Accelerate your HITRUST Journey through Inheritance

The HITRUST Shared Responsibility and Inheritance Program streamlines the HITRUST certification journey and makes it easier and quicker to achieve security certification.

With this program, organizations can now reuse previously certified controls. They can inherit information protection controls from internal shared IT services and external third-party organizations, including vendors and Cloud Service Providers (CSPs).

Major CSPs like Amazon, Google, and Microsoft are already HITRUST certified. This makes it easier for organizations to achieve their own certifications, because they benefit from controls their CSPs have already had certified.

Benefits of the HITRUST Shared Responsibility and Inheritance Program


A simple, standardized structure that clearly defines who owns the different cloud security controls to avoid confusion


Widely adopted, accessible, and transparent program to efficiently inherit existing control assessment data

Efficient risk management

Seamless communication between organizations and CSPs/vendors to coordinate and share controls equitably

Time and cost saving

Inheritance from prior HITRUST assessments to cut redundancy and save time and money on the certification journey

Did you know organizations can inherit up to 85% of requirements in a HITRUST assessment from participating CSPs?

HITRUST Shared Responsibility Matrix

The HITRUST Shared Responsibility Matrix (SRM) is a free, easy-to-use baseline template that pre-populates shared responsibility and control inheritability in shared cloud environments. The HITRUST SRM is widely adopted by leading CSPs and their relying customers.

The HITRUST SRM is built on the HITRUST CSF. It simplifies and clarifies the practical application of control sharing and is also available in tailored CSP-specific versions.

HITRUST Control Inheritance

When performing HITRUST Assessments, Inheritance enables the use of prior HITRUST Validated or Certified Assessment results along with reliance on shared cloud controls. It extracts control data, such as statements and results, from previous assessments and places them into the new assessment. This is done through MyCSF, HITRUST’s SaaS tool used to perform control assessments against the HITRUST CSF.

HITRUST supports two types of Inheritance.

Internal Inheritance

Organizations can inherit and repurpose their past control assessment results and scores.

External Inheritance

Organizations can import control assessment results and scores from assessments belonging to their hosting, cloud, or other service providers.