During the planning phase of a validated assessment effort, the HITRUST External Assessor must prepare a Test Plan that outlines the anticipated testing approach for all applicable/in-scope requirement statements; it serves as the blueprint for the performance of the validated assessment.

11.2.1 The testing approach documented in the Test Plan must be based on each requirement statement’s evaluative elements.

11.2.2 The Test Plan must document the testing approach, including the nature, timing, and extent of testing, which will be taken for each of the requirement statement’s evaluative elements across the scope of the assessment (including all systems, locations, and business units).

11.2.3 If third parties are used to manage aspects of the in-scope environment and not carved out in an i1 or e1 (see Chapter 7.3 Carve-outs), the Assessed Entity and External Assessor must determine how they will perform the necessary testing of those third parties for each applicable requirement statement across the assessment. For guidance on the authorized HITRUST approaches for addressing third parties, see Chapter 12 Reliance & Third-Party Coverage.

11.2.4 The Test Plan should document the populations necessary for sample-based testing and how those will be obtained for each requirement statement. For details around population requirements, see Chapter 11.4 Population & Sampling.

11.2.5 All testing performed by the External Assessor in support of the validated assessment must be conducted in a 90-day period concluding with the Assessed Entity signing the Management Representation Letter (see Chapter 13.8 Management Representation Letter for more details).

11.2.6 External Assessors may conduct fieldwork planning activities, such as scoping, building Test Plans, and preparing/sending documentation request lists, prior to the start of fieldwork. For guidance on evidence utilization during and prior to the fieldwork period, see Chapter 11.3 Working Papers and Evidence.

11.2.7 Prior to the Assessed Entity signing the Management Representation Letter, the External Assessor must agree to all requirement statement scoring within the assessment.

11.2.8 All controls established by the Assessed Entity in support of each of the HITRUST requirement statements must be implemented for a minimum of 90 days prior to testing (i.e., 90-day incubation period). This includes either a newly implemented control or a control remediated due to deficiencies. The control must have been operating in its current state for a consecutive 90 days (or more) before it can be tested as an implemented control.

11.2.9 Policies and procedures within the organization must be implemented for a minimum of 60 days prior to being considered by the External Assessor during the fieldwork period (i.e., 60-day incubation period). As the maximum fieldwork length is 90 days, it is possible for the Assessed Entity to remediate any policy and/or procedure deficiencies identified by the External Assessor within the first 30 days of fieldwork. If remediated within the first 30 days of fieldwork, the policies and/or procedures may be utilized to support scoring after the 60-day incubation period has completed, but prior to the end of the 90-day fieldwork period.

[Figure: visual timeline of a newly implemented control]

11.2.10 If the incubation period has not been met as noted in criteria 11.2.8 or 11.2.9, the Assessed Entity must score the requirement statement based on the control state prior to remediation. There is no ability to partially score a requirement statement for meeting less than the full incubation period.