The HITRUST Common Security Framework (CSF) is a comprehensive, threat-adaptive standard designed to help organizations strengthen their security posture and build trust with customers, partners, and stakeholders.
While HITRUST has long been known as the gold standard for healthcare organizations, its reach today extends far beyond hospitals and health insurance carriers. In fact, SaaS and technology companies accounted for more than a third (37%) of HITRUST certifications in 2024.
Whether you’re a fast-growing startup or an established enterprise, HITRUST offers flexible certification options that scale with your needs—and BARR Advisory is here to guide you through every step of the journey. Here’s how.
Recognized internationally, HITRUST stands out for its flexibility and responsiveness to emerging threats. Because the framework is updated more frequently than standards like SOC 2 or ISO 27001, it is better equipped to help organizations across industries keep pace with today’s fast-evolving risk landscape.
Organizations pursuing HITRUST certification can choose one of three assessment options that provide varying levels of assurance:
“Because all of the e1 requirements can be found in the i1 and r2 assessments, the e1 often functions as an excellent starting point for organizations that want time to implement more robust control environments,” Brianna Plush, senior specialist and HITRUST field manager on BARR’s attest services team, said in a recent webinar. “But for many organizations, the e1 assessment is their destination. The e1 is often right for startups or organizations that have a lower level of risk that just need to demonstrate that they’ve got the essential cyber hygiene in place.”
As a HITRUST Authorized External Assessor with a dedicated cybersecurity consulting practice, BARR is able to support your organization throughout the HITRUST journey, from readiness to certification. Here’s how it works.
In most cases, your path to HITRUST certification will start with our attest services team, who will perform a readiness assessment tailored to your chosen assessment option: e1, i1, or r2. This process results in a gap report—a detailed list of areas for improvement that must be addressed before certification.
Once any gaps are identified, our consulting team steps in to help you prioritize and remediate those issues efficiently and effectively. This includes support with:
“We work side by side with your team to help you build a security program that’s compliant, practical, and scalable,” said Teddy VanGalen, a senior consultant at BARR Advisory. “Our goal isn’t just to put you on the path to certification—it’s to help you implement effective controls that reduce risk and support long-term growth.”
BARR’s consulting team provides tailored guidance based on your organization’s size, complexity, and project timeline. For example, r2 certifications generally require more extensive remediation work than e1 or i1 assessments, which may be completed more quickly.
Once remediation is complete, our attest services team takes over to conduct the formal HITRUST assessment. At the conclusion of their assessment, they will submit the results to HITRUST for approval and final certification.
Under frameworks like ISO 27001, the firm performing the audit is not allowed to help fix identified gaps. HITRUST is structured differently, however, allowing for a more collaborative approach.
Here’s why organizations of all sizes can trust BARR to guide them from gap analysis to HITRUST certification:
In addition, when you partner with BARR for both HITRUST readiness and certification, you benefit from continuity across the entire engagement. This translates into real benefits for your team:
BARR is also one of a select few firms in the U.S. that are accredited to perform audits against all of the top cybersecurity frameworks: HITRUST, ISO 27001, SOC 2, and PCI DSS. This allows us to offer assessments across multiple frameworks simultaneously as part of our proven coordinated audit approach, reducing duplication and simplifying your audit experience.
No matter where you’re starting from—or where you’re headed—BARR Advisory is here to help you build trust, reduce risk, and achieve HITRUST certification with confidence.
Contact us today to learn how our HITRUST readiness and certification services can support your organization’s security and compliance goals.