
HITRUST CSF certification provides a comprehensive, prescriptive security framework recognized across healthcare and beyond. This checklist guides you through selecting your assessment type, implementing controls, and achieving certification through the MyCSF platform.
HITRUST CSF (Common Security Framework) is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management.
The framework was created to address the multitude of security, privacy, and regulatory challenges facing organizations, particularly those in the healthcare industry.
HITRUST CSF harmonizes multiple standards and regulations, including HIPAA, NIST, ISO, PCI, GDPR, and others, into a single overarching framework.
Assessment Types
Certification
Control Domains
Click each step to expand the details. Work through them in order — each step builds on the previous one.
Select the right HITRUST assessment for your organization
HITRUST offers three assessment types with increasing levels of rigor: e1 (Essentials), i1 (Implemented), and r2 (Risk-based). Your choice depends on your risk profile, customer requirements, and the level of assurance you need to provide. The r2 assessment is the gold standard and most widely accepted.
Determine which controls apply to your organization
The HITRUST CSF uses organizational, system, and regulatory risk factors to determine which controls apply. Your control requirements are tailored based on factors like organization size, data types handled, regulatory obligations, and system architecture.
Evaluate your current state against HITRUST requirements
Before investing in the validated assessment, conduct a readiness assessment to identify gaps in your control environment. This pre-assessment evaluates your current practices against the HITRUST CSF requirements and produces a remediation roadmap.
Close gaps and achieve target maturity levels
Implement the security controls identified during your readiness assessment. HITRUST requires demonstrating maturity across five levels: policy exists, procedures are documented, controls are implemented, effectiveness is measured, and the program is managed. Most controls require at least Level 3 (implemented) for certification.
Document the governance framework supporting your controls
HITRUST requires formal, documented policies and procedures for every control domain. The maturity model requires that policies exist (Level 1) and procedures are documented (Level 2) before a control can be scored as implemented (Level 3). Comprehensive documentation is essential for certification.
Select and onboard your HITRUST-approved assessor
HITRUST validated assessments must be conducted by an approved External Assessor organization. Select an assessor with experience in your industry and assessment type, and establish the engagement timeline and logistics.
Submit your assessment through the HITRUST platform
HITRUST uses the MyCSF platform for all assessment activities. Your organization and the External Assessor both work within MyCSF to document control maturity, upload evidence, and submit the assessment for HITRUST quality assurance review.
Receive your HITRUST certification and maintain it
After HITRUST completes its quality assurance review, you receive your certification letter and can list your organization in the HITRUST Assessor Marketplace. Maintain certification by addressing any corrective action plans and completing interim assessments on schedule.
Feeling overwhelmed? You don't have to do this alone.
Transparent cost ranges so you can plan and budget. Costs vary based on organization size, current security posture, and environment complexity.
Including preparation, tooling, and assessment fees
Depending on current maturity and scope
Independent verification of your compliance
Compliance management and evidence collection tools
SIEM, EDR, vulnerability scanning, encryption tools
Hundreds of hours across IT, security, and leadership
Annual reviews, continuous monitoring, recertification
The cost of non-compliance far exceeds the investment in getting certified. Consider what's at stake:
The question isn't whether you can afford compliance — it's whether you can afford not to have it.

Illumen specializes in helping organizations achieve HITRUST compliance — from initial assessment through certification. We meet you wherever you are in the journey.
Know exactly where you stand against requirements
Close gaps with expert guidance and support
Policies, procedures, and evidence packages
Common questions about HITRUST compliance and certification.