Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?
The best discussion of why one would choose the HITRUST CSF over ISO 27001 and NIST SP 800-53 is provided in an earlier FAQ, but to address the question about accepting one in lieu of another, we’ll need to expand a little further.
The biggest difference between the two certifications is what they intend to certify.
In the case of ISO 27001, the focus of the certification is on the information security management system (ISMS), which includes an evaluation of the information security risk assessment and treatment processes. However, “organizations can design controls as required, or identify them from any source” (ISO 27001, § 6.1.3.b, p. 4). Further, although ISO 27001 Annex A contains a list of control objectives and controls, they are not exhaustive and additional control objectives and controls may be needed” (Ibid., § 6.1.3.c, p. 4). And although the ISO assessor must produce a “Statement of Applicability that contains the necessary controls (see 6.1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A” (Ibid., § 6.1.3.d, p. 4), it doesn’t extend beyond what’s required in Annex A. Subsequently, organizations have wide latitude in the controls they specify to address the risks they identify at a level suitable to their risk appetite. ISO certification assessors also have some latitude in how they assess the effectiveness of the controls, and there is no quality control of the assessments other than a general requirement that consultants that help organizations prepare for ISO certification do not perform the certification assessment.
In effect, we’re left with the same problems that existed before the creation and implementation of the HITRUST CSF—which is actually structured on ISO 27001 and contains additional guidance from ISO 27002 and multiple other relevant authoritative sources such as HIPAA, NIST SP 800-53, CMS IS ARS, PCI DSS and the NIST Cybersecurity Framework—and its assessment through the HITRUST CSF Assurance Program: a lack of comprehensiveness and prescription in the control requirements; little or no U.S. healthcare industry context; lack of comprehensiveness related to regulations, legislation and other relevant requirements such as leading practice frameworks; and uncertain rigor and approach to the assessments including limited quality control.
The HITRUST CSF on the other hand provides a minimal baseline of comprehensive, prescriptive control requirements tailored to a healthcare organization’s specific organizational, system and regulatory risk factors. And the specific focus of HITRUST Certification is on the maturity of this control baseline’s implementation using a specific, rigorous assessment approach and scoring model in order to gauge the level of excessive residual risk to ePHI in the organization. HITRUST also provides detailed assessment procedures for each control requirement, and ensures assessments are performed by trained, qualified assessor organizations and requires each assessment undergo a quality assurance review to ensure accuracy and completeness before awarding certification.
As an example of how high-level control requirements can benefit from the context, comprehensiveness and rigor of the HITRUST CSF and CSF Assurance Program, one only has to look at the ongoing joint initiative between AICPA and HITRUST on using the HITRUST CSF to support SOC 2 assessments against the Trust Principles and Criteria. This ensures a standardized set of healthcare-relevant control requirements are identified for each criterion, and the assessment of these controls are conducted with a specific approach and level of rigor that provides relying entities, including regulators and other third parties, with accurate, consistent and repeatable assurances.
The best treatment on why one would choose the HITRUST CSF over ISO can be found in the risk framework analysis presented by HCSC and Children’s Health Dallas Selecting a Healthcare Information Security Risk Management Framework in a Cyber World. For more information on the HITRUST RMF, refer to the HITRUST RMF Whitepaper.