Join us for an insightful webinar where Ryan Winkler, 360 Advanced Practice Director, and Ryan Patrick, HITRUST Vice President of Adoption, delve into the comprehensive HITRUST approach to security, privacy, and compliance. Discover how this valuable certification is adapting to the ever-changing compliance and cybersecurity landscape, empowering organizations to stay ahead of the curve. Don’t miss this opportunity to gain a deep understanding of HITRUST’s robust framework and its impact on assurance in the industry.
If you liked this webinar, you may also be interested in:
Jan 20, 2026
Ransomware has evolved from an opportunistic cybercrime into one of the most persistent and damaging threats facing organizations today. According to a recent report, the number of ransomware victims increased by 53%-63% over the past two years. As attacks grow in scale, sophistication, and impact, organizations need more than isolated controls or point-in-time assessments. They need defensible, measurable ransomware resilience.
To address this challenge, HITRUST has expanded its Insights Reports portfolio with a dedicated Ransomware Insights Report, aligning HITRUST assessment results to the NIST Cybersecurity Framework v2.0 and the NIST Ransomware Community Profile. This report delivers actionable insight into ransomware readiness using a trusted, validated assurance model.
What are HITRUST Insights Reports?
HITRUST Insights Reports transform existing HITRUST assessment results into mapped, audit-ready reports aligned with leading frameworks and regulatory expectations. Rather than treating compliance and risk reporting as duplicative efforts, Insights Reports allow organizations to extend the value of a single HITRUST assessment across multiple use cases.
These are reporting outcomes of the HITRUST assurance program, designed to help organizations communicate trust, maturity, and alignment more effectively.
Why focus on ransomware resilience now?
Ransomware continues to dominate the global threat landscape, cutting across industries and organizational sizes.
- According to Verizon’s 2025 Data Breach Investigations Report, ransomware was present in 44% of all analyzed data breaches, highlighting how frequently attackers rely on ransomware as a primary attack method.
- Small and mid-sized organizations (SMBs) were disproportionately impacted, with ransomware involved in 88% of breaches affecting SMBs.
The continued prevalence of ransomware across nearly half of all breaches demonstrates that it is no longer a niche or episodic threat, but a core attack technique used by threat actors across industries.
These figures underscore a critical reality: ransomware is not only increasing in frequency, but it is increasingly targeting organizations with fewer resources and lower tolerance for operational disruption, making ransomware resilience and preparedness essential components of modern cybersecurity and risk management programs.
What is the HITRUST Ransomware Insights Report?
The HITRUST Ransomware Insights Report maps validated HITRUST CSF assessment results to the subset of NIST Cybersecurity Framework v2.0 core subcategories prioritized in the Ransomware Community Profile, which outlines cybersecurity outcomes specifically designed to reduce the likelihood and impact of ransomware attacks.
The report provides:
- Mapped control alignment between HITRUST CSF requirements and NIST ransomware-related subcategories
- Control maturity evaluations, offering insight into the organization’s ability to counter ransomware threats and deal with the potential consequences of events
- Certified, audit-ready reporting, validated through HITRUST’s quality and assurance processes
This enables organizations to view ransomware resilience through a NIST-aligned lens, without conducting separate assessments or duplicative analyses.
How does HITRUST align with the NIST Ransomware Community Profile?
The NIST Cybersecurity Framework complements existing risk management and cybersecurity programs by providing a consistent structure for identifying, managing, and communicating cybersecurity risk. The Ransomware Community Profile, detailed in NIST IR 8374, builds on this foundation by emphasizing ransomware-specific resilience outcomes.
HITRUST maps its CSF requirements to NIST CSF v2.0 using the NIST OLIR methodology, ensuring traceability, consistency, and rigor. These mappings undergo a multi-stage internal review process, including automated checks, peer review, management review, and quality assurance validation.
The result is a defensible, transparent mapping that organizations can confidently use to demonstrate ransomware readiness to internal and external stakeholders.
