
HITRUST CSF Checklist: 300+ Controls

Complete checklist covering all HITRUST CSF control objectives across 19 domains. Essential for healthcare organizations, health tech companies, and HIPAA-covered entities.

300+ controls | 19 domains | Healthcare standard

HITRUST CSF Control Categories

HITRUST organizes the CSF into 14 control categories (referenced 00 through 13) and scores validated assessments across 19 assessment domains; the framework harmonizes requirements drawn from HIPAA, NIST, ISO/IEC 27001/27002, and PCI DSS, among other sources. The numbering below is this checklist's own grouping of those categories and domains, so the IDs are not the official HITRUST control references and should not be used as such in an assessment.

01. Information Security Management Program

01.a: Management Direction for Information Security
01.b: Information Security Policy
01.c: Information Security Policy Review
01.d: Organization of Information Security
01.e: Management Commitment to Information Security
01.f: Information Security Coordination
01.g: Allocation of Information Security Responsibilities
01.h: Authorization Process for IT Facilities
01.i: Confidentiality Agreements
01.j: Contact with Special Interest Groups
01.k: Independent Review of Information Security

02. Access Control

02.a: Access Control Policy
02.b: User Registration
02.c: Privilege Management
02.d: User Password Management
02.e: Review of User Access Rights
02.f: Password Use
02.g: Unattended User Equipment
02.h: Clear Desk and Screen Policy
02.i: Policy on Use of Network Services
02.j: User Authentication for External Connections
02.k: Equipment Identification in Networks
02.l: Remote Diagnostic and Configuration Port Protection
02.m: Segregation in Networks
02.n: Network Connection Control
02.o: Network Routing Control

03. Human Resources Security

03.a: Roles and Responsibilities
03.b: Screening
03.c: Terms and Conditions of Employment
03.d: Management Responsibilities
03.e: Information Security Awareness, Education, and Training
03.f: Disciplinary Process
03.g: Termination Responsibilities
03.h: Return of Assets
03.i: Removal of Access Rights

04. Risk Management

04.a: Risk Management Program Development
04.b: Performing Risk Assessments
04.c: Risk Mitigation
04.d: Risk Evaluation
04.e: Selection and Implementation of Controls
04.f: Management Authorization of IT Facilities

05. Security Policy

05.a: Information Security Policy Document
05.b: Review of the Information Security Policy
05.c: Acceptable Use of Assets
05.d: User Responsibility for Managing Passwords
05.e: Unattended User Equipment Policy
05.f: Clear Desk and Screen Policy

06. Organization of Information Security

06.a: Information Security Roles and Responsibilities
06.b: Segregation of Duties
06.c: Contact with Authorities
06.d: Contact with Special Interest Groups
06.e: Project Management
06.f: Addressing Security in Vendor Agreements
06.g: Addressing Security when Dealing with Customers

07. Compliance

07.a: Identification of Applicable Legislation
07.b: Intellectual Property Rights
07.c: Protection of Organizational Records
07.d: Data Protection and Privacy
07.e: Prevention of Misuse of IT Facilities
07.f: Regulation of Cryptographic Controls
07.g: Compliance with Security Policies
07.h: Technical Compliance Checking
07.i: Information Systems Audit Controls
07.j: Protection of System Audit Tools

08. Physical & Environmental Security

08.a: Physical Security Perimeter
08.b: Physical Entry Controls
08.c: Securing Offices, Rooms and Facilities
08.d: Working in Secure Areas
08.e: Public Access and Delivery Areas
08.f: Equipment Siting and Protection
08.g: Supporting Utilities
08.h: Cabling Security
08.i: Equipment Maintenance
08.j: Security of Equipment Off-Premises
08.k: Secure Disposal or Re-use of Equipment
08.l: Removal of Property

09. Communications & Operations Management

09.a: Documented Operating Procedures
09.b: Change Management
09.c: Segregation of Duties
09.d: Separation of Development and Production
09.e: Service Delivery
09.f: Monitoring and Review of Third Party Services
09.g: Managing Changes to Third Party Services
09.h: Capacity Management
09.i: System Acceptance
09.j: Controls Against Malicious Code
09.k: Controls Against Mobile Code
09.l: Information Backup
09.m: Network Controls
09.n: Security of Network Services
09.o: Media Handling

