Organizations seeking streamlined solutions to their regulatory compliance requirements often look to comprehensive frameworks. The HITRUST CSF, the National Institute of Standards and Technology’s Special Publication 800-53 (NIST SP 800-53), and the International Organization for Standardization and International Electrotechnical Commission’s joint ISO/IEC 27001 are three prime examples of one-size-fits-all compliance. But which is best for your organization?
Why HITRUST CSF is Better Than NIST SP 800-53 and ISO/IEC 27001
Not all omnibus frameworks are created equal; HITRUST CSF is the best choice for most organizations, especially in the US. The sections below will break down why by providing:
- An overview of the HITRUST CSF and its benefits of robust scalability and flexibility
- An overview of NIST SP 800-53 and its relative regulatory shortcomings vs. the CSF
- An overview of ISO/IEC 27001 and the complications that make it suboptimal in the US
With comprehensive compliance advisory services, you further streamline your decisions and implementation with respect to all legally or otherwise required regulatory compliance.
Benefits of Robust, Streamlined HITRUST CSF Implementation
The HITRUST CSF is the flagship cybersecurity framework overseen by the HITRUST Alliance. Initially designed for healthcare security, it has developed into a comprehensive solution with built-in mapping infrastructure designed to streamline compliance across all other frameworks.
The CSF comprises 155 Control References, housed in 49 Objectives and 14 Categories:
- 0.0: Security Management Program – One Objective, one Reference
- 01.0: Access Control – Seven Objectives, 15 References
- 02.0: Human Resources Security – Four Objectives, nine References
- 03.0: Risk Management – One Objective, four References
- 04.0: Security Policy – One Objective, two References
- 05.0: Security Organization – Two Objectives, 11 References
- 06.0: Compliance – Three Objectives, ten References
- 07.0: Asset Management – Two Objectives, five References
- 08.0: Physical / Environmental Security – Two Objectives, 13 References
- 09.0: Communications Management – Ten Objectives, 32 References
- 10.0: Systems Acquisition / Maintenance – Six Objectives, 13 References
- 11.0: Incident Management – Two Objectives, five References
- 12.0: Continuity Management – One Objective, five References
- 13.0: Privacy Practices – Seven Objectives, 21 References
Across all References, the CSF details various Implementation Levels; these pertain to Maturity (i.e., depth and breadth of protection) on one hand and regulations on the other. For example, all controls applicable to HIPAA, DFARS, PCI-DSS, GDPR, or other equivalents will specify measures that correspond to or exceed HITRUST’s criteria. Further, the MyCSF tool includes mapping infrastructure that facilitates streamlined reporting, all from one central dashboard.
Shortcomings and Complications Related to NIST SP 800-53
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is also a comprehensive framework. However, it was not created to facilitate compliance with any other frameworks. Instead, it is a general guide to best practices, targeted toward organizations working with US government offices. This makes it a poor match for private sector entities.
The NIST SP 800-53 framework comprises 20 Control Families and over 700 Controls:
- Access Control (AC) – 25 Base Controls, 108 Control Enhancements
- Awareness / Training (AT) – Six Base Controls, ten Enhancements
- Audit / Accountability (AU) – 16 Base Controls, 41 Enhancements
- Authorization / Monitoring (CA) – Nine Base Controls, 17 Enhancements
- Configuration Management (CM) – 14 Base Controls, 42 Enhancements
- Contingency Planning (CP) – 13 Base Controls, 37 Enhancements
- Identification / Authentication (IA) – 12 Base Controls, 43 Enhancements
- Incident Response (IR) – Nine Base Controls, 31 Enhancements
- Maintenance (MA) – Seven Base Controls, 21 Enhancements
- Media Protection (MP) – Eight Base Controls, 12 Enhancements
- Physical Protection (PE) – 23 Base Controls, 29 Enhancements
- Planning (PL) – 11 Base Controls, three Enhancements
- Program Management (PM) – 32 Base Controls, five Enhancements
- Personnel Security (PS) – Nine Base Controls, eight Enhancements
- PII Transparency (PT) – Eight Base Controls, 13 Enhancements
- Risk Assessment (RA) – Ten Base Controls, 13 Enhancements
- System / Service Acquisition (SA) – 15 Base Controls, 90 Enhancements
- System / Communications (SC) – 47 Base Controls, 92 Enhancements
- System / Information Integrity (SI) – 22 Base Controls, 78 Enhancements
- Supply Chain Risk Management (SR) – 12 Base Controls, 15 Enhancements
Despite this seemingly vast scope, SP 800-53 falls short of naming specific, industry- or other legally required controls. Organizations that implement SP 800-53 in its entirety will likely still fall short of compliance requirements, necessitating further implementation of other frameworks.
Biggest Challenges and Other Considerations for ISO/IEC 27001
Finally, ISO/IEC 27001 (Information Security Management) is also grand in scale, although not quite as exhaustive as NIST or HITRUST. However, unlike the frameworks above, detailed information about its structure and requirements has not been made publicly available. This barrier is one reason organizations’ stakeholders (both personnel and clientele) may be less familiar with its safeguards. Another is that this framework is predominantly used outside the US.
The ISO/IEC 27001:2013 framework comprises 114 total controls, spread across 14 groups:
- A.5: Information Security Policy – Two controls
- A.6: Information Security Organization – Seven controls
- A.7: Human Resources Security – Six controls
- A.8: Asset Management – Ten controls
- A.9: Access Control – 14 controls
- A.10: Cryptography – Two controls
- A.11: Physical / Environmental Security – 15 controls
- A.12: Operations Security – 14 controls
- A.13: Communications Security – Seven controls
- A.14: System Acquisition / Maintenance – 13 controls
- A.15: Supplier Relationships – Five controls
- A.16: Incident Management – Seven controls
- A.17: Business Continuity Management – Four controls
- A.18: Compliance – Eight controls
While ISO/IEC 27001 is relatively comprehensive, it is much more commonly used in markets outside the US—namely, in parts of Europe, Asia, and Africa. An organization that implements this framework may find its US clients and customers aren’t familiar with or won’t accept it.
Achieve and Maintain HITRUST Certification with RSI Security
All three of these security and privacy frameworks are relatively similar; they all offer a robust, comprehensive approach to cyberdefense. However, HITRUST stands out from both NIST SP 800-53 and ISO/IEC 27001. This is because, unlike the latter two, it is applicable across nearly every legal or regulatory requirement a US-based organization is likely to face—the HITRUST Approach is centered around “assess once, report many.”
To get HITRUST certified, contact RSI Security today!