By Jason Kor, Principal, Third Party Cyber Risk at HITRUST
If you’re using Oracle Cloud Infrastructure (OCI) and working through a HITRUST assessment in MyCSF, inheritance lets you rely on OCI’s existing HITRUST-validated controls instead of re-assessing everything from scratch. In this post, we’ll discuss what inheritance means, how it works in HITRUST MyCSF, and how you can use it to save time and effort on your journey to HITRUST certification.
What is inheritance in HITRUST?
Inheritance is a mechanism that allows one organization to leverage the assessment results of another. In simple terms, if a third party (like a cloud service provider) has already been assessed and certified for certain HITRUST CSF controls, you can “inherit” those controls instead of undergoing separate testing for them. For example, because Oracle Cloud Infrastructure is HITRUST certified, an OCI customer can reuse OCI’s assessment results for relevant cloud security requirements rather than testing those controls independently. This feature is built into MyCSF.
How does it work in MyCSF?
MyCSF is HITRUST’s online platform for managing assessments, and it enables inheritance of control testing results between assessments. The platform allows the control maturity scores of specific requirements to be transferred from a provider’s HITRUST assessment into your own assessment (with the provider’s permission). In practice, this can dramatically reduce your assessment workload.
What are the benefits of using inheritance with OCI?
Relying on OCI’s HITRUST-validated controls offers several clear benefits for your organization, including:
- Significant time and cost savings: By inheriting controls from OCI’s assessment, you avoid performing redundant testing and evidence collection for those controls. This streamlines your certification process, potentially saving hundreds of hours of effort and associated external assessor costs.
- Leverage proven security controls: OCI’s controls that have been evaluated against the HITRUST CSF are already proven effective. Inheriting these gives you immediate credit for the strong security measures implemented by OCI. This can even help boost your scores in certain areas, since you’re benefiting from controls that were assessed at higher maturity levels by a trusted provider.
What is the step-by-step process of inheriting OCI's controls in MyCSF?
Below is a step-by-step overview of how to identify, evaluate, and inherit applicable controls from OCI’s validated HITRUST assessment.
- Identify available inheritable controls: Start by determining which HITRUST CSF control requirements OCI has already covered for you. Oracle provides a HITRUST Shared Responsibility Matrix (SRM) that clearly shows which controls are fully or partially OCI’s responsibility. Review OCI’s SRM (available through MyCSF, the HITRUST website, or Oracle’s compliance resources) to see which requirements are marked as inheritable from OCI. Focus on controls that align with the OCI services you are using.
- Evaluate applicability to your assessment scope: For each control that might be inheritable, ensure it applies to your assessment’s scope and your use of OCI. Verify that you are using the OCI service associated with that control and that you meet any conditions for relying on OCI’s implementation.
- With the help of your external assessor
- Submit an inheritance request in MyCSF: In the MyCSF portal, create a new inheritance request against Oracle Cloud Infrastructure’s HITRUST assessment. Here, you will select OCI as the “Inheritance Provider” and specify which control requirements you wish to inherit.
- Oracle reviews and approves (or denies) the request: After submission, the OCI compliance team reviews your inheritance request. They compare your requested controls against OCI’s HITRUST assessment and the shared responsibility criteria. In essence, OCI will approve the request if you’re a valid customer and the controls truly fall under OCI’s assessment.
- Apply approved inherited controls: Once OCI approves your request, OCI’s assessment results for those control requirements are inherited into your MyCSF assessment.
Shared responsibilities across HITRUST domains
It’s important to understand that not all HITRUST requirements can be inherited. It depends on what responsibilities OCI assumes versus what remains with you. The concept of shared responsibility in cloud computing comes into play: OCI covers the security of the cloud (the underlying infrastructure), while you’re responsible for security in the cloud (your applications, data, and internal processes). Some domains lend themselves more readily to inheritance based on this split.