What insights does the report deliver?
The Ransomware Insights Report delivers structured, outcome-driven insight into how well an organization is positioned to prevent, withstand, and recover from ransomware events.
At the core of the report is a ransomware scorecard that presents control maturity across prioritized NIST CSF domains, including Govern, Identify, Protect, Detect, Respond, and Recover. These maturity scores reflect the results of independent validation performed during a validated assessment and show how effectively ransomware-related security objectives are implemented and operating in practice.
For example, within the Govern function, the report highlights foundational capabilities that directly influence ransomware resilience, such as:
- Organizational context and risk awareness, which ensure ransomware preparedness is aligned to mission-critical services, stakeholder expectations, and regulatory obligations
- Defined roles, responsibilities, and authorities, enabling coordinated and timely action during ransomware incidents
- Risk management integration, ensuring ransomware risk is embedded into enterprise risk management and decision-making processes
The report enables organizations to quickly identify strengths, gaps, and areas for improvement. If control maturity falls below fully compliant, the report provides clear, relevant observations and corrective action considerations, supporting transparent risk discussions and remediation planning.
Ultimately, the insights delivered move beyond checkbox compliance. They provide leadership, risk owners, and security teams with a defensible view of ransomware readiness that can be used to communicate posture, prioritize investments, and demonstrate alignment with recognized ransomware resilience standards.
How can organizations use the Ransomware Insights Report?
Organizations can apply the report across multiple use cases, including:
- Board and executive reporting to clearly communicate ransomware readiness
- Third-party and vendor risk management, especially where ransomware exposure is a top concern
- Regulatory and audit support, leveraging NIST-aligned evidence
- Security program improvement, identifying gaps and prioritizing ransomware-related remediation
For organizations already using HITRUST, the report provides a new way to operationalize existing assessment results without added assessment burden.
Conclusion
Ransomware is no longer an isolated risk. It is a defining cybersecurity challenge. Organizations must be able to measure, demonstrate, and improve resilience. The HITRUST Ransomware Insights Report delivers a practical, trusted mechanism to translate complex control environments into meaningful, ransomware-focused insight.
In a landscape where ransomware attacks are increasingly inevitable, measured resilience is what separates disruption from recovery.
Defending Against Ransomware: What is HITRUST Ransomware Insights Report
Jan 14, 2026
AI security risk is escalating faster than organizations can measure it. AI governance frameworks such as ISO/IEC 42001 establish oversight and accountability, but they do not evaluate the security of AI systems. As AI becomes embedded in products, services, and vendor ecosystems, validated AI security assurance offers a stronger, more practical way to measure and reduce real AI risk, where governance alone falls short.
What is the difference between AI governance and AI security?
AI governance defines how AI is managed within an organization. It focuses on policies, decision-making structures, roles, and oversight intended to ensure responsible and compliant AI use.
AI security focuses on how AI systems are protected. It examines whether controls are implemented in deployed systems, whether they are tested, and whether they actually work.
Governance sets expectations. Security assurance validates reality.
Why AI security risk remains largely invisible in TPRM
AI is being deployed at a pace that outstrips traditional risk management models. Vendors are introducing AI capabilities continuously, often without clear visibility into how those systems are secured or monitored.
Most third-party risk programs still rely on indirect signals such as questionnaires and attestations to assess vendor security.
With AI, this approach breaks down. Risk teams are left to infer security posture from narrative evidence, while the actual AI systems remain untested. Because AI security controls are selectively tested and rarely validated, organizations often do not know what protections are actually in place until an incident occurs. This creates a false sense of control, where risk appears managed on paper but remains unmeasured in practice.
Why governance frameworks cannot reduce AI security risk
Governance frameworks are designed to manage behavior, not validate technical outcomes.
