One Framework, One Assessment, Globally.

The foundation of all HITRUST programs and services is the HITRUST CSF, a certifiable framework that provides organizations a comprehensive, flexible, and efficient approach to regulatory/standards compliance and risk management.

The HITRUST CSF provides the structure, transparency, guidance, and cross-references to authoritative sources that organizations globally need to be certain of their data protection compliance. The initial development of the HITRUST CSF leveraged nationally and internationally accepted security and privacy-related regulations, standards, and frameworks – including ISO, NIST, PCI, HIPAA, and GDPR – to ensure a comprehensive set of security and privacy controls. HITRUST continually incorporates additional authoritative sources as they are released and accepted in industry and global sectors. The HITRUST CSF standardizes these requirements across authoritative sources to provide clarity and consistency and reduce the burden of compliance.

The commitment and expertise demonstrated by HITRUST ensures that organizations leveraging the framework are prepared when new security and privacy regulations and risks are introduced.

For more on understanding and leveraging the HITRUST CSF, click here.

Download the HITRUST CSF v11.2.0 free of charge.

To keep the CSF relevant and up to date, v11.2.0 leverages the speed, accuracy, and efficiency of the AI-supported toolkit in the v11 framework to refresh three authoritative sources and add six new ones, most notably mappings to NIST AI RMF v1.0, ISO/IEC 23894, and ISO 31000.

  • Added NIST AI RMF v1.0, ISO/IEC 23894, and ISO 31000 mapping and selectable Compliance factor, “Artificial Intelligence Risk Management”
  • Added Ontario Personal Health Information Protection Act mapping and selectable Compliance factor, “Ontario Personal Health Information Protection Act”
  • Added Veteran Affairs Directive 6500 mapping and selectable Compliance factor, “Veteran Affairs Directive 6500”
  • Added ISO 27001:2022 mapping and selectable Compliance factor, “ISO 27001:2022”
  • Added ISO 27002:2022 mapping and selectable Compliance factor, “ISO 27002:2022”
  • Added NY OHIP Moderate-Plus v5 mapping and selectable Compliance factor, “NY OHIP Moderate-plus Security Baselines v5”
    • The existing NY OHIP Moderate-Plus Compliance factor, “NY OHIP Moderate-plus Security Baselines v3.1”, will not be selectable as of v11.2.
  • Refreshed 23 NYCRR 500 mapping and selectable Compliance factor, “23 NYCRR 500”
  • Refreshed FTC Red Flags Rule mapping and selectable Compliance factor, “FTC Red Flags Rule”
  • Refreshed NV Title 52 603A mapping and selectable Compliance factor, “NV Title 52 603A”

FAQ

Will v11.2.0 and v11.1.0 both be in HITRUST MyCSF?

Yes. Both will be accessible in MyCSF.

What’s different between HITRUST CSF v11.2.0 and v11.1.0?

The HITRUST CSF v11.2.0 release contains the enhancements listed above: new mappings and selectable Compliance factors for NIST AI RMF v1.0, ISO/IEC 23894, and ISO 31000 (“Artificial Intelligence Risk Management”), the Ontario Personal Health Information Protection Act, Veteran Affairs Directive 6500, ISO 27001:2022, ISO 27002:2022, and NY OHIP Moderate-Plus Security Baselines v5 (replacing the v3.1 Compliance factor, which is no longer selectable as of v11.2); and refreshed mappings and Compliance factors for 23 NYCRR 500, the FTC Red Flags Rule, and NV Title 52 603A.

If an organization is in the process of starting an assessment in v11.1.0, should it re-evaluate and move to v11.2.0?

The reason an organization would move to v11.2.0 would be to take advantage of the enhancements listed above. The CSF Summary of Changes document offers additional details regarding CSF changes. MyCSF subscribers can use the preview functionality described in HAA 2023-011 to determine the impact on an existing assessment prior to upgrading to v11.2.0, including a detailed look at the direct changes that will apply to the assessment.

How will this impact existing v11.1.0 assessments in process?

There will be no impact unless an organization and assessor firm determine the modifications to certain requirement statements and illustrative procedures in v11.2.0 are appropriate for the scope and requirements of the assessed entity. Assessments for v11.1.0 can still be generated despite the release of v11.2.0.

Why choose the HITRUST CSF over other frameworks (ISO, NIST, etc.)?

The HITRUST CSF integrates and harmonizes information protection requirements from many authoritative sources – including ISO, NIST, PCI, and HIPAA – and allows an organization to tailor the requirements based on specific organizational, system, and compliance risk factors. The level of integration and prescriptiveness provided by the framework, along with the quality and rigor of the HITRUST Assurance Program and supporting HITRUST products and services, make the HITRUST CSF the easy choice for organizations in any industry.

Download the HITRUST CSF

The HITRUST Approach is built upon the comprehensive and scalable HITRUST CSF framework, which helps organizations of all sizes implement and enhance information risk management and compliance programs. For eligible organizations, the HITRUST CSF is available to download free of charge.