Each domain has many requirements, some of which will be inheritable. For detailed control-level inheritability, please refer to the resources shared below. Here is a summary.
| Domain | Customer’s Responsibility | OCI’s Responsibility | Inheritability |
|---|---|---|---|
| 1. Information Protection Program | You must own and maintain an information protection program aligned with HITRUST. This includes governance, risk, and compliance policies. | OCI provides credentials (ISO, SOC, HITRUST) but does not manage your corporate security program. | Not inheritable |
| 2. Endpoint Protection | You must secure laptops, workstations, and other endpoints used to access OCI. This includes EDR, patching, and MDM. You must also configure OCI Compute and OKE workloads securely. | OCI provisions VMs and clusters securely and maintains platform configurations once set. | Slightly inheritable |
| 3. Portable Media Security | You must control all portable media outside of OCI facilities (USB drives, laptops, external storage). | OCI prevents removable media in its datacenters and securely manages any physical media. | Highly inheritable |
| 4. Mobile Device Security | You must secure mobile devices used to access the OCI Console, APIs, or your application. This includes encryption, MDM, and conditional access. | OCI IAM supports MFA and federated SSO for secure mobile login. | Slightly inheritable |
| 5. Wireless Protection | You must secure your corporate wireless infrastructure (Wi-Fi, VPN, remote access). | OCI does not manage your wireless networks; its scope ends at the datacenter. AWS manages any wireless networks inside the datacenters. | Not inheritable |
| 6. Configuration Management | You must configure compartments, IAM policies, secrets in OCI Vault, and tenancy/app settings securely. Misconfigurations remain your responsibility. | OCI maintains baseline configurations for its managed services once provisioned. | Moderately inheritable |
| 7. Vulnerability Management | You must patch your application code, libraries, and containers, and use the OCI Vulnerability Scanning Service for workloads. | OCI patches the hypervisor, runtimes, and managed services like Autonomous DB. | Moderately inheritable |
| 8. Network Protection | You must configure VCNs, Security Lists, Network Security Groups, and OCI WAF to enforce least-privilege access. | OCI secures backbone networking and provides DDoS protection and segmentation at the platform level. | Moderately inheritable |
| 9. Transmission Protection | You must enforce HTTPS/TLS for app endpoints and secure data exchanges with third parties. | OCI enforces TLS in its backbone and provides OCI Certificates for managed certs. | Moderately inheritable |
| 10. Password Management | You must define and enforce strong credential policies and MFA for your app’s users. | OCI IAM enforces password/MFA policies for tenancy administrators. | Slightly inheritable |
| 11. Access Control | You must design and manage IAM policies, compartments, and application-level authorization (RBAC/ABAC). | OCI provides the IAM framework, groups, dynamic groups, and federation capabilities. | Moderately inheritable |
| 12. Audit Logging & Monitoring | You must enable OCI Audit, configure Logging & Monitoring, and analyze logs in a SIEM or Logging Analytics. | OCI automatically generates platform Audit events and exposes native logging streams. | Moderately inheritable |
| 13. Education, Training & Awareness | You must train developers, admins, and users on security responsibilities and cloud best practices. | OCI provides documentation and security guidance, but does not train your workforce. | Not inheritable |
| 14. Third-Party Assurance | You must review OCI compliance reports and manage assurance for your vendors (SaaS, APIs, processors). | OCI provides attestation reports through the Compliance portal. | Not inheritable |
| 15. Incident Management | You must implement an incident response plan for your applications and tenancy. Subscribe to OCI Service Health notifications. | OCI manages platform-level incidents and posts advisories on the OCI Service Health Dashboard. | Moderately inheritable |
| 16. Business Continuity & Disaster Recovery | You must design for resiliency across regions, perform backups to Object Storage, and test restores. | OCI provides redundant regional services and SLAs for core infrastructure. | Moderately inheritable |
| 17. Risk Management | You must conduct risk assessments, identify threats, and document treatment plans for your applications. | OCI provides a secure platform, but does not perform risk management on your behalf. Some change management requirements also appear in this domain and are handled by OCI where appropriate. | Moderately inheritable |
| 18. Physical & Environmental Security | | OCI fully manages datacenter security, biometrics, HVAC, redundant power, and other physical or environmental controls. | Highly inheritable |
| 19. Data Protection & Privacy | You must classify sensitive data, apply retention/deletion policies, and fulfill privacy obligations (e.g., DSARs). | OCI provides default encryption at rest, Vault for key management, and data residency controls. | Moderately inheritable |
Key resources for inheritance guidance
Before and during your use of inheritance, make sure to take advantage of official HITRUST and MyCSF resources that define the rules and best practices.
- HITRUST Shared Responsibility Matrix (SRM): This is your roadmap for inheritance. OCI’s HITRUST Shared Responsibility Matrix is available to download from MyCSF or the HITRUST website, and it outlines exactly which controls in each domain can be inherited. Treat the SRM as the source of truth on provider vs. customer control ownership. When in doubt about a particular requirement, consult the SRM to see whether OCI or the customer is listed as responsible.
