The HITRUST assessment methodology specifically requires assessors to:

  • Gather and examine documentation (e.g., policies, procedures, records, logs, vulnerability assessment reports, risk assessment reports)
  • Examine configuration settings, physical surroundings, processes, and other observable information protection practices
  • Conduct interviews with business unit stakeholders, where applicable
  • Perform system tests to validate the implementation of controls, as applicable

Technical testing by the assessor is encouraged but not always necessary. If the assessor does not perform it, the assessor must instead review internal and third-party technical testing (e.g., vulnerability scanning and penetration testing) for the related controls to receive any credit for implementation.

For more information, refer to the CSF Assessor Datasheet and the CSF Assessor Requirements Brochure.
