
Common Security Framework (CSF)

Developed in collaboration with healthcare and information security professionals, the HITRUST Common Security Framework (CSF) is the most widely-adopted security framework in the U.S. healthcare industry. With the inclusion of federal and state regulations, standards and frameworks such as HIPAA, NIST, ISO and CobiT, the CSF is a comprehensive and flexible framework that remains sufficiently prescriptive in how control requirements can be scaled and tailored for healthcare organizations of varying types and sizes.

Key characteristics of the CSF:

  • Leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC and COBIT;
  • Scales according to type, size and complexity of an implementing organization;
  • Provides prescriptive requirements to ensure clarity;
  • Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds;
  • Allows for the adoption of alternate controls when necessary;
  • Evolves according to user input and changing conditions in the healthcare industry and regulatory environment.


Healthcare organizations face multiple challenges relating to information security:

  • Redundant and inconsistent requirements and standards;
  • Confusion surrounding implementation and acceptable minimum controls;
  • Inefficiencies associated with varying interpretations of control objectives and safeguards;
  • Increasing scrutiny from regulators, auditors, underwriters, customers and business partners;
  • Growing risk and liability, including data breaches, regulatory violations and extortion.

CSF framework

The CSF Control Framework contains 13 security control categories comprising 42 control objectives and 135 control specifications:

  • Information Security Management Program
  • Access Control
  • Human Resources Security
  • Risk Management
  • Security Policy
  • Organization of Information Security
  • Compliance
  • Asset Management
  • Physical and Environmental Security
  • Communications and Operations Management
  • Information Systems Acquisition, Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management

Standards and regulations mapping

The Standards and Regulations Mapping tool reconciles the HITRUST CSF with multiple common and accepted standards and regulations applicable to healthcare organizations:

  • ISO/IEC 27001:2005
  • ISO/IEC 27002:2005
  • ISO/IEC 27799:2008
  • COBIT 4.1
  • NIST SP 800-53 Revision 3
  • NIST SP 800-66
  • PCI DSS version 2.0
  • 16 CFR Part 681
  • FTC Red Flags Rule
  • HITECH Act
  • 21 CFR Part 11
  • 201 CMR 17.00 (State of Mass.)
  • NRS 603A (State of Nev.)
  • CSA Cloud Controls Matrix v1

QAP © 2010