The simple answer is that there is no relationship between the HITRUST CSF control categories and the assessment domains. The HITRUST CSF control categories were derived from ISO and provide the structure for the framework. The assessment domains take the control requirements and group them into logical domains based on common IT organizational structure. This is done to make performing an assessment more efficient, as controls should be fairly well grouped around typical IT departments.
Source: HITRUST Alliance FAQ
Contact: Ali Pabrai at Pabrai@ecfirst.com for a complimentary 29-minute, tailored Webinar on HITRUST: Fast Track to Certification.
Date: December 4, 2018