Compliance Glossary

HITRUST and ISO 27001 are two of the most challenging yet highly sought-after information security certifications, especially for companies in the healthcare industry or those looking to partner with healthcare organizations. 

Often, meeting just one of these standards isn’t enough to satisfy all contractual requirements. That’s where mapping security controls between HITRUST and ISO 27001 comes into play, ensuring compliance across both frameworks.

Here’s a quick look at how the mapping works between these two standards:

• HITRUST Category 0.9: Many of the controls in this category align with several ISO 27001 Annexes, including A.8 (Asset Management), A.10 (Cryptography), A.12 (Operations Security), A.13 (Communications Security), and A.14 (System Acquisition, Development, and Maintenance). This covers a broad range of ISO standards for the largest HITRUST category.
• HITRUST Category 0.1: Most controls here map directly to ISO 27001 Annex A.9, which focuses on Access Control. Other controls also align with Annexes A.6 (Organization of Information Security), A.7 (Human Resource Security), and A.8 (Asset Management).
• HITRUST Category 0.13: This category has very few controls corresponding with specific ISO 27001 controls or Annexes, making mapping for it largely unnecessary.

Also, since ISO 27001 auditors can’t offer guidance on how to fix issues or address gaps, the HITRUST CSF can be a valuable tool for preparing for an ISO 27001 audit.