Companies expanding into new markets or partnerships are likely to face shifting, overlapping, and sometimes conflicting compliance requirements. "Mapping frameworks" (implementing one set of practices that satisfies the controls of several frameworks at once) minimizes duplicated effort while still meeting every security requirement.
Read on to learn how you can get started with HITRUST to ISO 27001 mapping, shifting from one health-adjacent framework to a more generalized one.
HITRUST and ISO 27001—Mapping the Two
Companies operating in the healthcare industry, and companies that want to form strategic partnerships with them, are often asked to demonstrate compliance with both HITRUST and ISO/IEC 27001. Compliance with just one may not satisfy every contract. Mapping the security controls between the two lets you evidence compliance with both from a single set of implemented controls.
This guide will break down everything you need to know about ISO and HITRUST mapping, including:
- An in-depth look at the HITRUST CSF and breakdown of its required controls
- An in-depth look at ISO/IEC 27001 framework and analysis of its controls
- A comparative look at both frameworks and matrix mapping relevant controls
By the time you finish this blog, you'll be well prepared to implement controls under one or both of these frameworks and to map controls between the two. We'll also provide resources to help.
HITRUST CSF Overview and Purpose
The HITRUST Common Security Framework (CSF) is a publication of the HITRUST Alliance. HITRUST was once focused primarily on the healthcare industry, but it has since branched out to provide security guidance applicable across many business types.
The CSF is built on the structure of ISO/IEC 27001 and 27002 and incorporates requirements from other regulations and frameworks, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The CSF harmonizes overlapping controls from these sources into a single set, which is what makes mapping across them practical. It is also tailored to the individual organization: which controls apply depends on the organization's size, the systems in scope, and the regulations it is subject to.
Breakdown of HITRUST CSF Controls
The HITRUST CSF comprises 14 "Control Categories" (numbered 00 through 13, written here as 0.0 through 0.13), which break down into 49 "Control Objectives," which in turn break down into 156 "Control References." Separately, HITRUST groups requirements into 19 assessment domains (such as Endpoint Protection, Vulnerability Management, and Audit Logging and Monitoring) that are used for scoring an assessment; the domains are a different cut of the same requirements, not a layer between Categories and Objectives. The full breakdown of Objectives and References by Category is as follows:
- Category 0.0: Information Security Management Program – One Objective and one Reference
- Category 0.1: Access Control – Seven Objectives and 25 References
- Category 0.2: Human Resources Security – Four Objectives and nine References
- Category 0.3: Risk Management – One Objective and four References
- Category 0.4: Security Policy – One Objective and two References
- Category 0.5: Organization of Information Security – Two Objectives and 11 References
- Category 0.6: Compliance – Three Objectives and 10 References
- Category 0.7: Asset Management – Two Objectives and five References
- Category 0.8: Physical and Environmental Security – Two Objectives and 13 References
- Category 0.9: Communications and Operations Management – 10 Objectives and 32 References
- Category 0.10: Information Systems Acquisition, Development, and Maintenance – Six Objectives and 13 References
- Category 0.11: Information Security Incident Management – Two Objectives and five References
- Category 0.12: Business Continuity Management – One Objective and five References
- Category 0.13: Privacy Practices – Seven Objectives and 21 References
Not every organization will have all 156 References in scope: a HITRUST assessment is scoped by organizational, system, and regulatory factors, and only the References those factors select must be implemented and evidenced. Because the CSF draws on so many source frameworks, the References that are in scope cover security obligations in many institutional contexts well beyond the CSF's original focus on healthcare providers.
ISO/IEC 27001 Overview and Purpose
ISO/IEC 27001 exists to standardize the requirements for an information security management system (ISMS). It is a joint publication of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was first published in 2005, and it received its first major update in 2013, which is why the framework is often referred to as "27001:2013." (A 2022 revision has since reorganized Annex A into 93 controls across four themes; the breakdown below follows the 2013 edition, which is the edition the HITRUST CSF was built on.)
