The HITRUST assessment methodology specifically requires Authorized External Assessor Organizations to:
- Gather and examine documentation (e.g., policies, procedures, records, logs, vulnerability assessment reports, risk assessment reports)
- Examine configuration settings, physical surroundings, processes and other observable information protection practices
- Conduct interviews with the control owners
- Perform system tests to validate the implementation of controls, as applicable

Technical testing by the external assessor is encouraged but not always necessary. Reliance on third-party audit reports or testing performed by authorized third parties is permissible in certain cases as well.