Glossary of Compliance

Compliance Glossary

Our list of curated compliance glossary offers everything you to know about compliance in one place.

Glossary » HiTRUST » HITRUST CSF Control Categories

HITRUST CSF Control Categories

HITRUST CSF Control Categories are a bit complex, with over 150 individual controls in total. The exact number of controls your company needs to focus on can vary depending on how you define “control” and your specific compliance needs.

HITRUST organizes its framework into 14 distinct Control Categories, each labeled with a unique identifier from 0.0 to 0.13. These are further organized into 49 objectives and then detailed through 156 references. However, the actual controls your company needs to implement depend on the specifications that apply to your business and other compliance requirements.

The various tiers can get complicated, but the key is to focus on the controls relevant to your organization’s security and compliance needs. Here is the list of controls for your reference.

Control NameControl ObjectivesControl Specifications
Information Security Management Program11
Access Control725
Human Resources Security49
Risk Management14
Security Policy12
Organization of Information Security211
Compliance310
Asset Management25
Physical and Environmental Security213
Communications and Operations Management1032
Information Systems Acquisition, Development, and Maintenance613
Information Security Incident Management25
Business Continuity Management15
Privacy Practices721

Additional reading

Proving AI Trust: How Leading Organizations Are Getting It Right

Few technologies have moved from the fringe to the fundamental as quickly as AI. The speed has been relentless. Today, AI is embedded in your stack, your workflows, your vendors, and the tools your employees rely on every day, processing the very data your organization is responsible for protecting. AI adoption across industry lines has…

Cybersecurity Gap Assessment for Risk and Resilience

TL,DR: A cybersecurity gap assessment uncovers vulnerabilities by evaluating the disconnect between where an organization’s security framework should be and where it actually stands, following 7 structured steps from scoping through monitoring Common gaps uncovered include misconfigured controls, overlooked endpoints, unpatched systems, inadequate access management, missing incident response procedures, and insufficient employee security training across…

SOC 2 Auditors and Service Providers [How to Choose One]

Every business looking to get SOC 2 (Service Organization Control) compliant must work with a credible SOC 2 auditor—either a licensed CPA or an American Institute of Certified Public Accountants (AICPA) accredited third-party firm. Auditors must be independent, with no connection to your organization, to ensure unbiased reporting. When selecting the best SOC 2 auditor,…

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.