As a source text for HITRUST and many other compliance frameworks, ISO 27001 bears a striking resemblance to them in focus and even in the names of its domains. However, it differs from most other frameworks in that it is not concerned exclusively with security controls: its main body (clauses 4 through 10) specifies requirements for the management system itself (context, leadership, risk assessment, internal audit, and continual improvement), while the controls live in Annex A. Because the organization selects which Annex A controls apply through its own risk assessment, mapping can be flexible but complex.
Breakdown of ISO 27001 Controls
ISO 27001 lists all of its controls in Annex A at the end of the document. Like HITRUST, the 2013 edition has 14 categories, or domains (A.5 through A.18), each divided into one or more sections (control objectives). In total, 35 sections house 114 controls, breaking down as follows:
- Annex A.5: Information Security Policies – Two controls in just one section
- Annex A.6: Organization of Information Security – Seven total controls across two sections
- Annex A.7: Human Resource Security – Six total controls across three sections
- Annex A.8: Asset Management – 10 total controls across three sections
- Annex A.9: Access Control – 14 total controls across four sections
- Annex A.10: Cryptography – Two controls in just one section
- Annex A.11: Physical and Environmental Security – 15 total controls across two sections
- Annex A.12: Operations Security – 14 total controls across seven sections
- Annex A.13: Communications Security – Seven total controls across two sections
- Annex A.14: System Acquisition, Development and Maintenance – 13 total controls across three sections
- Annex A.15: Supplier Relationships – Five total controls across two sections
- Annex A.16: Information Security Incident Management – Seven controls in just one section
- Annex A.17: Information Security Aspects of Business Continuity Management – Four total controls across two sections
- Annex A.18: Compliance – Eight total controls across two sections
ISO 27001's coverage is more general than HITRUST's, and its Annex A controls are worded more flexibly, but they are not optional suggestions. An organization seeking certification must produce a Statement of Applicability that lists every Annex A control, states whether it is implemented, and justifies any exclusion; a certification auditor will test that the justifications hold up against the organization's own risk assessment.
HITRUST to ISO 27001 Mapping Overview
To map across these and other regulatory compliance frameworks, RSI Security’s compliance advisory services can help your company keep track of all requirements proactively. Minimize redundancy and take advantage of all available efficiencies across systems with expert help.
Our HITRUST services include mapping to other common regulatory frameworks, such as various National Institute of Standards and Technology (NIST) publications. Map to the NIST Cybersecurity Framework (not to be confused with the HITRUST CSF) for general security, or to NIST SP 800-171 to qualify for contracts with the US Department of Defense (DoD) that involve controlled unclassified information. Our specialists facilitate HITRUST to NIST mapping and more.
Breakdown of Select Control Mapping
Mapping across any two frameworks is complex, and it stays complex even when mapping from a derivative framework back to its "source" framework, because the derivative has usually split, merged, or extended the source's controls. The three HITRUST Categories with the most controls offer distinct insights into what mapping the whole CSF onto ISO 27001 looks like:
- Many of the HITRUST Category 0.9 (Communications and Operations Management) controls map to ISO 27001 Annexes A.8, A.10, A.12, A.13, and A.14, a wide ISO spread for the largest HITRUST Category. A single HITRUST Reference in this Category often needs evidence from two or more ISO controls, so mapping here is many-to-many rather than one-to-one.
- Most of the HITRUST Category 0.1 (Access Control) controls map directly onto ISO 27001 Annex A.9 (also named Access Control), while the rest spread across A.6, A.7, and A.8.
- Very few of the HITRUST Category 0.13 (Privacy Practices) controls correspond to any individual control or Annex within ISO 27001, which addresses information security rather than privacy. These References are largely unmapped: satisfying ISO 27001 earns no credit toward them, and they must be implemented and evidenced on their own.
Taken together, these three Categories' 78 References make up half of the 156 HITRUST controls, so navigating this challenging portion of the overall map is half the battle.
Professional Compliance and Cybersecurity
As established just above, HITRUST to ISO 27001 mapping can be incredibly challenging even though one framework is based on the other, and both offer plenty of flexibility. Many companies facing these challenges find that working with a managed security services provider like RSI Security is the easiest way to meet all requirements. Contact us today to see just how powerful your compliance and overall cybersecurity infrastructure can become.
Download Our HITRUST Compliance Checklist
Assess where your organization currently stands with being HITRUST compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.