They do not:
- Prescriptively define AI security controls
- Require testing of deployed AI environments
- Validate control effectiveness through independent assessment
- Provide standardized, comparable evidence of AI security
For instance, ISO/IEC 42001 is a governance framework designed to help organizations establish an AI Management System (AIMS). It provides structure around accountability, documentation, and continuous improvement for AI activities. However, ISO/IEC 42001 does not deeply assess the security of AI systems that are deployed and in use. Controls may be selectively implemented and selectively tested by accredited as well as unaccredited certification bodies, resulting in inconsistent assurance strength.
How AI security assurance delivers stronger risk reduction
AI security assurance focuses on measurable outcomes.
Rather than evaluating intent, it validates whether security controls are implemented, tested, and effective in real AI systems. This provides clear evidence that AI-related threats are being addressed.
Unlike management system audits, effective AI security assurance requires that all applicable controls be tested, using consistent methods and rigor through authorized assessors, so results can be relied upon by regulators, customers, and third-party risk teams.
The HITRUST AI Security Assessment and Certification was built specifically to deliver this level of assurance.
How HITRUST AI compares to ISO/IEC 42001
| Category | HITRUST AI Security Assessment and Certification | ISO/IEC 42001 |
| --- | --- | --- |
| Primary objective | Prove AI systems are secure | Establish AI governance |
| What is evaluated | Deployed AI systems and security controls | AI management processes |
| Control approach | Prescriptive, AI-specific, risk-based | Principle-based governance |
| Validation method | Independent testing and centralized QA | Management system audits with selective testing |
| Evidence provided | Standardized, defensible security assurance | Governance conformance evidence |
| Ability to reduce AI security risk | High | Limited by design |
For a detailed comparison between HITRUST AI Security Assessment and Certification and ISO/IEC 42001, read our recent blog post.
Why HITRUST offers what governance frameworks cannot
HITRUST is the only reliable solution built for AI security assurance. HITRUST AI Security Certification provides organizations with something governance frameworks are not designed to deliver: trusted proof of AI system security.
It is:
- Fast, enabling timely response to emerging AI threats
- Focused, targeting real AI security risks in deployed systems
- Affordable, allowing assurance to scale across vendors and internal environments
This makes AI security assurance practical, actionable, and repeatable.
HITRUST also delivers consistent assurance through vetted assessors, prescriptive, threat-driven testing requirements, and centralized quality assurance, reducing the variability and interpretation risk common in governance-based certifications.
What this means for organizations managing AI risk
AI governance establishes expectations. AI security assurance establishes trust.
As AI continues to permeate vendor ecosystems, organizations cannot rely on oversight alone. They must be able to measure security directly and act on verified results.
The organizations that move first will not just respond to AI risk — they will control it.
Why is AI Security Assurance More Effective than AI Governance Frameworks?
Jan 7, 2026
ISO/IEC 42001 and the HITRUST AI Security Assessment and Certification address AI risk from fundamentally different angles. While ISO/IEC 42001 defines how organizations govern AI, HITRUST provides assurance that AI security controls are implemented and tested, producing evidence-based confidence in the security of deployed AI systems.
Why must organizations focus on AI security now?
AI adoption has accelerated faster than most security and risk programs can adapt. AI risk no longer stops at the enterprise perimeter. It now lives inside the software, platforms, and services organizations buy and rely on every day.
Vendors are racing to introduce AI features and back-office efficiencies, often faster than security teams can assess them. For third-party risk management (TPRM) teams, this creates a critical question: How do we know a vendor’s AI platform is secure?
That question drives direct comparisons between ISO/IEC 42001 and the HITRUST AI Security Assessment and Certification.
What problem does ISO/IEC 42001 solve?
ISO/IEC 42001 demonstrates that an organization has implemented an AI governance and management structure. It shows that policies exist, responsibilities are defined, and AI-related activities are overseen through a formal management system.
For vendor risk programs, this can signal:
- Governance maturity
- Executive oversight of AI
- Commitment to responsible AI practices
ISO/IEC 42001 certification is based on whether the AI management system meets the standard’s requirements, but audits are typically risk-based and sample evidence rather than testing every possible control in depth. As a result, some listed controls may never be tested, even in certified environments.