- HITRUST Assessment Handbook: The HITRUST Assessment Handbook (latest version) provides comprehensive guidance on the assessment process, including the inheritance program. Section 12 of the handbook covers “Reliance on Assessment Results Using Inheritance” and details the requirements for using inheritance properly. It explains, for instance, the need for valid business justification and how inheritance requests must be submitted and approved within the MyCSF workflow.
- MyCSF Help: Within the MyCSF platform, you can find help documentation and tools like the Inheritance Calculator, which lets you simulate how much effort you’ll save by inheriting certain controls.
- OCI Compliance Documentation: Oracle Cloud may provide documentation or guides specific to its HITRUST offering. Check OCI’s compliance or security portals for any HITRUST inheritance guides or FAQs.
Getting support: External assessors and consultants
Finally, remember that you don’t have to navigate the HITRUST inheritance process alone. If you have questions or run into confusion, consider reaching out to a HITRUST Approved External Assessor or consultant for guidance. HITRUST maintains a directory of authorized External Assessor organizations. These are firms trained in the HITRUST CSF and assessment process. An experienced assessor can help you identify inheritance opportunities, interpret the SRM, and ensure you apply inherited controls correctly. In fact, if you are pursuing a Validated Assessment, you will need an External Assessor to validate your results, so involving them early can smooth out the process.
Don’t hesitate to use these expert resources. A quick consultation with a HITRUST assessor or a cloud security consultant can clarify doubts about what you can inherit and how to document it. They can also verify that you’re meeting all HITRUST requirements in the areas you don’t inherit (so nothing falls through the cracks).
Conclusion
Inheritance is a powerful feature in HITRUST MyCSF that can make your certification journey far more efficient. By leaning on OCI’s already-certified security controls, you can save time, reduce costs, and focus your energy on the areas that truly require your attention. Just remember that with great power comes responsibility. Always use the HITRUST Shared Responsibility Matrix and official guidance to know exactly what can be inherited versus what remains your duty. When in doubt, consult the experts (HITRUST-approved assessors or seasoned consultants) to ensure you’re on the right track. Leveraging the work of others through inheritance, when done correctly, helps turn HITRUST compliance into a manageable and collaborative effort. Good luck with your HITRUST assessment, and happy inheriting!
Key Takeaway: Use OCI’s HITRUST certification to your advantage. Inherit what you can, implement what you must, and always refer to HITRUST’s official resources for clarity. And if you need help, the HITRUST assessor community is there to support you in achieving a successful, stress-reduced certification.
What's Inheritance for Oracle Cloud Infrastructure?
By Sean Dowling, Vice President of Cybersecurity & Compliance, Accorian
In today’s compliance landscape, few things drain more resources than duplicative assessments. Organizations often find themselves juggling multiple frameworks (ISO 27001, HITRUST, SOC 2, and now even emerging AI and privacy standards), each with overlapping requirements but different scoring and evidence rules. I’ve seen this play out across industries: a health tech startup chasing HITRUST certification after ISO 27001, a global enterprise needing both HITRUST and SOC 2 for customer contracts, or a payer network navigating ISO and HITRUST simultaneously for international and U.S. obligations.
The good news is that alignment between frameworks, particularly ISO 27001 and HITRUST, has matured to the point where organizations can meaningfully reduce redundant work. When done right, you’re not just checking boxes twice; you’re building a more integrated, resilient security program.
Why ISO and HITRUST overlap so much
ISO 27001 has long been a well-known standard for global information security, while HITRUST dominates U.S. healthcare, technology, finance, and adjacent industries. Both frameworks require the following.
- Risk-based approaches – ISO through its ISMS (Information Security Management System), HITRUST through control inheritance and scoping.
- Policies, procedures, and evidence of effectiveness – both care less about “paper compliance” and more about demonstrable maturity.
- Technical safeguards and continuous improvement – ISO calls it Annex A, HITRUST maps it to its control categories.
For organizations that already hold ISO 27001 certification, at least 60%–70% of the groundwork is directly applicable to HITRUST. HITRUST itself maintains mappings to ISO 27001 and other frameworks within its own framework (the HITRUST CSF), which allows for “leveraging existing certifications” during assessment.
Where alignment saves effort
At Accorian, we’ve helped clients streamline by focusing on control mapping and evidence rationalization. The big wins typically come in:
- Policies and governance: One information security policy aligned to both frameworks beats two near-duplicates.
- Risk assessment methodology: Use the ISO risk treatment plan as the basis for HITRUST inherent risk factors.
