Which of the following are true with e1, i1, and r2 assessment types? (Select all that apply)
A. All evaluate core cybersecurity hygiene
B. All can vary requirement statement counts based on added compliance factors
C. r2 assessments can include fewer than 19 domains, while e1 and i1 assessments require 19 domains
D. All require testing of the control implementation
The Answer Is:
A, B, D
Explanation:
All three validated assessment types—e1, i1, and r2—evaluate controls considered core to cybersecurity hygiene, though at different levels of assurance. For example, e1 is a low-effort model focusing on essential hygiene, i1 is a moderate-assurance model, and r2 is a comprehensive, risk-based model. Requirement statement counts can vary depending on the regulatory and organizational factors selected during scoping. For instance, adding PCI-DSS or HIPAA will increase requirement counts across all types. All assessment types also require testing of implementation, since evidence of operational control performance is mandatory for validation. The incorrect option is C: r2 assessments always include all 19 domains, and so do e1 and i1 assessments. What differs is the number of requirement statements in each domain, not the domains themselves.
[References: HITRUST Assurance Program Overview – “Assessment Type Comparison”; CCSFP Study Guide – “e1, i1, r2 Requirements and Domains.”]