By understanding how HITRUST CSF controls address specific threats to personal data and other sensitive information, an organization can demonstrate the results of the risk analyses used by the control frameworks underlying the HITRUST CSF, e.g., ISO 27002, NIST SP 800-53, and PCI-DSS, as well as support other types of risk analyses. For example, an organization will be able to further tailor the HITRUST CSF control baseline generated from its organizational, system and regulatory risk factors by (1) addressing any additional or unique threats or vulnerabilities it may have that are not addressed by a HITRUST CSF control requirement in the HITRUST Threat Catalogue, (2) supporting the appropriate and allowable selection of alternative or compensating controls that are not contained in the HITRUST CSF, and/or (3) removing or relaxing specific control requirements in its baseline to help ensure the most cost-effective, risk-based application of the HITRUST CSF to its business and clinical environment.

ISO/IEC 27002:2013, available at
NIST SP 800-53 r4, available at
