The HITRUST CSF’s core structure is based on ISO/IEC 27001:2005 and 27002:2005, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and incorporates more than 40 other security- and privacy-related regulations, standards, and frameworks, providing comprehensive and prescriptive coverage.
Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through a variety of factors including organization type, size, systems, and regulatory requirements.
HITRUST CSF’s risk-based approach applies security and privacy resources commensurate with the level of risk, or as required by applicable regulations or standards, by defining multiple levels of implementation requirements, which increase in restrictiveness. Three levels of requirements are defined based on organizational, regulatory, or system risk factors. Level 1 provides the minimum baseline control requirements; each subsequent level encompasses the lower level and adds further requirements, commensurate with increasing levels of risk.
The HITRUST CSF is structured along the lines of ISO 27001:2005 with its 11 control clauses (or categories); however, it adds a 12th control category to address implementation of an Information Security Management Program, similar to the ISMS of ISO 27001:2005, and a 13th category to address risk management. HITRUST has also incorporated a 14th control category to address specific privacy practices, such as those required by the GDPR, that are otherwise not addressed in the previous 13 categories.
There are 156 security- and privacy-related control specifications with associated implementation requirements, 21 of which specifically address privacy practices.