hitrust logo


What is HITRUST?

The HITRUST Common Security Framework (HITRUST CSF) is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. The HITRUST Alliance is a not-for-profit organization, founded in 2007, âborn out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.â HITRUST also leads many efforts in awareness, education, and advocacy related to information protection. In addition, HITRUST's framework has since been developed to be non-industry specific.

The HITRUST CSF consists of 14 Control Categories (see below), 19 Domains, 49 Control Objectives, 156 Control References, and 3 Implementation Levels. The HITRUST CSF was built on the primary principles of ISO 27001/27002 and has evolved to align with a wide range of regulations, standards, and business requirements. These include HIPAA, PCI-DSS, NIST 800-53, NIST Cybersecurity Framework, COBIT, GDPR, and more.

HITRUST CSF Control Categories

  • Information Security Management Program
  • Access Control
  • Human Resources Security
  • Risk Management
  • Security Policy
  • Organization of Information Security
  • Compliance
  • Asset Management
  • Physical and Environmental Security
  • Communications and Operations Management
  • Information Systems Acquisition, Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Privacy Practices


  • You have a customer requiring HITRUST compliance
  • You're looking to improve your overall security posture through a recognized, reputable and certifiable framework
  • You're looking to establish governance over your risk management and information security programs
  • You're looking to differentiate your organization through adoption of an efficient, flexible and scalable standard
    • Harmonizes and maps existing controls and requirements from standards, regulations, business, and third-party requirements, including:
    • HIPAA, NIST 800-53, PCI-DSS, ISO 27001/2, COBIT, GDPR, etc.
    • Scales controls based on the size, type, and complexity of your organization
    • Is non-industry specific
  • The HITRUST CSF Assurance Program enables trust in information protection through an efficient and manageable approach
    • The comprehensiveness of the requirement statements for the assessed entity is based on multiple levels within the HITRUST CSF as determined by defined risk factors

View our additional IT Audit and Compliance services and capabilities

Cybersecurity Resources

Case Studies

Our Thoughts On

contact us

Map of Pittsburgh Office

One PPG Place, Suite 1700
Pittsburgh, PA 15222

p: 412.261.3644     f: 412.261.4876

Map of Columbus Office

65 East State Street, Suite 2000
Columbus, OH 43215

p: 614.621.4060     f: 614.621.4062

Map of DC Office
Washington, D.C.

1660 International Drive
McLean, VA 22102