skip to Main Content

Power of the Portfolio

By Robert Booker, Chief Strategy Officer, HITRUST

HITRUST Focus on Continuous Improvement

HITRUST has been dedicated to measuring and improving security maturity with accuracy, consistency, and integrity for over 15 years. We have done this by working closely with thousands of companies, their partners, regulators and trading partners, and security assessors. Cybersecurity threats and risks to technology systems are ongoing and ever-evolving, and Version 11 of the HITRUST CSF (HITRUST CSF v11) continues our shared commitment to the security journey we all travel together.

Security is an Ecosystem

The HITRUST CSF v11 builds on our experience working with entities with diverse risks and requirements. Input from security leaders from organizations of all sizes, plus our vast research, confirms that the need to assess, measure, and communicate security maturity is as important for companies with lower risks as it is for the largest, most complex companies, and those serving the most heavily regulated organizations.

Companies and their systems are integrated in new, exciting, and creative ways to form a living ecosystem. Such integration increases both the complexity of security assurance, and opportunities to leverage, or inherit, security controls from others. Companies may rely on their cloud service providers for key security features. They may use application software that provides valuable features and insights. Perhaps they manage diverse infrastructures that come from multiple acquisitions. Regardless, security requirements exist in an ecosystem where maturity can increase with capabilities and synergies and where shared vulnerabilities can weaken the ecosystem.

Metrics Lead to Maturity

Our work with companies at all stages of their security journeys has made it clear that they need the ability to start where they are, at the appropriate level for their current state. They can increase the level of security assurance delivered and measured by their program as their experience, risk maturity, and maturity of their security programs increase. This is why we continuously improve and expand our assessment portfolio. The introduction of HITRUST CSF v11 provides a critical foundation that companies can build upon and increase the level of security assurance based on their evolving business. CSF v11 provides portability with increasing maturity to ensure that the most relevant controls remain in place while the organization grows in security coverage and requirements. Where a company’s security and compliance team uses a consistent framework, their important and scarce internal experts grow in experience and ability to communicate the company’s security system design, operation, and documented maturity in a consistent and reliable manner.

Imagine a situation in which a company merges with another, expands, or restructures its technology operations. During the acquisition due diligence and following any major change, the security maturity of the related organizations is a major consideration. The system created through planned integration is critical. A common framework such as CSF v11 will allow for a rapid initial assessment of the foundational cybersecurity elements of the new entities, as well as allow for a longer-term and more comprehensive assessment of the entity’s security maturity over time. And, the use of a common framework provides consistency for security and compliance experts that all involved organizations can use to clearly educate each other about expectations and control requirements.

Growth of Maturity Through Traversability

An important design consideration of CSF v11 is the ability for a company to grow its security program and reuse past work to achieve higher levels of security assurance. This is accomplished by reusing the controls assessed in prior HITRUST assessments as the foundation for higher levels of assessment. Over time, a company can progressively traverse across the assessment portfolio to achieve higher levels of assurance using common control requirements. These include controls they may inherit from other organizations, like cloud service providers. Our conversations with security leaders across multiple industries have resulted in a portfolio of three security assurance levels focused on the needs of companies at different stages in their journey, progressing as they invest in and mature their security programs:

  • Essential Hygiene (e1) for lower-risk organizations, validating the most critical cybersecurity controls.
  • Leading Security Practices (i1) for organizations with robust information security programs, ready to demonstrate controls that protect against current and emerging threats. Leading Security Practices certification can build on essential cybersecurity controls as organizations progress in their security journey with reduced complexity and increased efficiency.
  • Expanded ability for organizations to demonstrate regulatory compliance and risk management (r2) against authoritative sources such as HIPAA and the NIST Cybersecurity Framework. This also supports expanded tailoring of controls based upon identified risk factors.

The goal is consistency as companies expand their risk management and compliance requirements with minimal rework of their security program.

Consistency Through Common Assurance

Security delivery and maturity do not begin or end with the control framework or a comprehensive set of security assurance levels. Instead, the value of a security assurance program is directly tied to the quality of the underlying assurance system, which includes how the security requirements are selected, documented, assessed, and ultimately measured. HITRUST provides four critical success factors, inherent to the portfolio, that, together, provide the highest level of Rely-ability™ available today.

Transparency requires a publicly available and widely adopted control framework with control selection, evaluation, and scoring all clearly understood. Consistency of results is assured when different assessors reach consistent outcomes and when reports can be compared. Accuracy of assurance occurs when the granularity of requirements is repeatable and when scoring is formula-based and quantifiable. And, lastly, Integrity of the approach to assurance is delivered when all validated assessments from all assessors receive a consistent quality inspection to insure objectivity and consistency of approach.


The continuing evolution of the HITRUST CSF provides a vital foundation for companies of all security levels and across their entire technology ecosystem. The ability to measure maturity using demonstrated metrics and traverse an assurance portfolio as requirements evolve, and to communicate requirements clearly, are all critical success factors in security assurance. Rely-able™ assurance is foundational to ultimately measuring and demonstrating that the program is delivering the security value required and expected.