plan to progress to more robust assessments in the future. BARR experts recommend the e1 Assessment to startups or other organizations that are just getting started in their cybersecurity journey. 

The e1 Assessment may also provide the appropriate level of assurance for organizations with very low levels of cybersecurity risk that want a low-effort and reliable review of their foundational cybersecurity controls. 

Deciding Which HITRUST Certification is Right for Your Organization

Depending on where you are in your security journey, your organization may benefit from the e1 Assessment or a more robust HITRUST assessment. To determine which assessment is right for your organization, BARR recommends first analyzing the driving factor behind getting HITRUST certified. Whether it’s to meet client expectations or an internal goal, having a trusted partner like BARR can help you determine which HITRUST assessment is best for your organization. 

When it comes to HITRUST assessments, the level of effort each assessment takes directly correlates to the level of assurance it provides. For example, while the e1 Assessment is low effort, it provides only basic assurance. The r2 Assessment requires significantly more effort, but a higher level of risk assurance. Take a look below at some key differences between the e1, i1, and r2 Assessments.


HITRUST e1, i1, r2 Assessment Difference

Why BARR for e1 Assessments

As trusted external assessors, BARR experts will follow our proven HITRUST process during e1 Assessment. We’ll work through each control to ensure that your environment meets all foundational cybersecurity requirements. Take a look at the proven process we use to guide organizations through successful HITRUST engagements. 

HITRUST e1 Assessment FlowchartInterested in learning more about the HITRUST e1 Assessment and whether or not it may be right for your organization? Contact us today.


Let's Talk