HITRUST vs. ISO-27001 (or is it?)

    Categories: ISO 27001 Certification

The process of “realization” is an interesting one.

My first thoughts on HITRUST tended towards the negative; “Why do we need another ISO-27001 derivative information security framework?” “Why not just get ISO-27001 certified?” “Is this going to be another pay-to-play framework like PCI that is more focused on generating revenue than it is on securing data?”  The latter concern was “enforced” by the HITRUST Alliance’s initial policy of only making the CSF available to those willing to pony up a couple of grand.

ISO 27001 is manageable and not out of reach for anyone!
It’s a process made up of things you already know – and things you may already be doing.

Download our ISO 27001 Roadmap now!

Fast forward a year plus and things are looking significantly different to me.

  • ISO-27001 holds tremendous promise as a form of third party attestation IF it is used right.  That is, it is important that the recipient of a 27001 certificate validates that the ISMS scope, the risks the ISMS scope considers, and the acceptable risk criteria established  align with the services being  utilized, the risks specific to the recipient of the certificate, and acceptable risk criteria established by the recipient. When considered in this context, I have come to see the “prescriptive” elements of HITRUST as being a “pre-definition” of the logical scope, risks, and risk acceptance criteria that are common to healthcare organizations.  So in a sense, the recipient of a HITRUST certification already knows that the scope, risks considered, and risk acceptance criteria are likely well aligned with their expectations.
  • There are some really smart people aligning themselves with HITRUST and it appears to be reaching a critical mass.  Should it hit its “tipping-point” it will move from “should we” to “we need”.
  • HITRUST has comported itself in a manner more consistent with being a trustable entity (think ISO or OWASP) than a non-trustable entity (think PCI).
  • When you view HITRUST as ISO-27001 with a pre-defined scope, risk, and acceptable risk criteria the two “standards” don’t seem like an either/or proposition, rather they seem complementary in nature.  If I were a health care organization that would rather have an ISO-27001 certification – I would still choose to leverage the HITRUST CSF to simplify the process and benefit from the standards (e.g., HITECH, NIST, PCI) cross-mapping and the controls implementation guidance it provides.

So if you’re in the healthcare space and you are asking yourself which Information Security framework you should align yourself with … I would argue that there is no reason to make that decision.  By aligning yourself with HITRUST you are simultaneously aligning yourself with ISO-27001 at the same time. Hence, I think that we will soon start seeing healthcare entities with both certifications.

John Verry :