In the market, ISO/IEC 42001 certifications may be issued by either accredited certification bodies (preferred) or non-accredited bodies. Accreditation improves consistency and trust, but buyers may not always be able to easily distinguish the rigor behind different certificates. This creates a market where assurance rigor varies significantly. TPRM teams cannot easily distinguish high-quality audits from low-quality ones.
Overall, ISO/IEC 42001 is not primarily designed as a technical security validation of a deployed AI system; it validates the organization’s AI management systems and governance processes, with security addressed through management-system controls rather than deep system testing. It answers how AI is managed — not how AI is protected.
What problem does HITRUST AI Security Certification solve?
The HITRUST AI Security Assessment and Certification addresses a different and increasingly urgent problem: proving that deployed AI systems are secure.
HITRUST focuses on:
- AI-specific security risks in real systems
- Prescriptive controls mapped to threats and tailored to AI deployment scenarios
- Independent testing, centralized quality assurance, and certification
Rather than evaluating governance maturity, HITRUST validates whether security controls are implemented, tested, and effective in operational AI environments. Every applicable HITRUST AI security control must be implemented and tested for certification. There is no selective control adoption or selective testing. This delivers defensible, evidence-based AI security assurance.
How do ISO/IEC 42001 and HITRUST AI compare?
| Category | HITRUST AI Security Assessment and Certification | ISO/IEC 42001 |
| --- | --- | --- |
| Purpose | AI security assurance: proves AI systems are secured through validated controls | AI governance framework: establishes an AI Management System (AIMS) |
| Framework type | Prescriptive security assurance framework purpose-built for AI risk | Management system framework focused on governance, policy, and oversight |
| What is assessed | Deployed AI systems and the security controls protecting them | Organizational AI management processes and controls |
| Governance vs. security | Security-first with measurable, testable outcomes | Governance-first; security depth is limited by design |
| Control rigor | AI-specific, prescriptive controls mapped to threats and tailored by deployment scenario | Largely non-prescriptive, principle-based requirements extending far beyond security |
| Assurance strength | Independent testing, centralized QA, and HITRUST certification | Management-system certification, selective testing; assurance varies by certification body |
| Best fit for | Proving AI systems are secure, internally and across vendors | Establishing enterprise-wide AI governance and accountability |
Why governance alone doesn’t reduce AI security risk
Governance maturity does not equal security assurance.
Two organizations may both hold ISO/IEC 42001 certifications while operating AI systems with vastly different security postures. Because the standard is principle-based, security depth depends heavily on interpretation and implementation.
For TPRM teams, this creates:
- Inconsistent evidence across vendors
- Heavy reliance on narrative explanations
- Increased effort to interpret and normalize risk
When AI is embedded in third-party products, this lack of standardization leaves material security risk unmeasured.
How HITRUST delivers measurable AI security assurance
HITRUST AI Security Certification was developed through extensive industry collaboration to address this exact gap. It enables scalable trust across vendor ecosystems by providing:
- 44 harmonized, AI-specific security controls
- Prescriptive controls mapped to NIST publications, ISO/IEC standards, and OWASP guidance
- Regular updates to address emerging AI threats
- Explicit mapping between threats and required controls
- Standardized reporting suitable for executives, regulators, and TPRM teams
The outcome is proof that AI systems are protected.
Is ISO/IEC 42001 or HITRUST AI the right choice?
For most organizations, the answer is not one or the other. It is understanding their distinct roles.
- ISO/IEC 42001 helps organizations govern AI responsibly.
- HITRUST AI Security Certification helps organizations prove AI systems are secure.
When AI is operational, customer-facing, or embedded in third-party products, governance alone is not enough.
In our upcoming blog, we’ll explore why this creates a critical blind spot in third-party risk management and why validated AI security assurance is becoming essential for managing AI risk at scale.