The HITRUST assessment methodology specifically requires assessors to:
- Gather and examine documentation (e.g., policies, procedures, records, logs, vulnerability assessment reports, risk assessment reports)
- Examine configuration settings, physical surroundings, processes and other observable information protection practices
- Conduct interviews with the business unit stakeholders, where applicable
- Perform system tests to validate the implementation of controls, as applicable
Technical testing by the assessor is encouraged but not always necessary. If it is not performed, a review of internal and third-party technical testing (e.g., vulnerability scanning and penetration testing) is required if the related controls are to receive any credit for implementation.
For more information, refer to the CSF Assessor Datasheet and the CSF Assessor Requirements Brochure.