ISO 27001 and HITRUST for Healthcare Organizations

Monday, January 23, 2012

John Verry


In a recent discussion, I was asked my opinion of HITRUST Certification and ISO 27001 Certification, and more specifically the differences between them. Below you will find the questions asked and my answers to each.

ISO 27001 Certification focuses on the ISMS. What about HITRUST?

ISO 27001 does focus on the ISMS, but more specifically on a risk assessment and risk management driven ISMS that leverages the ISO 27002 control set to mitigate the identified risks to an acceptable level.

HITRUST is focused on providing a prescriptive set of controls that are mapped and cross-referenced to the standards and regulations relevant to healthcare. The idea is to simplify the process of becoming largely compliant with the relevant laws and regulations while mitigating most of the risks a typical hospital faces to an acceptable level.

Another view is that HITRUST is a set of predefined controls for an assumed set of risks and compliance requirements, with an IT GRC-like mapping between the controls and the requirements they satisfy.

How much effort would be required for an ISO 27001 certified company to become HITRUST certified?

If a company was ISO 27001 certified and scoped the certificate to the same information and processes that HITRUST covers, then I think the organization would need to expend only a small amount of effort. HITRUST simplifies this process by cross-mapping the ISO 27002 controls to its own control set.

Although HITRUST assumes a set of risks, it also includes a Statement of Applicability (SOA), like ISO 27001. So I think there would be little chance that the ISO 27001 driven ISMS would not fully match the HITRUST defined ISMS.

How much effort would be required for a HITRUST certified company to become ISO 27001 certified?

If an organization was HITRUST certified using levels of HITRUST applicability equivalent to what the ISO 27001 applicability would be, I think the organization would need to expend only a small amount of additional effort.

Which would you do first?

As the primary driver for both ISO 27001 and HITRUST is often attestation, a company should decide which is more important to it at that point in time.

Assuming neither has a greater sense of urgency, I think ISO 27001 has the advantage of broader acceptance and better addresses potential risks that are not specific to HITRUST.

ISO 27001 would likely take a little longer on the front end, but adding HITRUST afterwards would probably be faster on the back end. I think HITRUST has the advantage of being a bit "simpler", as the risks and risk treatments are largely predefined.

HITRUST would be a little faster on the front end, but adding ISO 27001 on the back end would probably be slower, as some of the artifacts ISO 27001 requires may not have been fully developed for HITRUST.

I also blogged about HITRUST in an article called HITRUST vs. ISO-27001 (or is it?), and I think these three points say the same thing in a slightly different way.

Cross-posted from the Pivot Point Security blog

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.