The third maturity level, Implemented, reviews the implementation of the policies and procedures to ensure the control has been correctly applied to all the organizational units and systems within scope of the assessment.

9.3.1 Testing must be performed at the Implemented maturity level for all evaluative elements in a requirement statement to determine whether they have been implemented in a consistent manner and controls are operating as intended. For additional details on acceptable testing approaches, see Chapter 11 Testing & Evidence Requirements.

9.3.2 The illustrative procedures for the Implemented maturity level will typically indicate whether a sample-based test is expected for a requirement statement. However, the External Assessor may determine that a sample-based test is necessary to validate the scoring even if HITRUST has not specified that a sample-based test is expected. Alternatively, an External Assessor may determine that a sample-based test is not necessary even when HITRUST has indicated that a sample-based test is expected. In these instances, the External Assessor should document its rationale and alternative testing approach. This rationale will be subject to QA review, so the External Assessor must ensure the nature, timing, and extent of testing is sufficient to support the scoring.

9.3.3 Testing must cover all facilities, systems and supporting infrastructure within scope of the assessment.

9.3.4 Testing must adhere to the HITRUST population and sampling methodology as defined in the HITRUST Scoring Rubric and Chapter 11 Testing & Evidence Requirements.