- Technical controls: Encryption, access management, logging, and endpoint protection often map one-to-one.
- Continuous monitoring: ISO’s internal audit cadence can serve as input for HITRUST’s interim and recurring review requirements.
Instead of running parallel audit tracks, we build a single control inventory, then annotate where each requirement ties to HITRUST.
Where organizations still struggle
Despite the overlap, there are nuances where an ISO control doesn’t go far enough for HITRUST. Common sticking points we’ve seen include:
- Granularity of testing: HITRUST often requires sampled evidence across populations, whereas ISO may accept a point-in-time artifact.
- Healthcare-specific safeguards: HITRUST introduces HIPAA-driven controls that ISO doesn’t cover.
- Maturity scoring: ISO certifies the system, HITRUST grades the maturity of individual controls across policy, process, and implementation.
This is where organizations fall into the trap of re-documenting or scrambling last minute for artifacts. A smart alignment strategy bakes these gaps into the roadmap early.
My advice: Build once, certify many times
The mindset shift is key. Don’t treat ISO and HITRUST as separate projects; treat them as a unified program with multiple reporting outputs. A few practical steps I recommend:
- Start with a crosswalk: Build or adopt a mapping between ISO Annex A and HITRUST CSF controls.
- Establish a single evidence repository: Tag each artifact with the frameworks it satisfies.
- Automate where possible: Use compliance platforms (e.g., MyCSF or Accorian’s GoRICO) to reduce manual duplication.
- Plan assessment timelines together: Avoid audit fatigue by sequencing ISO surveillance and HITRUST interim reviews.
By reframing compliance as an integrated ecosystem, organizations cut redundant work, reduce assessor hours, and most importantly, strengthen the underlying security program.
How Accorian can assist organizations
This is where Accorian steps in. Our team specializes in helping organizations avoid duplicated effort by providing:
- Framework crosswalks and control mapping: We build tailored ISO-to-HITRUST mappings so you know exactly where evidence overlaps and where unique work is required.
- Evidence management and rationalization: Our assessors consolidate your documentation into a single repository, tagging artifacts for ISO, HITRUST, or CMMC.
- Gap assessments and roadmaps: We identify where ISO compliance falls short of HITRUST’s stricter maturity and specific requirements, and create a phased remediation plan.
- Assessment readiness: By sequencing your ISO surveillance audits and HITRUST assessments, we reduce audit fatigue while maximizing reuse of control testing.
- Technology enablement: Whether leveraging HITRUST MyCSF, Vanta, Drata, or custom Smartsheet trackers, we integrate compliance tooling into your workflow to cut down on manual effort.
With Accorian’s support, clients move away from siloed compliance projects toward an integrated, scalable security program.
Closing thoughts
Framework alignment is more than a cost-savings exercise; it’s a strategy that transforms compliance from a series of isolated projects into a sustainable, business-enabling program. When organizations embrace alignment, something powerful happens:
- Compliance shifts from reactive to proactive. Instead of scrambling for artifacts, organizations build a single, living compliance backbone that supports multiple certifications.
- Security maturity accelerates. Aligned frameworks reinforce one another: ISO’s ISMS discipline strengthens HITRUST’s maturity scoring, while HITRUST’s safeguards raise the bar for ISO environments.
- Stakeholder confidence grows. Customers, partners, and regulators recognize that your organization is demonstrating resilience across multiple requirements.
At Accorian, we’ve seen that the real payoff of ISO–HITRUST alignment isn’t just fewer hours of duplicated effort; it’s a stronger security culture, better risk visibility, and the agility to expand into future certifications like AI security certification without starting from scratch.
The reality is that compliance demands will only continue to multiply. Organizations that continue to chase frameworks one by one will burn time, money, and talent. Those that align, however, will future-proof themselves, turning compliance from a burden into a strategic differentiator.
My message is simple: do the work once, do it right, and let it count everywhere.
Talk to Accorian today about how our HITRUST approach can help you save time, reduce audit fatigue, and strengthen your security posture.
ISO vs. HITRUST: How Framework Alignment Reduces Duplicate Effort
By Sean Dowling, VP & Head of HITRUST, vCISO and Federal Services at Accorian
The security of your organization is only as strong as the weakest vendor in your supply chain. I've worked with dozens of companies that had solid internal security programs, only to watch their risk posture unravel due to a partner, supplier, or SaaS provider who lacked even basic controls. This isn’t rare. It’s a pattern. And it underscores a critical truth: Third-Party Risk Management (TPRM) is no longer a compliance add-on. It’s a business imperative.
