Cybersecurity Best Practices and Risk Management Blog | HITRUST

What's Inheritance for Oracle Cloud Infrastructure?

Written by HITRUST | Nov 13, 2025 5:25:28 PM

By Jason Kor, Principal, Third Party Cyber Risk at HITRUST

If you’re using Oracle Cloud Infrastructure (OCI) and working through a HITRUST assessment in MyCSF, inheritance lets you rely on OCI’s existing HITRUST-validated controls instead of re-assessing everything from scratch. In this post, we’ll discuss what inheritance means, how it works in HITRUST MyCSF, and how you can use it to save time and effort on your journey to HITRUST certification.

What is inheritance in HITRUST?

Inheritance is a mechanism that allows one organization to leverage the assessment results of another. In simple terms, if a third party (like a cloud service provider) has already been assessed and certified for certain HITRUST CSF controls, you can “inherit” those controls instead of undergoing separate testing for them. For example, because Oracle Cloud Infrastructure is HITRUST certified, an OCI customer can reuse OCI’s assessment results for relevant cloud security requirements rather than testing those controls independently. This feature is built into MyCSF.

How does it work in MyCSF?

MyCSF is HITRUST’s online platform for managing assessments, and it enables inheritance of control testing results between assessments. The platform allows the control maturity scores of specific requirements to be transferred from a provider’s HITRUST assessment into your own assessment (with the provider’s permission). In practice, this can dramatically reduce your assessment workload.

What are the benefits of using inheritance with OCI?

Relying on OCI’s HITRUST-validated controls offers several clear benefits for your organization, including:

  • Significant time and cost savings: By inheriting controls from OCI’s assessment, you avoid performing redundant testing and evidence collection for those controls. This streamlines your certification process, potentially saving hundreds of hours of effort and associated external assessor costs.
  • Leverage proven security controls: OCI’s controls that have been evaluated against the HITRUST CSF are already proven effective. Inheriting these gives you immediate credit for the strong security measures implemented by OCI. This can even help boost your scores in certain areas, since you’re benefiting from controls that were assessed at higher maturity levels by a trusted provider.

What is the step-by-step process of inheriting OCI's controls in MyCSF?

Below is a step-by-step overview of how to identify, evaluate, and inherit applicable controls from OCI’s validated HITRUST assessment.

  • Identify available inheritable controls: Start by determining which HITRUST CSF control requirements OCI has already covered for you. Oracle provides a HITRUST Shared Responsibility Matrix (SRM) that clearly shows which controls are fully or partially OCI’s responsibility. Review OCI’s SRM (available through MyCSF, the HITRUST website, or Oracle’s compliance resources) to see which requirements are marked as inheritable from OCI. Focus on controls that align with the OCI services you are using.
  • Evaluate applicability to your assessment scope: For each control that might be inheritable, ensure it applies to your assessment’s scope and your use of OCI. Verify that you are using the OCI service associated with that control and that you meet any conditions for relying on OCI’s implementation.
  • With the help of your external assessor:
    • Submit an inheritance request in MyCSF: In the MyCSF portal, create a new inheritance request against Oracle Cloud Infrastructure’s HITRUST assessment. Here, you will select OCI as the “Inheritance Provider” and specify which control requirements you wish to inherit.
    • Oracle reviews and approves (or denies) the request: After submission, the OCI compliance team reviews your inheritance request. They compare your requested controls against OCI’s HITRUST assessment and the shared responsibility criteria. In essence, OCI will approve the request if you’re a valid customer and the controls truly fall under OCI’s assessment.
    • Apply approved inherited controls: Once OCI approves your request, OCI’s assessment results for those control requirements are inherited into your MyCSF assessment.

Shared responsibilities across HITRUST domains

It’s important to understand that not all HITRUST requirements can be inherited. It depends on what responsibilities OCI assumes versus what remains with you. The concept of shared responsibility in cloud computing comes into play: OCI covers the security of the cloud (the underlying infrastructure), while you’re responsible for security in the cloud (your applications, data, and internal processes). Some domains lend themselves more readily to inheritance based on this split.

Each domain has many requirements, some of which will be inheritable. For detailed control-level inheritability, please refer to the resources shared below. Here is a summary.

For each domain, the summary lists the customer’s responsibility, OCI’s responsibility, and the degree of inheritability.

1. Information Protection Program
   Customer’s responsibility: You must own and maintain an information protection program aligned with HITRUST. This includes governance, risk, and compliance policies.
   OCI’s responsibility: OCI provides credentials (ISO, SOC, HITRUST) but does not manage your corporate security program.
   Inheritability: Not inheritable

2. Endpoint Protection
   Customer’s responsibility: You must secure laptops, workstations, and other endpoints used to access OCI. This includes EDR, patching, and MDM. You must also configure OCI Compute and OKE workloads securely.
   OCI’s responsibility: OCI provisions VMs and clusters securely and maintains platform configurations once set.
   Inheritability: Slightly inheritable

3. Portable Media Security
   Customer’s responsibility: You must control all portable media outside of OCI facilities (USB drives, laptops, external storage).
   OCI’s responsibility: OCI prevents removable media in its datacenters and securely manages any physical media.
   Inheritability: Highly inheritable

4. Mobile Device Security
   Customer’s responsibility: You must secure mobile devices used to access the OCI Console, APIs, or your application. This includes encryption, MDM, and conditional access.
   OCI’s responsibility: OCI IAM supports MFA and federated SSO for secure mobile login.
   Inheritability: Slightly inheritable

5. Wireless Protection
   Customer’s responsibility: You must secure your corporate wireless infrastructure (Wi-Fi, VPN, remote access).
   OCI’s responsibility: OCI does not manage your wireless networks; its scope ends at the datacenter. AWS manages any wireless networks inside the datacenters.
   Inheritability: Not inheritable

6. Configuration Management
   Customer’s responsibility: You must configure compartments, IAM policies, secrets in OCI Vault, and tenancy/app settings securely. Misconfigurations remain your responsibility.
   OCI’s responsibility: OCI maintains baseline configurations for its managed services once provisioned.
   Inheritability: Moderately inheritable

7. Vulnerability Management
   Customer’s responsibility: You must patch your application code, libraries, and containers, and use the OCI Vulnerability Scanning Service for workloads.
   OCI’s responsibility: OCI patches the hypervisor, runtimes, and managed services like Autonomous DB.
   Inheritability: Moderately inheritable

8. Network Protection
   Customer’s responsibility: You must configure VCNs, Security Lists, Network Security Groups, and OCI WAF to enforce least-privilege access.
   OCI’s responsibility: OCI secures backbone networking and provides DDoS protection and segmentation at the platform level.
   Inheritability: Moderately inheritable

9. Transmission Protection
   Customer’s responsibility: You must enforce HTTPS/TLS for app endpoints and secure data exchanges with third parties.
   OCI’s responsibility: OCI enforces TLS in its backbone and provides OCI Certificates for managed certs.
   Inheritability: Moderately inheritable

10. Password Management
   Customer’s responsibility: You must define and enforce strong credential policies and MFA for your app’s users.
   OCI’s responsibility: OCI IAM enforces password/MFA policies for tenancy administrators.
   Inheritability: Slightly inheritable

11. Access Control
   Customer’s responsibility: You must design and manage IAM policies, compartments, and application-level authorization (RBAC/ABAC).
   OCI’s responsibility: OCI provides the IAM framework, groups, dynamic groups, and federation capabilities.
   Inheritability: Moderately inheritable

12. Audit Logging & Monitoring
   Customer’s responsibility: You must enable OCI Audit, configure Logging & Monitoring, and analyze logs in a SIEM or Logging Analytics.
   OCI’s responsibility: OCI automatically generates platform Audit events and exposes native logging streams.
   Inheritability: Moderately inheritable

13. Education, Training & Awareness
   Customer’s responsibility: You must train developers, admins, and users on security responsibilities and cloud best practices.
   OCI’s responsibility: OCI provides documentation and security guidance, but does not train your workforce.
   Inheritability: Not inheritable

14. Third-Party Assurance
   Customer’s responsibility: You must review OCI compliance reports and manage assurance for your vendors (SaaS, APIs, processors).
   OCI’s responsibility: OCI provides attestation reports through the Compliance portal.
   Inheritability: Not inheritable

15. Incident Management
   Customer’s responsibility: You must implement an incident response plan for your applications and tenancy. Subscribe to OCI Service Health notifications.
   OCI’s responsibility: OCI manages platform-level incidents and posts advisories on the OCI Service Health Dashboard.
   Inheritability: Moderately inheritable

