How to Leverage HITRUST CSF for ISO 27001 Certification

September 16, 2022 | HITRUST, ISO 27001

HITRUST and ISO 27001 are two of the most challenging yet widely sought-after information security certifications. The HITRUST MyCSF platform can give organizations an upper hand in achieving both. We sat down with Senior HITRUST Consultant and Lead ISO Auditor Stephen Ryan to discuss how organizations can leverage HITRUST to achieve their ISO 27001 certification.

What’s the difference between HITRUST CSF and ISO 27001?

ISO 27001 is an international standard that helps organizations establish, implement, and maintain an information security management system (ISMS). The HITRUST CSF is a set of prescriptive controls that cover a number of industry standards, including ISO 27001.

According to Ryan, “ISO 27001 is part of the foundation that HITRUST was built upon, which is why HITRUST CSF can help satisfy the requirements of ISO 27001.”

An organization might choose to pursue both certifications for a number of reasons, including:

  • Customer requirements
  • Increased security over their ISMS
  • Differentiating themselves in the marketplace

How does the MyCSF platform help with mapping security controls to ISO 27001 requirements?

An external assessor can conduct multiple audits at once, so the auditor can complete all the necessary tasks and data collection processes for both HITRUST and ISO 27001 audits at the same time. If an organization has already achieved a HITRUST certification, it’s easy to map the controls that are already in place to ISO 27001 requirements, especially when the assessment data already exists and is immediately available in the MyCSF portal.

This means the heavy lifting is already taken care of, and the organization only needs to exert minimal effort, saving time, resources, and money.

The Benefits of Leveraging HITRUST MyCSF For ISO 27001 Certification

“There is a lot of value in leveraging the MyCSF tool to help achieve an ISO 27001 certification, particularly by helping organizations avoid potential nonconformities,” said Ryan.

Since ISO 27001 auditors aren’t allowed to provide guidance on how to fix issues or mitigate gaps, a HITRUST CSF assessment can serve as a risk assessment ahead of the ISO 27001 audit. If your organization has HITRUST in place, your external assessor can help by providing expert guidance and feedback on how to close any identified gaps ahead of time. This can help avoid potential nonconformities during your ISO 27001 audit.

When all of the information and data needed for an ISO 27001 audit is readily available in the HITRUST MyCSF platform, the organization’s compliance team doesn’t need to go through redundant activities or conversations.

In addition to ISO 27001, a HITRUST certification can help satisfy the requirements of other assessments such as SOC 2, PCI DSS, FedRAMP, and more. With SOC 2, for example, the AICPA’s Trust Services Criteria align with the CSF criteria, which allows us to issue a SOC 2 plus HITRUST report in a collaborative reporting model.

“Leveraging HITRUST to achieve ISO 27001 certification is a game changer for organizations. This allows for an audit once, report many approach, which reduces the amount of resources organizations are required to delegate to achieving an ISO 27001 certification,” said Ryan. “I don’t see any reason why organizations that are going through or have already gone through HITRUST validation should not also go through the ISO 27001 certification process,” he concluded.

Interested in learning more about how to leverage HITRUST CSF for ISO 27001 certification? Contact us today.