The HITRUST assessment methodology specifically requires:

  • Authorized External Assessor Organizations to gather and examine documentation (e.g., policies, procedures, records, logs, vulnerability assessment reports, risk assessment reports)
  • Examine configuration settings, physical surroundings, processes and other observable information protection practices
  • Conduct interviews with the control owners
  • Perform system tests to validate the implementation of controls, as applicable

Technical testing by the external assessor is encouraged but not always necessary. Reliance on third-party audit reports or testing performed by authorized third-parties is permissible in certain cases as well.

For more information, refer to the External Assessor Datasheet and the External Assessor Requirements brochure.

Feedback

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment