Creating the mappings between a product or service and the HITRUST CSF takes time and is unfamiliar to many providers. To that end, here are some tips to consider when planning your mapping effort:

  1. Strive for accuracy, not completeness: Given how large the HITRUST CSF is (over 2,800 requirement statements) and how large an offering can be (e.g., some software packages have hundreds of features), attempting to map every applicable HITRUST CSF requirement statement to every applicable aspect of the offering could easily take more time than is reasonable for onboarding an offering into an online directory. Instead, identify and map to a smaller subset of the HITRUST CSF that is (a) very clearly supported by the offering and (b) present in a higher number of HITRUST CSF assessments.
  2. Take advantage of the available tools: Several tools exist in PSD to ease the mapping burden, including the Excel bulk mapping template and AI-assisted mapping. They can all be used in support of mapping a single offering (i.e., you can use the bulk mapping template AND the AI-assisted mapping if desired).
  3. Start with simple keyword searches: The easiest way to start mapping is to search the HITRUST CSF requirement statements using keywords. For example, a risk assessment offering may want to search the requirement statements for terms like “risk analysis,” “risk evaluation,” and “risk assessment.”
  4. Filter against the HITRUST CSF bucketing: You are mapping against HITRUST CSF requirement statements, which (as a field) sit a few hierarchical elements deep in the structure of the HITRUST CSF. This is a good thing for mapping purposes, as the parent levels can be filtered against to identify the requirement statements most applicable to the offering. Each hierarchical element is included as a column in the “Mappings” worksheet of the Excel mapping template. The most useful ones to filter against during mapping efforts are as follows:
     • Assessment domain. There are 19 assessment domains in total. For example, an offering focused on endpoint protection is likely to map only to requirement statements in the “02 Endpoint Protection” domain.
     • Control objective. There are approximately 50 control objectives. For example, a firewall offering may map only to requirement statements within the “01.04 Network Access Control” control objective.
     • Control reference. There are approximately 160 control references. For example, an offsite media storage and disposal offering may best map to requirement statements in the “09.p Disposal of Media” and “09.u Protection of Media in Transit” control references.
  5. Focus on the more commonly assessed HITRUST CSF requirement statements: Certain requirement statements in the HITRUST CSF appear in HITRUST assessments much more often than others. To identify them, filter against the following data points when performing your mappings:
     • Is e1? and Is i1?: The 44 requirement statements present in HITRUST’s essentials, 1-year (e1) assessment appear in every HITRUST assessment performed using v11.0 of the HITRUST CSF and later. The 182 requirement statements present in HITRUST’s implemented, 1-year (i1) assessment appear in every HITRUST i1 assessment and every risk-based, 2-year (r2) assessment. Mapping to any of these requirement statements increases the visibility of the offering more than mapping to requirement statements excluded from these assessments.
     • v9 r2 frequency and v11 r2 frequency: These fields show the percentage of HITRUST risk-based, 2-year (r2) assessments that included the requirement statement, across the entire population of r2 assessments ever completed in MyCSF (HITRUST’s assessment platform). The v9 r2 frequency covers assessments completed against version 9 of the HITRUST CSF, and the v11 r2 frequency covers assessments completed against version 11. Both data points are meaningful, as many assessments are still being performed against version 9.
  6. Time-box the mapping effort: It is not uncommon for providers to allocate as little as 1 hour per offering for the creation of PSD mappings. You can always come back later and add more.
  7. Even a few mappings are better than none: Remember that having only a few mappings published for an offering is better than having none.
  8. Let HITRUST help: We want you to have a wonderful experience as a PSD provider, and we are here to help. It is not uncommon for us to spend a few hours on the phone with a provider to help with mappings, as we understand that not everyone is familiar with the HITRUST CSF or with control mappings as a concept.
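
The keyword search, bucketing filter and frequency prioritization described above, combined into one pass, as an added example that is not HITRUST’s own tooling and not part of the original page. It runs over an in-memory table shaped like the “Mappings” worksheet of the Excel mapping template, using the column names the page mentions (“Assessment domain”, “Control objective”, “Control reference”, “Is e1?”, “Is i1?”, “v9 r2 frequency”, “v11 r2 frequency”). The “Row” and “Requirement statement” column names, the Yes/No format of the flag cells, the frequencies expressed as fractions of 1, and every sample row are assumptions constructed for the example; the row text does not reproduce real HITRUST CSF requirement statements.

```python
"""Rank candidate HITRUST CSF requirement statements for a PSD mapping.

Added example, not HITRUST tooling. Column names other than those the page
names, the flag/frequency formats and all sample rows are assumptions.
"""
import re

# Constructed sample rows shaped like the "Mappings" worksheet. Domain,
# objective and reference values are placeholders except those the page
# itself cites ("02 Endpoint Protection"). Flags and frequencies are made up.
SAMPLE_ROWS = [
    {"Row": 1, "Assessment domain": "Risk Management (constructed)",
     "Control objective": "Risk assessment (constructed)",
     "Control reference": "Constructed ref A",
     "Requirement statement": "The organization performs and documents a risk assessment at least annually (constructed).",
     "Is e1?": "Yes", "Is i1?": "Yes", "v9 r2 frequency": 0.97, "v11 r2 frequency": 0.99},
    {"Row": 2, "Assessment domain": "Risk Management (constructed)",
     "Control objective": "Risk assessment (constructed)",
     "Control reference": "Constructed ref A",
     "Requirement statement": "Risk analysis results are reviewed and approved by management (constructed).",
     "Is e1?": "No", "Is i1?": "Yes", "v9 r2 frequency": 0.71, "v11 r2 frequency": 0.80},
    {"Row": 3, "Assessment domain": "Risk Management (constructed)",
     "Control objective": "Risk assessment (constructed)",
     "Control reference": "Constructed ref B",
     "Requirement statement": "A formal risk evaluation precedes the acquisition of new systems (constructed).",
     "Is e1?": "No", "Is i1?": "No", "v9 r2 frequency": 0.34, "v11 r2 frequency": 0.22},
    {"Row": 4, "Assessment domain": "02 Endpoint Protection",
     "Control objective": "Malware protection (constructed)",
     "Control reference": "Constructed ref C",
     "Requirement statement": "Anti-malware software is deployed on all endpoints (constructed).",
     "Is e1?": "Yes", "Is i1?": "Yes", "v9 r2 frequency": 0.95, "v11 r2 frequency": 0.98},
    {"Row": 5, "Assessment domain": "Risk Management (constructed)",
     "Control objective": "Risk assessment (constructed)",
     "Control reference": "Constructed ref B",
     "Requirement statement": "Risk assessment results drive the remediation plan (constructed).",
     "Is e1?": "No", "Is i1?": "No", "v9 r2 frequency": 0.12, "v11 r2 frequency": 0.05},
]


def _is_yes(value):
    """Interpret a spreadsheet flag cell ("Yes"/"No", True/False, 1/0)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"yes", "y", "true", "1"}


def _matches(text, keyword):
    """Whole-phrase, case-insensitive match so 'risk' alone does not hit 'brisk'."""
    return re.search(r"\b" + re.escape(keyword) + r"\b", text, re.IGNORECASE) is not None


def rank_candidates(rows, keywords, domain=None, control_objective=None,
                    control_reference=None, min_r2_frequency=0.0, limit=None):
    """Return keyword-matching rows, best mapping candidates first.

    Ordering: e1 statements (in every v11+ assessment), then i1 statements
    (in every i1 and r2 assessment), then the rest by their highest r2
    frequency. Rows outside e1/i1 below min_r2_frequency are dropped; limit
    caps the result so a time-boxed effort maps the most visible rows first.
    """
    ranked = []
    for row in rows:
        # Narrow by the bucketing columns before reading statement text.
        if domain and row["Assessment domain"] != domain:
            continue
        if control_objective and row["Control objective"] != control_objective:
            continue
        if control_reference and row["Control reference"] != control_reference:
            continue
        # Keyword search over the requirement statement text.
        hits = [k for k in keywords if _matches(row["Requirement statement"], k)]
        if not hits:
            continue
        # Prioritize by assessment coverage: e1 first, then i1, then r2 frequency.
        tier = 0 if _is_yes(row["Is e1?"]) else 1 if _is_yes(row["Is i1?"]) else 2
        frequency = max(float(row["v9 r2 frequency"]), float(row["v11 r2 frequency"]))
        if tier == 2 and frequency < min_r2_frequency:
            continue
        ranked.append({"row": row["Row"], "tier": tier,
                       "frequency": frequency, "hits": hits})
    ranked.sort(key=lambda r: (r["tier"], -r["frequency"], -len(r["hits"])))
    return ranked[:limit] if limit else ranked


if __name__ == "__main__":
    for r in rank_candidates(SAMPLE_ROWS,
                             ["risk assessment", "risk analysis", "risk evaluation"],
                             min_r2_frequency=0.2):
        print(r)
```

To run this against the real template, load the worksheet rows with a spreadsheet library (for example `pandas.read_excel(path, sheet_name="Mappings").to_dict("records")`) and check the actual column headers and cell formats of your copy of the template before trusting the flag and frequency handling, since those formats are assumed here.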
