One of the most robust and comprehensive cybersecurity frameworks developed in recent years is the Common Security Framework (CSF), a HITRUST Alliance publication. HITRUST pulls together loose ends from various industry-specific guidelines into one all-inclusive document. The CSF is not required for most businesses, but all companies stand to benefit from adopting its controls and achieving certification.
But how many HITRUST controls are there? And what’s the best way to implement them and secure HITRUST compliance? This article has you covered.
How Many HITRUST Controls Are There?
In total, there are over 150 individual requirements comprising the HITRUST CSF. However, the actual number of HITRUST controls your company needs to implement for compliance and security depends on the applicability of control specifications and other compliance needs.
The 150+ requirements are complicated by the system of tiers (control categories, objectives, etc.). So, in the sections below, we’ll break down everything you need to know about HITRUST controls:
- A detailed breakdown of all the controls and their requirements
- A guide and resources for HITRUST compliance across all controls
By the end of this article, you’ll know how many controls there are, how they work, and what it takes to implement them (and how professional services can help).
Assess your HITRUST compliance
Full Breakdown of the HITRUST CSF Controls
The number of controls HITRUST CSF contains depends on your company’s definition of “control.” At the most basic level, HITRUST comprises 14 “Control Categories,” numbered 0.0 through 0.13. These categories break down into “Objectives,” which number 49 in total. At a more granular level, these Objectives break down further into 156 “References.”
These References are the most practical, which most companies define as “controls.”
Strictly speaking, each Reference also breaks down further into specific requirements, but these vary based on the business. In practice, there are 156 HITRUST CSF controls all companies must implement. But for many companies, it’s easier to conceptualize them as 14 Objectives. Below, we provide a synopsis of each Objective, one Category at a time.
Category 0.0: Information Security Management
There is just one objective, with one corresponding reference, in category 0.0:
- Objective 0.01 – Implement information security management program (one Reference)
Category 0.1: Access Control Security
There are seven objectives, with 25 corresponding references, in category 0.1:
-
- Objective 1.01 – Define business requirements for access control (one Reference)
- Objective 1.02 – Authorize access to information systems (four References)
- Objective 1.03 – Define user roles and responsibilities (three References)
- Objective 1.04 – Control network access (seven References)
- Objective 1.05 – Control operating system access (six References)
- Objective 1.06 – Control application and information access (two References)
- Objective 1.07 – Optimize mobile computing security (two References)
Category 0.2: Human Resources Security
There are four objectives, with nine corresponding references, in category 0.2:
-
- Objective 2.01 – Secure personnel before hiring (two References)
- Objective 2.02 – Secure personnel during onboarding (one Reference)
- Objective 2.03 – Secure personnel during employment (three References)
- Objective 2.04 – Secure personnel through termination (three References)
Category 0.3: Risk Management Policy
There is just one objective, with four corresponding references, in category 0.3:
- Objective 3.01 – Implement risk management program (four References)
Category 0.4: Information Security Policy
There is just one objective, with two corresponding references, in category 0.4:
- Objective 4.01 – Implement information security policy (three References)
Category 0.5: Information Security Organization
There are two objectives, with 11 corresponding references, in category 0.5:
-
- Objective 5.01 – Optimize internal organization (eight References)
- Objective 5.02 – Optimize organization of third parties (three References)
Category 0.6: Regulatory Framework Compliance
There are three objectives, with ten corresponding references, in category 0.6:
-
- Objective 6.01 – Comply with legally mandated requirements (six References)
- Objective 6.02 – Comply with technical and security standards (two References)
- Objective 6.03 – Consider information system audit requirements (two References)
Category 0.7: Asset Management Security
There are two objectives, with five corresponding references, in category 0.7:
-
- Objective 7.01 – Designate inventory responsibilities (three References)
- Objective 7.02 – Optimize classification of information (two References)
Category 0.8: Physical and Environmental Security
There are two objectives, with 13 corresponding references, in category 0.8:
-
- Objective 8.01 – Secure physical areas (six References)
- Objective 8.02 – Secure physical equipment (seven References)
Category 0.9: Communications and Operations Security
There are ten objectives, with 32 corresponding references, in category 0.9:
-
- Objective 9.01 – Document operational procedures (four References)
- Objective 9.02 – Control delivery of third party services (three References)
- Objective 9.03 – Optimize system planning procedures (two References)
- Objective 9.04 – Protect against malicious or mobile code (two References)
- Objective 9.05 – Back up sensitive information regularly (one Reference)
- Objective 9.06 – Manage network security (two References)
- Objective 9.07 – Manage handling of media (four References)
- Objective 9.08 – Secure exchange of information (five References)
- Objective 9.09 – Secure electronic commerce services (three References)
- Objective 9.10 – Monitor systems and log audits (six References)
Category 0.10: Information Systems Management
There are six objectives, with 13 corresponding references, in category 0.10:
-
- Objective 10.01 – Define information system security requirements (one Reference)
- Objective 10.02 – Optimize processing across applications (four References)
- Objective 10.03 – Optimize cryptographic controls (two References)
- Objective 10.04 – Ensure security of system files (three References)
- Objective 10.05 – Secure development and support processes (two References)
- Objective 10.06 – Manage technical vulnerabilities (one Reference)
Category 0.11: Security Incident Management
There are two objectives, with five corresponding references, in category 0.11
-
- Objective 11.01 – Report on security weaknesses and incidents (two References)
- Objective 11.02 – Manage incident response and recovery (three References)
Category 0.12: Business Continuity Management
There is just one objective, with five corresponding references, in category 0.12:
- Objective 12.01 – Integrate security and business continuity (five References)
Category 0.13: Privacy Security Practices
There are seven control objectives, with 21 corresponding references, in category 0.13:
-
- Objective 13.01 – Implement transparency policies (three References)
- Objective 13.02 – Implement participation policies (three References)
- Objective 13.03 – Optimize purpose specifications (two References)
- Objective 13.04 – Minimize the scope of data collection (two References)
- Objective 13.05 – Limit scope of data utilization (two References)
- Objective 13.06 – Optimize data quality and integrity (three References)
- Objective 13.07 – Assure accountability through audits (six References)
Implementation of HITRUST CSF Security Controls
Achieving compliance is about more than understanding and leveraging all 156 controls. It also requires verification of your implementation, whether through self-assessment or external validation by a qualified assessor. The levels or tiers of CSF Assessment include:
- Self-assessment, via questionnaire available through the MyCSF toolkit
- CSF Validation or Certification, facilitated by a qualified CSF Assessor
- HITRUST CSF Bridge Assessment, for companies seeking recertification
RSI Security’s dedicated suite of HITRUST certification and advisory services can help you reach any of these levels of compliance. We’ll work with your internal IT to prepare for self-assessment, then get you certified or verified once you’re ready. We’re a one-stop cybersecurity shop.
Professional Compliance and Security
Here at RSI Security, we know how critical compliance is for businesses of all sizes. We also know that compliance is just one part of the cybersecurity architecture you need to keep your business’s personnel and clientele safe. That’s why we’ve offered robust managed IT and security services for over a decade.
Returning to the question posed above: just how many HITRUST controls are there? There are 156 References distributed across 49 Objectives and represented in 14 Control Categories. Understanding all of these controls is only one step on the road toward compliance — and keeping your stakeholders safe. To take the next step, contact RSI Security today!
Download Our HITRUST Compliance Checklist
Assess where your organization currently stands with being HITRUST compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.