The CSF is a risk-based framework. To understand why, one must understand the intent behind selecting and implementing any specified set of controls, whether it is a custom set developed from a traditional risk analysis or one tailored from a pre-defined control baseline that was itself developed from such an analysis (e.g., ISO/IEC 27001 or NIST SP 800-53, both of which HITRUST leverages in the CSF). Regardless of the method used, an organization must implement all of the selected controls to manage risk at the level its leadership has deemed acceptable. Failure to fully implement every specified control necessarily leaves excessive residual risk. It follows that, once the controls have been selected on the basis of a risk analysis, the organization should take a compliance-oriented approach to implementing and maintaining them: the risk decision is made at selection time, and the ongoing task is to verify that each selected control is in fact fully in place.
For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure.