HITRUST CSF v11.2.0 Framework FAQs

Will v11.2.0 and v11.1.0 both be in HITRUST MyCSF?

Yes. Both will be accessible in MyCSF.

What’s different between HITRUST CSF v11.2.0 and v11.1.0?

The HITRUST CSF v11.2.0 release contains the following enhancements:

  • Added NIST AI RMF v1.0, ISO/IEC 23894, and ISO 31000 mapping and selectable Compliance factor “Artificial Intelligence Risk Management”
  • Added Ontario Personal Health Information Protection Act mapping and selectable Compliance factor “Ontario Personal Health Information Protection Act”
  • Added Veteran Affairs Directive 6500 mapping and selectable Compliance factor, “Veteran Affairs Directive 6500”
  • Added ISO 27001:2022 mapping and added a selectable Compliance factor, “ISO 27001:2022”
  • Added ISO 27002:2022 mapping and added a selectable Compliance factor, “ISO 27002:2022”
  • Added NY OHIP Moderate-Plus v5 mapping and selectable Compliance factor, “NY OHIP Moderate-plus Security Baselines v5”
    • The existing NY OHIP Moderate-Plus Compliance factor, “NY OHIP Moderate-plus Security Baselines v3.1” will not be selectable as of v11.2.
  • Refreshed 23 NYCRR 500 mapping and selectable Compliance factor, “23 NYCRR 500”
  • Refreshed FTC Red Flags Rule mapping and selectable Compliance factor, “FTC Red Flags Rule”
  • Refreshed NV Title 52 603A mapping and selectable Compliance factor, “NV Title 52 603A”

If an organization is in the process of starting an assessment in v11.1.0, should it re-evaluate and move to v11.2.0?

The reason an organization would move to v11.2.0 would be to take advantage of the enhancements listed above. The CSF Summary of Changes document offers additional details regarding CSF changes. MyCSF subscribers can utilize the preview functionality described in HAA 2023-011 to determine the impact on an existing assessment prior to upgrading to v11.2.0 including a detailed look at the direct changes that will apply to the assessment.

How will this impact existing v11.1.0 assessments in process?

There will be no impact unless an organization and assessor firm determine the modifications to certain requirement statements and illustrative procedures in v11.2.0 are appropriate for the scope and requirements of the assessed entity. Assessments for v11.1.0 can still be generated despite the release of v11.2.0.

Why choose the HITRUST CSF over other frameworks (ISO, NIST, etc.)?

The HITRUST CSF integrates and harmonizes information protection requirements from many authoritative sources – including ISO, NIST, PCI, and HIPAA, and allows tailoring of the requirements by an organization based on specific organizational, system, and compliance risk factors. The level of integration and prescriptiveness provided by the framework, along with the quality and rigor of the HITRUST Assurance Program and supporting HITRUST products and services, make the HITRUST CSF the easy choice for organizations in any industry.

How do I get started adopting the HITRUST CSF framework?

The decision to adopt the HITRUST CSF should be made at the organizational level; after which, the organization should perform an internal gap analysis of existing controls against the target controls in the HITRUST CSF. This analysis can be done manually as developed by the organization or can be facilitated by utilizing the HITRUST MyCSF SaaS solution. Once the information protection posture of the organization is understood, a risk management strategy and implementation timeline can be developed and communicated throughout the organization.

How can I obtain a copy of the HITRUST CSF?

The latest version of the HITRUST CSF framework is available for qualified organizations to download for FREE on the HITRUST website. A qualified organization is defined as any organization that employs a function or activity involving information protection, provided that the organization does not offer security and/or privacy products or services. In addition, any federal, state, or local agency or department may be considered a qualified organization.


If you are not sure whether your organization is qualified, please contact sales@hitrustalliance.net or call 855-HITRUST. HITRUST has the right to verify eligibility.


Download the HITRUST CSF v11.2.0 free of charge for qualified organizations.

How is the HITRUST CSF structured?

The CSF’s core structure is based on ISO/IEC 27001 and 27002, published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). It incorporates more than 40 other security and privacy-related regulations, standards, and frameworks providing comprehensive and prescriptive coverage. HITRUST has done extensive work to harmonize each of the current authoritative sources while continually evaluating new sources for inclusion. Through the lifecycle of each release, we integrate and normalize relevant requirements and best practices, as needed, while better aligning and eliminating redundant requirements within the framework.


The HITRUST CSF is a framework that normalizes security and privacy requirements for organizations, including federal legislation (e.g., HIPAA), federal agency rules and guidance (e.g., NIST), state legislation (e.g., California Consumer Privacy Act), international regulations (e.g., GDPR), and industry frameworks (e.g., PCI, COBIT). Then, the CSF simplifies this myriad of requirements by providing a single-source solution tailored to the organization’s needs. The CSF is the only framework built to provide scalable security and privacy requirements based on the different risks and exposures of each unique organization


Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through a variety of factors including an organization’s type, size, systems, and compliance requirements. There are 156 security and privacy-related control specifications, with associated implementation requirements; of which, 21 specifically address privacy practices.


The HITRUST CSF risk-based approach applies security/privacy resources commensurate with the level of risk by defining multiple levels of implementation requirements – which increase in restrictiveness. Three levels of requirements are defined based on organizational and system risk factors. Level 1 provides the minimum baseline control requirements; each subsequent level encompasses the lower level and includes additional requirements, commensurate with increasing levels of risk. To further tailor the control baseline, the compliance-based approach offered in the HITRUST r2 Assessment allows organizations to incorporate additional regulatory or compliance components that meet the organization’s needs and/or requirements.


As of CSF v11, HITRUST has aligned the selection of requirement statements used for the e1 assessment (HAA-2023-004), i1 assessment, and r2 assessment baseline so that each assessment builds upon the core requirement statements that are included in the e1 assessment.  This nesting of requirement statements allows organizations to begin with the entry-level e1 or moderate-level i1 assessment, and subsequently move through the assessment portfolio to demonstrate increased levels of information protection assurance.

Is the HITRUST CSF an industry standard for healthcare?

The HITRUST CSF is an information protection standard that can be effectively used by organizations across any industry – not just healthcare. The HITRUST CSF provides a consensus-driven standard of due care and due diligence for the protection of information, including electronic protected health information (ePHI), personally identifiable information (PII), payment card data, proprietary information, and other sensitive information.

Has the HITRUST CSF been adopted internationally?

Yes, organizations outside of the US have implemented the HITRUST CSF. Moreover, additional countries have expressed an interest in HITRUST, and we expect this interest to grow as adoption continues to increase within the US.


For more information, refer to Understanding and Leveraging the CSF webpage.

What is the relationship between the control categories of the HITRUST CSF and the assessment domains in MyCSF?

The simple answer is that there is no relationship between the HITRUST CSF control categories and the assessment domains. The HITRUST CSF control categories were derived from ISO and provide the structure for the framework. The assessment domains take the control requirements and group them into logical domains, based on common IT organizational structure. This structure makes performing an assessment more efficient as controls should be well-grouped around typical IT departments.

Chat Now

This is where you can start a live chat with a member of our team