← Frameworks / Health Security

HITRUST Common Security Framework v11

Comprehensive security framework widely adopted in healthcare, integrating requirements from HIPAA, NIST 800-53, ISO 27001, PCI DSS, and other standards. 14 control categories covering information security management, access control, human resources security, risk management, security policy, organisation of information security, compliance, asset management, physical and environmental security, communications and operations management, information systems development, incident management, business continuity, and privacy practices. Supports three assessment types: e1 (essential), i1 (implemented), and r2 (risk-based validated).

Clauses: 47

Avg Coverage: 86.0%

Publisher: HITRUST Alliance Version: v11.3 (2024)

HITRUST CSF v11 → SP 800-53 SP 800-53 → HITRUST CSF v11 Coverage Analysis

Clause	Title	SP 800-53 Controls
00.a	Information Security Management Program — ISMS Establishment and Governance	PM-01 PM-02 PM-03 PM-05 PM-06 PM-07 PM-09 PM-10 PM-11 PL-01 PL-02 PL-04 PL-10 PL-11
00.b	Information Security Management Program — Risk Management Framework	RA-01 RA-02 RA-03 RA-07 RA-09 PM-09 PM-28 CA-02 CA-05 CA-07
00.c	Information Security Management Program — Programme Maintenance and Continuous Improvement	CA-07 PM-06 PM-14 PL-02 PM-01 PM-05
01.a	Access Control — Access Control Policy and User Registration	AC-01 AC-02 AC-03 AC-05 AC-06 IA-01 IA-02 IA-04 IA-05 PS-06
01.b	Access Control — Network Access Control	AC-04 AC-17 AC-18 AC-19 AC-20 SC-07 SC-08 SC-10 SC-23
01.c	Access Control — Operating System and Application Access Control	AC-03 AC-07 AC-08 AC-09 AC-10 AC-11 AC-12 IA-02 IA-05 IA-06 IA-11 SC-13
01.d	Access Control — Mobile Computing and Teleworking	AC-17 AC-19 AC-20 PE-17 SC-07 SC-28 MP-07
02.a	Human Resources Security — Prior to Employment	PS-01 PS-02 PS-03 PS-06 PL-04
02.b	Human Resources Security — During Employment	AT-01 AT-02 AT-03 AT-04 AT-06 PM-13 PM-14 PS-06 PS-07 PS-08 PL-04
02.c	Human Resources Security — Termination and Change of Employment	PS-04 PS-05 AC-02 IA-04 PE-02
03.a	Risk Management — Risk Assessment Methodology and Execution	RA-01 RA-02 RA-03 RA-05 RA-07 RA-09 PM-09 PM-28
03.b	Risk Management — Risk Treatment and Monitoring	RA-07 CA-05 CA-07 PM-04 PM-09 PM-10 PL-02
04.a	Security Policy — Information Security Policy Document and Review	PL-01 PL-02 PL-04 PM-01 PM-02 PM-03 AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PS-01 RA-01 SA-01 SC-01 SI-01 SR-01 PT-01
04.b	Security Policy — Policy Review, Exception Management, and Compliance Monitoring	CA-02 CA-07 PM-05 PM-06 PM-14 PL-02
05.a	Organisation of Information Security — Internal Organisation and Security Roles	PM-01 PM-02 PM-10 PM-24 PL-01 PL-09 PS-07
05.b	Organisation of Information Security — External Parties and Third-Party Risk	SA-04 SA-09 SR-04 PS-07 CA-03 SR-01 SR-02 SR-03 SR-05 SR-06
05.c	Organisation of Information Security — Mobile Devices and Remote Working Policy	AC-17 AC-19 AC-20 PE-17 CM-08 SC-07
06.a	Compliance — Legal and Regulatory Requirements Identification	PM-08 PM-11 SA-04 PT-01 PT-02 PT-03 PL-02
06.b	Compliance — Intellectual Property, Records Management, and Data Protection	SI-12 AU-11 MP-06 PM-25 PM-26 PT-01 PT-02 PT-04 PT-05
06.c	Compliance — Security Reviews, Audits, and Technical Compliance	CA-01 CA-02 CA-05 CA-07 CA-08 RA-05 PM-06 PM-14
07.a	Asset Management — Asset Inventory and Ownership	CM-08 CM-09 CM-12 CM-13 PM-05 RA-02 RA-09
