HITRUST’s objective in creating the HITRUST CSF was two-fold:
- Develop a risk-based methodology to provide organizations with a customizable, prescriptive set of control requirements
- Establish a common, certifiable framework to reduce costs and inefficiencies
The HITRUST CSF contains a minimum set of control requirements that organizations must implement. Organizations then obtain the complete, tailored set of control requirements necessary for certification based on the following categories of risk factors:
- Organizational: size and complexity of operations
- System: technology environment characteristics
- Regulatory: applicable compliance requirements
As service providers face increasing requirements from their customers’ vendor risk management programs, a single compliance exercise becomes less likely to satisfy everyone. However, a primary advantage of the HITRUST CSF is that the framework was developed from the International Organization for Standardization’s (ISO) 27001:2005 standard and also cross-references several other standards (e.g., Payment Card Industry (PCI), System and Organization Controls (SOC) 2). The framework is also updated at least annually to address cybersecurity risks and remain aligned with industry requirements and best practices.
It’s critical that organizations connect with an approved HITRUST CSF Assessor firm early in their preparation activities in order to understand the overall process and nuances of obtaining HITRUST CSF certification, including:
- Developing an overall certification project plan
- Scoping your HITRUST CSF assessment
- Understanding potential certification challenges and success factors
- Selecting the right report deliverable