HAA 2016-006: Certification to Require All CSF Controls Within 5 Years

Written by HITRUST | Mar 7, 2024 10:01:41 PM

Policy/Program Change Details
HITRUST policy has been to increase the number of controls required for CSF certification over time: 45 controls were required in 2009 for the initial release of the HITRUST CSF, and 66 controls are now required for certification against the v8 release. HITRUST has decided to accelerate the process of adding controls required for CSF certification and to incorporate all 135 CSF security controls in CSF Categories 0 through 12 within five (5) years. HITRUST organizations and assessors should plan for significant increases in the number of control requirements assessed for certification in all future releases until all 135 controls are addressed.

Rationale
The level of due diligence required to obtain satisfactory assurances around an entity’s information protection program has changed significantly in recent years and — along with increased use of the HITRUST CSF to support scorecards against external frameworks such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, combined HITRUST CSF and AICPA SOC 2 reporting, and cyber-insurance underwriting — HITRUST recently committed to its Board of Directors to integrating all the HITRUST CSF control requirements into the certification process within five (5) years.

Timetable for Implementation
Immediate: This bulletin is to clarify existing policy.