10. Information Systems Acquisition, Development & Maintenance

10.a: Security Requirements Analysis and Specification
10.b: Input Data Validation
10.c: Control of Internal Processing
10.d: Message Authentication
10.e: Output Data Validation
10.f: Policy on the Use of Cryptographic Controls
10.g: Encryption
10.h: Digital Signatures
10.i: Security of System Files
10.j: Security in Development and Support Processes
10.k: Change Control Procedures
10.l: Technical Review of Operating System Changes
10.m: Restrictions on Changes to Software Packages
10.n: Covert Channels and Trojan Code
10.o: Outsourced Software Development

11. Information Security Incident Management

11.a: Reporting Information Security Events
11.b: Reporting Security Weaknesses
11.c: Responsibilities and Procedures
11.d: Learning from Information Security Incidents
11.e: Collection of Evidence
11.f: Incident Response Plan

12. Business Continuity Management

12.a: Including Information Security in BCM
12.b: Business Continuity and Risk Assessment
12.c: Developing and Implementing Continuity Plans
12.d: Business Continuity Planning Framework
12.e: Testing, Maintaining and Re-assessing BCP

13. Privacy Practices

13.a: Privacy Notice
13.b: Choice and Consent
13.c: Collection
13.d: Use, Retention and Disposal
13.e: Disclosure to Third Parties
13.f: Access and Correction
13.g: Monitoring and Enforcement
13.h: Privacy Training
13.i: Complaints Management

14. Third Party Assurance

14.a: Identification of Risks from Third Party Access
14.b: Third Party Service Delivery
14.c: Security Requirements in Third Party Contracts
14.d: Monitoring and Review of Third Party Services
14.e: Managing Changes to Third Party Services
14.f: Third Party Agreements

15. Mobile Device Security

15.a: Mobile Device Management Policy
15.b: Mobile Device Encryption
15.c: Mobile Device Password Protection
15.d: Mobile Device Remote Wipe
15.e: Mobile Device Security Awareness
15.f: Mobile Application Security

16. Threat Prevention & Response

16.a: Threat Intelligence Program
16.b: Vulnerability Management
16.c: Penetration Testing
16.d: Security Event Logging and Monitoring
16.e: Intrusion Detection and Prevention
16.f: Malware Protection

17. Network Protection

17.a: Network Segmentation
17.b: Firewall Configuration
17.c: Network Access Control
17.d: Secure Network Design
17.e: Wireless Network Security
17.f: VPN Configuration and Management

18. Password Management

18.a: Password Policy
18.b: Password Complexity Requirements
18.c: Password Storage and Transmission
18.d: Password Change Management
18.e: Multi-Factor Authentication
18.f: Privileged Account Management

19. Audit Logging & Monitoring

19.a: Audit Logging Policy
19.b: Protection of Log Information
19.c: Administrator and Operator Logs
19.d: Clock Synchronization
19.e: Fault Logging
19.f: Log Review and Analysis

HITRUST Assessment Requirements

Documentation and evidence needed for certification

Core Documentation

Information security policies and procedures
Risk assessment and risk management plan
Business continuity and disaster recovery plans
Incident response plan
Privacy policy and procedures
Vendor management program
Security awareness training materials
Network and system architecture diagrams

Technical Evidence

Vulnerability scan results
Penetration test reports
Security monitoring and SIEM logs
Access control lists and user permissions
Encryption implementation documentation
Backup and recovery test results
Change management records
Security incident logs and resolutions

How LowerPlane Automates HITRUST CSF


Healthcare Focus

Pre-built templates and policies designed specifically for healthcare organizations and health tech.


HIPAA Integration

Automatically map HIPAA controls to HITRUST requirements for dual compliance efficiency.


Evidence Collection

Connect EHR systems, cloud providers, and security tools for automated evidence gathering.

Download Your Free HITRUST Checklist

Get the complete 300+ control checklist as a printable PDF. Track your progress toward HITRUST CSF certification.

No email required for PDF download. Start tracking your compliance progress today.