The new reality: Risk is external by default
Organizations are increasingly dependent on external vendors for core operations, such as cloud services, billing platforms, development partners, and more. While this creates efficiencies and innovation, it also significantly broadens the attack surface. Recent breaches across sectors have made one thing clear: adversaries don’t need to breach your perimeter if they can exploit your ecosystem.
What’s more, regulatory expectations are evolving just as rapidly. Frameworks like HITRUST now require demonstrable vendor risk management processes. Beyond compliance, customers, investors, and insurers are also demanding assurance that third-party risk is being proactively managed.
Common gaps we see in TPRM programs
Many organizations struggle to implement a TPRM program that is both scalable and effective. Common issues include:
- Over-reliance on static questionnaires that vendors can complete without validation
- Lack of tiering: treating all vendors the same regardless of their access or criticality
- Infrequent reassessment, leading to outdated risk profiles
- No integration between vendor risk and broader enterprise risk management or security operations
- Limited accountability, where no one owns vendor remediation or monitoring
These weaknesses can lead to audit findings, lost certifications, data breaches, or failed compliance programs.
How Accorian helps build and sustain effective TPRM programs
At Accorian, we approach TPRM as both a compliance requirement and a core risk discipline. We help organizations build TPRM programs that are right-sized, standards-aligned, and operationally sustainable. Here’s how we do it.
TPRM program design and framework development
We design and document the entire TPRM lifecycle tailored to your organization’s size, sector, and compliance obligations. This includes policies, procedures, workflows, roles/responsibilities, and escalation paths.
Vendor inventory and risk tiering
We work with you to develop a centralized vendor inventory and apply a tiering model based on each vendor’s access to data, systems, or business processes. This ensures high-risk vendors get the scrutiny they deserve.
Assessment tools and evidence validation
Our team helps you select or build effective assessment methods and assists with control validation, documentation review, and penetration testing. We don’t just rely on checkboxes. We help validate that what vendors say matches what they actually do.
Integration with compliance programs
We align your TPRM program with the HITRUST framework. This helps satisfy overlapping requirements efficiently and ensures your TPRM efforts directly support your audit-readiness.
Automation and technology enablement
If desired, we help select and implement vendor risk platforms or integrate TPRM into existing GRC tools. We ensure the processes are technology-enabled, not technology-driven, so they remain practical and user-friendly.
Ongoing monitoring and vCISO support
Through our vCISO services, we provide ongoing vendor monitoring, reassessment scheduling, contract language reviews, and support for vendor incidents or escalations. We act as an extension of your security leadership team to keep your TPRM program active and accountable.
How HITRUST strengthens TPRM
One of the biggest challenges in third-party risk management is not just trust, but trust backed by validation. This is where HITRUST comes in. The HITRUST framework provides a common, certifiable standard that vendors can use to demonstrate their security and compliance posture. For organizations managing dozens or even hundreds of vendors, HITRUST assessments dramatically reduce the guesswork and overhead of vendor due diligence.
Benefits of leveraging HITRUST for TPRM include:
Consistency
Vendors are measured against the same control framework, eliminating the variability of one-off questionnaires.
Assurance through validation
HITRUST certifications are independently validated, giving you higher confidence that controls are in place and operating effectively.
Efficiency
Accepting HITRUST reports in lieu of custom assessments reduces the time and resources required to evaluate vendors.
Alignment with regulations
Because HITRUST maps to HIPAA, NIST, ISO, PCI, and other standards, vendor certifications help meet multiple compliance obligations at once.
Risk reduction
Using HITRUST as a benchmark helps you quickly identify vendors with weak or missing controls, so you can prioritize remediation or make better sourcing decisions.
Tiering
HITRUST offers different assessment options suited to different vendors based on their size, risk profile, and business needs.
In short, HITRUST provides a scalable, standards-based foundation for building trust across your vendor ecosystem. When embedded into your TPRM program, it enables organizations to move beyond box-checking exercises and toward real, evidence-based assurance.
Final thought: TPRM is the new frontline
A strong internal security posture is not enough. Without a mature TPRM program, you are leaving the door wide open to risks that are out of your direct control, but not out of your responsibility.
If your organization is unsure where to begin, has stalled progress, or is facing audit pressure, Accorian can help you build a program that not only satisfies compliance but also protects your business with the HITRUST approach. TPRM is a journey, and we help you navigate it every step of the way.