The CSF is a risk-based framework. To understand why, one must understand the intent behind selecting and implementing any specified set of controls, whether it is a custom set developed from a traditional risk analysis or one tailored from a pre-defined control baseline that was itself developed from such a risk analysis (e.g., ISO/IEC 27001 or NIST SP 800-53, both of which HITRUST leverages in the CSF). Regardless of the method used, an organization must implement all of the selected controls to manage risk at the level its leadership has deemed acceptable. Because failing to fully implement any of the specified controls necessarily leaves excessive residual risk, the organization must take a compliance-oriented approach to implementing and maintaining the selected controls, which were of course selected on the basis of a risk analysis in the first place. In other words, risk-based control selection and compliance-oriented control implementation are complementary, not competing, approaches.
Source: HITRUST Alliance FAQ
Contact: Ali Pabrai at Pabrai@ecfirst.com for a complimentary 29-minute, tailored Webinar on HITRUST: Fast Track to Certification.
Date: December 4, 2018