What Is HITRUST
HITRUST is a widely recognized certifiable framework that helps organizations demonstrate sound information protection practices across various industries, particularly in healthcare, financial services, and technology. The HITRUST framework consolidates and harmonizes key components from standards like HIPAA, NIST, ISO 27001, and GDPR into a certifiable, scalable approach to cybersecurity and privacy.
HITRUST helps organizations:
Reduce compliance fatigue by cross-mapping requirements to multiple frameworks
Demonstrate trust to customers, partners, and regulators
Align with industry best practices in a structured, certifiable way
To accommodate organizations at different stages of maturity, HITRUST offers three levels of assurance:
e1 (Essentials)
i1 (Implemented)
r2 (Risk-Based)
This article focuses on the e1 and i1 assessments, which are most commonly used by organizations early in their compliance journey or looking for moderate assurance without the complexity of the r2.
HITRUST e1: Essentials Assessment
The HITRUST e1 assessment provides lightweight, entry-level assurance for essential cybersecurity practices. It serves as a quick and cost-effective way for organizations to demonstrate that fundamental security controls are in place.
Key Characteristics
Covers 44 foundational requirements across core security domains
Designed to be fast (typically completed in 3–6 months) and cost-effective
Demonstrates alignment with baseline security expectations
Validation is self-attested; no external assessor is required for validation
Threat-adaptive: updated to reflect emerging risks such as phishing, ransomware, and AI-based threats
Attestation is valid for 1 year
Control Domains (e1)
Access Control
Awareness and Training
Endpoint Protection
Mobile Device Security
Encryption and Key Management
Physical and Environmental Security
Vulnerability Management
System and Communications Protection
Workstation Security
Configuration Management
Best For
Small organizations or startups
Companies just beginning their HITRUST journey
Vendors seeking initial assurance for prospective customers
Traversable
The e1 is designed to be traversable, meaning the work done here can be reused or built upon when moving toward i1 or r2 as security programs mature.
HITRUST i1: Implemented Assessment
The HITRUST i1 assessment offers moderate assurance by evaluating the implementation of well-established security controls. It’s more rigorous than the e1 but less complex than the fully risk-based r2.
Key Characteristics
Covers 182 requirements based on best practices from frameworks like NIST CSF, ISO 27001, and CIS
Requires third-party validation from a HITRUST Authorized External Assessor
Assesses actual implementation, but not control maturity or risk adjustment as the r2 does
Designed to be completed in 6–12 months
Valid for 1 year
Supports Rapid Recertification in year two if you've previously completed a validated i1
Offers optional Insights Reports if layered with regulatory or risk-based compliance factors (e.g., HIPAA, AI risk)
Threat-adaptive, updated regularly based on emerging threat intelligence
Control Domains (i1)
Access Control
Asset Management
Configuration Management
Data Protection and Privacy
Endpoint Protection
Identity and Authentication
Incident Response
Network Protection
Physical and Environmental Security
Risk Management
Security Operations
System and Communications Protection
Threat and Vulnerability Management
Workforce Security and Awareness
Best For
Mid-market or growing organizations
Vendors responding to increasing customer security demands
Companies needing a repeatable, audit-backed attestation without going full r2
Tailorable
The i1 can be tailored to include specific risk factors or regulatory layers depending on your business needs, offering flexibility as your compliance program evolves.
Choosing Between e1 and i1
If you're deciding between the two, consider the following:
If you're looking for a fast, cost-effective way to demonstrate basic cybersecurity readiness, e1 is a great entry point.
If your customers or partners require third-party validation, or if you're seeking stronger assurance of implemented controls, i1 is likely the better fit.
Some organizations begin with e1 to establish a foundation, then move to i1 as their security and compliance programs mature.
You may also have the option to pursue either a readiness assessment (internal preparation only) or a validated assessment (external audit and certification).
Side-by-Side Comparison: e1 vs. i1
Feature | e1 (Essentials) | i1 (Implemented) |
--- | --- | --- |
# of Requirements | 44 | 182 |
External Validation | No | Yes |
Assessment Type | Self-attested or readiness | Third-party validated |
Certification Length | 1 year | 1 year |
Completion Timeline | 3–6 months | 6–12 months |
Threat-Adaptive | Yes | Yes |
Rapid Recertification | N/A | Available after first year |
Insights Reports Option | Optional | Optional |
Best For | Startups, early-stage orgs | Mid-sized vendors, B2B providers |
Certification Approach | Traversable (build toward i1 or r2) | Tailorable (adapt to business needs) |
What to Expect from the Process
Scoping – Identify which systems and controls are in scope
Evidence Collection – Gather documentation or operational proof for each control
Validation (i1 only) – External assessor reviews implementation
Pre-QA Review – Preview draft results with assessor before submission
Remediation (if needed) – Address gaps found during review
Certification – Issued once HITRUST requirements are successfully met
NOTE: HITRUST assessments are managed through the MyCSF platform, where you document controls, upload evidence, coordinate with your assessor, and complete QA review. Drata supports your readiness by helping map controls, track requirements, and monitor compliance progress.
Compliance Guidance
Before pursuing certification, complete a gap assessment to identify and address documentation or operational gaps.
After certification, continue maintaining evidence and control performance; this is especially important for i1 recertification or a future transition to r2.
Whether you choose e1 or i1, both assessments demonstrate a proactive security posture that builds trust with customers and partners.