HITRUST expects the External Assessor will perform a sufficient level of testing to support the scores in any HITRUST validated assessment. The integrity of the certification is maintained via HITRUST’s testing requirements and HITRUST’s enforcement of these requirements utilizing the quality assurance review process. This section includes the expectations and guidelines for External Assessor testing within any HITRUST validated assessment. For further information on the Quality Assurance review process performed by HITRUST, see Chapter 14 Undergoing Quality Assurance.

11.1.1 HITRUST External Assessors must ensure the testing approach and evidence requirements meet all guidance outlined in this chapter (including any supplemental guidance such as the HITRUST Scoring Rubric). Deviations from these requirements may lead to delays or to an Assessed Entity being unable to obtain certification.

11.1.2 External Assessors must perform a sufficient level of walkthroughs and testing procedures, which includes producing sufficient documentation, to:

i. Confirm and/or validate the Assessed Entity’s self-identified scoring levels/responses, and

ii. Ensure that compliance gaps have been identified.

11.1.3 All requirement statements within a validated assessment must be validated by an External Assessor. Validation procedures are performed using a variety of testing strategies in order to provide assurances to relying parties that the control achieves the documented maturity score(s).

11.1.4 Procedures performed by External Assessors during validated assessment fieldwork must include one or more of the following types of audit procedures:

  • Walkthroughs and interviews of personnel to verify that policies and procedures are documented and implemented. *
  • Inspection of written policies and procedures to ensure sufficient coverage of each requirement statement’s evaluative elements.
  • Observation of the performance or existence of relevant controls and control processes.
  • Inspection of documentation evidencing the existence/performance of relevant controls, including inspection of documentation associated with samples.
  • Performance of technical testing to validate the implementation or operation of relevant controls.
  • Inspection of operational or independent measures or metrics used by the Assessed Entity.
  • Inspection of evidence generated by mechanisms used by the Assessed Entity to manage relevant controls.
  • Analytical procedures to identify relationships, trends and/or anomalies in a set of data.
  • Recalculation of information generated by an automated or semi-automated process to validate proper functionality (e.g., population completeness).

*NOTE: A walkthrough involves reviewing each requirement statement’s evaluative elements with the individuals responsible for performing / operating the control to gain an understanding of what procedures are being performed at the Assessed Entity. The intention of a walkthrough is for the External Assessor to gain a sufficient understanding of the process to initially identify missing elements in the design and/or operation of the control. Walkthrough procedures may include a combination of inquiry, observation, inspection of relevant documentation, recalculation, and control re-performance. A walkthrough alone is typically insufficient to meet the expected nature and extent of testing to support scoring of a requirement statement. The External Assessor must determine, based on the HITRUST testing requirements within this Assessment Handbook, the testing necessary to validate scores within each HITRUST requirement statement.

11.1.5 If only inquiry was used during an External Assessor’s walkthroughs and/or interviews, additional supporting evidence must be reviewed and documented within MyCSF to corroborate scoring within a validated assessment. For examples of insufficient evidence to address HITRUST requirement statements, see Appendix A-8: Testing and Evidence FAQs & Examples.

11.1.6 External Assessors are not required to be on-site to perform any of the listed audit procedures. The Assessed Entity and External Assessor should determine the most effective and efficient approach for each assessment.

11.1.7 In situations where External Assessors choose to leverage alternative approaches to on-site testing, such as video conferencing, to perform necessary walkthroughs and observations, assessment documentation must clearly reflect the nature, timing, and extent of the alternative approaches used. The External Assessor must still utilize sufficient evidence to demonstrate the Assessed Entity has met the requirement statement’s elements, potentially using less traditional supporting artifacts—such as maintenance records, installation documentation, facility diagrams, etc.—which collectively evidence both the implementation and ongoing operation of the corresponding HITRUST requirement statements. For additional information on remote testing approaches, see Appendix A-9: Off-site Validation Procedures.