The Certified CSF Practitioner Course includes in-depth instruction on risk management practices, and how to implement the CSF and utilize the methodology to perform assessments and validate compliance. The curriculum is supported by case studies, hands-on learning and real-world application of the knowledge learned.

This course is delivered in three components: (1) online pre-work via the HITRUST Academy learning management system, (2) classroom instruction in the HITRUST Training Center in Frisco, Texas, and (3) online Practitioner exam.

Online Topics

  • Overview of key players and how they interconnect
  • Analysis and discussion of trends within industry relating to privacy and security (e.g., challenges and constraints, top concerns and initiatives)
  • Overview of the regulatory landscape that affects organizations (e.g., compliance agencies, standards, regulations)
  • Review of market dynamics and the challenges facing industry
  • Introduction to HITRUST and the CSF
  • Discussion of risk management and its relation to the CSF
  • Review of the CSF Assurance Program

Classroom Topics

  • Thorough review of the structure of the CSF, including the control categories, objectives, and control references, multiple levels of implementation requirements, risk factors and authoritative sources cross referenced
  • Detailed explanation of MyCSF, including a review of each component and case studies with hands-on use of each component
  • Overview of the CSF Assurance Programs as a means of managing and communicating security internally and with third parties (e.g., business partners, customers, vendors)
  • Introduction to the tools and methodology for utilizing the CSF
  • Discussion of best practices for adoption and performing an assessment
  • Explanation of the differences between CSF Validated and CSF Certified assessments and their value to an organization
  • A review of the requirements for CSF certification

Course Materials

Students must bring a laptop with them to class. To properly access and utilize the course materials and tools used in the course, laptops must be equipped with Edge, Chrome, or Firefox, and Adobe Reader.

Intended Audience

The course is required for individuals working as part of a HITRUST Authorized External Assessor organization who wish to provide HITRUST and CSF-related services. It is also for those organizations that plan to leverage the framework and process internally.


The cost for the Certified CSF Practitioner Course is $3,000. The Practitioner Exam is included in the course price provided it is completed within 2 weeks following the session attended. After that time, an individual who has attended the class may take the exam no later than 90 days after their class end date for a $500 fee.


To enroll in the course each individual must have an account on the HITRUST Academy. Seats are available on a first come, first serve basis and guaranteed only when payment in full has been received.


Approximately 20 days before the class start date, enrolled students are given access to the online pre-work module (takes 1-3 hours to complete). The pre-work must be complete prior to arriving for the classroom component. Experience in IT compliance or audit is helpful.


Attendees must pass the Practitioner Exam to become a Certified CSF Practitioner (CCSFP). The CCSFP certification is valid subject to remaining current with required training. Practitioners are required to complete an online, annual refresher course each of the two years following classroom component completion and attend the full class again the third year to maintain the CCSFP certification. The training is due no later than the end of the month that corresponds with the certification’s original anniversary date.

Continuing Professional Education Credit

Participants who complete the Certified CSF Practitioner Course and pass the Exam are eligible for 27 hours to be applied toward continuing professional education (CPE) credit. Certificates will include the CPE hours and are available on an individual’s HITRUST Academy account.

Payment and Change Policies

Detailed information regarding payment, cancellations, refunds, transfers, substitutions, or exam retakes is available here.

Travel Information

For flight arrangement purposes, class starts at 8:30 AM Central. Participants should plan to leave the Training facility no earlier than 12:00 PM on the last day of class. Additional travel and classroom-related information is available here.

For more information on this or other HITRUST Academy courses, please email or call 855.HITRUST.