How to Leverage HITRUST CSF for ISO 27001 Certification

This blog post was originally published September 16, 2022 and has since been updated to reflect new content.

HITRUST and ISO 27001 are two of the most challenging yet widely sought-after information security certifications. When partnering with an external assessor like BARR Advisory, organizations can complete all the necessary tasks and data collection processes for both HITRUST and ISO 27001 audits at the same time. Through this process, the HITRUST MyCSF platform, a reliable tool used to assess information risk and meet privacy and security regulations, can give organizations an upper hand in achieving both.

We sat down with Attest Services Manager Steve Ryan to discuss how organizations can leverage HITRUST to achieve their ISO 27001 certification. Let’s dive into his thoughts on the process and benefits of achieving both.

The Difference Between HITRUST CSF and ISO 27001 and Why You Might Need Both

ISO 27001: ISO 27001 is an international standard that helps organizations establish, implement, and maintain an information security management system (ISMS). Obtaining certification to ISO 27001 is a valuable way to differentiate your organization as it demonstrates your compliance with industry standards and helps your organization manage the security of your services, data, intellectual property, or any information entrusted to you by a third party.

HITRUST CSF: HITRUST CSF was developed in collaboration with healthcare and information security professionals to provide a prescriptive framework to simplify security requirements. Any organization that handles protected health information (PHI) can demonstrate its commitment to managing risk and securing data with a HITRUST certification through three levels of assessments—the e1, i1, and r2.

An exciting aspect of HITRUST CSF is that it includes a set of prescriptive controls covering a number of industry standards, including ISO 27001. According to Ryan, “ISO 27001 is part of the foundation that HITRUST was built upon, which is why HITRUST CSF can help satisfy the requirements of ISO 27001.”

While the two standards can help you meet requirements on an individual basis, your organization might choose to pursue both certifications for a number of reasons, including:

Ensuring a high–level of trust with both national and international customers
Increasing security over your ISMS and PHI
Achieving compliance requirements with greater reliability
Differentiating yourself in the marketplace

Using the MyCSF Platform to Map Security Controls to ISO 27001 Requirements

If an organization is in the process of achieving, or has already attained a HITRUST certification, it’s easy to map the controls that are in place to ISO 27001 requirements, especially when the assessment data already exists and is immediately available in the MyCSF portal.

When all the information and data needed for an ISO 27001 audit are readily available in the HITRUST MyCSF platform, your organization doesn’t need to go through additional activities or conversations. Instead, the heavy lifting is already taken care of, and you’ll have achieved two of the highest-regarded standards through minimal effort.

BARR’s Proven Process

At BARR, we follow a unified, agile process to leveraging HITRUST CSF for an ISO 27001 certification. Once you’ve determined your organization’s unique security and compliance goals, BARR auditors will perform a HITRUST readiness assessment prior to validation and HITRUST certification. Since HITRUST maps to all ISO 27001 requirements, you can feel confident that your organization has the necessary ISO controls in place. You’ll only need to complete an ISO 27001 internal audit prior to your audit. Once your HITRUST readiness assessment and internal audit are finalized, BARR will complete the ISO and HITRUST audits in tandem through our auditors who are also Lead ISO Auditors.

Benefits of Leveraging HITRUST MyCSF for ISO 27001 Certification

“There’s a lot of value in leveraging the MyCSF tool to help achieve an ISO 27001 certification, particularly by helping organizations avoid potential nonconformities,” said Ryan.

Since ISO 27001 auditors aren’t allowed to provide guidance on how to fix issues or mitigate gaps, HITRUST CSF can serve as a risk assessment for the ISO 27001 audit. “If your organization already has HITRUST in place, your external assessor can help by providing expert guidance and feedback on how to close any identified gaps ahead of time. This can help avoid potential nonconformities during your ISO 27001 audit,” said Ryan.

In addition to ISO 27001, a HITRUST certification can help satisfy the requirements of other assessments like SOC 2, PCI DSS, FedRAMP, and more. With SOC 2, for example, the AICPA’s trust services criteria align with the CSF criteria, which allows us to issue a SOC 2 report plus HITRUST certification in a collaborative reporting model.

“Leveraging HITRUST to achieve ISO 27001 certification is a game changer for organizations. This allows for an ‘audit once, report many’ approach, which reduces the amount of resources organizations are required to delegate to achieve an ISO 27001 certification,” said Ryan.