07.b	Asset Management — Information Classification and Handling	RA-02 AC-16 MP-02 MP-03 MP-04 MP-05 SC-16
08.a	Physical and Environmental Security — Secure Areas and Facility Access	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-07 PE-08 PE-18
08.b	Physical and Environmental Security — Equipment Security and Protection	PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-16 PE-20 MA-02 MA-06
09.a	Communications and Operations Management — Operational Procedures and Responsibilities	CM-01 CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 SA-10
09.b	Communications and Operations Management — Capacity Management and System Acceptance	SA-03 SA-04 SA-08 SA-11 PE-11 PE-14 CP-02
09.c	Communications and Operations Management — Malware Protection and Technical Vulnerability Management	SI-02 SI-03 SI-04 SI-05 SI-07 SI-08 RA-05 RA-10 SC-44
09.d	Communications and Operations Management — Backup and Recovery	CP-01 CP-02 CP-06 CP-09 CP-10 MP-04
09.e	Communications and Operations Management — Network Security Management	SC-01 SC-05 SC-07 SC-08 SC-20 SC-21 SC-22 AC-04 SI-04
09.f	Communications and Operations Management — Media Handling and Information Exchange	MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-07 MP-08 SC-08 SC-28 PE-16
09.g	Communications and Operations Management — Monitoring, Logging, and Audit	AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-11 AU-12 AU-14 SI-04
10.a	Information Systems Acquisition, Development, and Maintenance — Security Requirements Analysis	SA-01 SA-02 SA-03 SA-04 SA-08 PL-07 PL-08
10.b	Information Systems Acquisition, Development, and Maintenance — Correct Processing and Input/Output Validation	SI-10 SI-11 SI-15 SA-11 SA-15 SA-17
10.c	Information Systems Acquisition, Development, and Maintenance — Cryptographic Controls	SC-12 SC-13 SC-17 SC-08 SC-28 IA-07
10.d	Information Systems Acquisition, Development, and Maintenance — Security in Development and Support Processes	SA-03 SA-08 SA-10 SA-11 SA-15 SA-16 SA-17 CM-03 CM-04 SI-06
10.e	Information Systems Acquisition, Development, and Maintenance — Technical Vulnerability Management	RA-05 RA-10 SI-02 SI-05 CM-08
11.a	Information Security Incident Management — Incident Reporting and Response	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 SI-04 SI-05
11.b	Information Security Incident Management — Incident Management and Improvement	IR-04 IR-05 IR-06 IR-09 AU-06 CA-07 PM-04
11.c	Information Security Incident Management — Evidence Collection and Forensic Readiness	AU-09 AU-11 AU-14 IR-04 SI-04 SI-07
12.a	Business Continuity Management — BCM Framework and Business Impact Analysis	CP-01 CP-02 PM-08 PM-09 PM-11 RA-09
12.b	Business Continuity Management — Business Continuity Plans and Implementation	CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10
12.c	Business Continuity Management — Testing, Maintenance, and Reassessment	CP-03 CP-04 CA-02 CA-07 PM-14
13.a	Privacy Practices — Privacy Programme Establishment and Governance	PT-01 PT-02 PT-03 PM-01 PM-02 PM-18 PM-19 PM-20 PL-01
13.b	Privacy Practices — Notice, Consent, and Choice	PT-04 PT-05 PM-20 PM-21 PM-22
13.c	Privacy Practices — Collection Limitation, Use, Disclosure, and Retention	PM-25 PM-26 SI-12 PT-02 PT-03 PT-06 PT-07 AC-06
13.d	Privacy Practices — Individual Access, Amendment, and Complaints	PM-21 PM-22 PM-26 PT-05 PT-06
13.e	Privacy Practices — Health-Specific Privacy Requirements (PHI/ePHI)	PT-01 PT-02 PT-04 PM-25 AC-03 AC-06 SC-28