16. Business Continuity & Disaster Recovery
   Customer’s responsibility: You must design for resiliency across regions, perform backups to Object Storage, and test restores.
   OCI’s responsibility: OCI provides redundant regional services and SLAs for core infrastructure.
   Inheritability: Moderately inheritable

17. Risk Management
   Customer’s responsibility: You must conduct risk assessments, identify threats, and document treatment plans for your applications.
   OCI’s responsibility: OCI provides a secure platform, but does not perform risk management on your behalf. Notably, some change management requirements appear in these domains; those are handled by OCI where appropriate.
   Inheritability: Moderately inheritable

18. Physical & Environmental Security
   Customer’s responsibility: (none listed)
   OCI’s responsibility: OCI fully manages datacenter security, biometrics, HVAC, redundant power, and other physical or environmental controls.
   Inheritability: Highly inheritable

19. Data Protection & Privacy
   Customer’s responsibility: You must classify sensitive data, apply retention/deletion policies, and fulfill privacy obligations (e.g., DSARs).
   OCI’s responsibility: OCI provides default encryption at rest, Vault for key management, and data residency controls.
   Inheritability: Moderately inheritable

Key resources for inheritance guidance

Before and during your use of inheritance, make sure to take advantage of official HITRUST and MyCSF resources that define the rules and best practices.

  • HITRUST Shared Responsibility Matrix (SRM): This is your roadmap for inheritance. OCI’s HITRUST Shared Responsibility Matrix is available to download from MyCSF or the HITRUST website, and it outlines exactly which controls in each domain are inherited. Treat the SRM as the source of truth on provider vs. customer control ownership. When in doubt about a particular requirement, consult the SRM to see if OCI or the customer is listed as responsible.
  • HITRUST Assessment Handbook: The HITRUST Assessment Handbook (latest version) provides comprehensive guidance on the assessment process, including the inheritance program. Section 12 of the handbook covers “Reliance on Assessment Results Using Inheritance” and details the requirements for using inheritance properly. It explains, for instance, the need for valid business justification and how inheritance requests must be submitted and approved within the MyCSF workflow.
  • MyCSF Help: Within the MyCSF platform, you can find help documentation and tools like the Inheritance Calculator that let you simulate how much effort you’ll save by inheriting certain controls.
  • OCI Compliance Documentation: Oracle Cloud may provide documentation or guides specific to its HITRUST offering. Check OCI’s compliance or security portals for any HITRUST inheritance guides or FAQs.

Getting support: External assessors and consultants

Finally, remember that you don’t have to navigate the HITRUST inheritance process alone. If you have questions or run into confusion, consider reaching out to a HITRUST Approved External Assessor or consultant for guidance. HITRUST maintains a directory of authorized External Assessor organizations. These are firms trained in the HITRUST CSF and assessment process. An experienced assessor can help you identify inheritance opportunities, interpret the SRM, and ensure you apply inherited controls correctly. In fact, if you are pursuing a Validated Assessment, you will need an External Assessor to validate your results, so involving them early can smooth out the process.

Don’t hesitate to use these expert resources. A quick consultation with a HITRUST assessor or a cloud security consultant can clarify doubts about what you can inherit and how to document it. They can also verify that you’re meeting all HITRUST requirements in the areas you don’t inherit (so nothing falls through the cracks).

Conclusion

Inheritance is a powerful feature in HITRUST MyCSF that can make your certification journey far more efficient. By leaning on OCI’s already-certified security controls, you can save time, reduce costs, and focus your energy on the areas that truly require your attention. Just remember that with great power comes responsibility. Always use the HITRUST Shared Responsibility Matrix and official guidance to know exactly what can be inherited versus what remains your duty. When in doubt, consult the experts (HITRUST-approved assessors or seasoned consultants) to ensure you’re on the right track. Leveraging the work of others through inheritance, when done correctly, helps turn HITRUST compliance into a manageable and collaborative effort. Good luck with your HITRUST assessment, and happy inheriting!

Key Takeaway: Use OCI’s HITRUST certification to your advantage. Inherit what you can, implement what you must, and always refer to HITRUST’s official resources for clarity. And if you need help, the HITRUST assessor community is there to support you in achieving a successful, stress-reduced certification.