Recently completed audits and/or assessments covering some or all control areas included in the scope of a HITRUST validated assessment may be leveraged (relied upon or inherited) by the External Assessor. Relying on the results of such efforts can benefit both the Assessed Entity and the External Assessor, because duplicative assessment-related requests and interviews can be minimized.

The decision to rely on the work of others lies solely with the External Assessor, as the External Assessor is ultimately accountable for validating an Assessed Entity’s implementation of the HITRUST CSF. When using the work of others, the External Assessor should take care to design a validated assessment testing strategy that ensures they are still sufficiently involved in the validated assessment. When designing the testing strategy, the External Assessor must understand what reliance/inheritance capabilities are possible for all third parties in scope of the validated assessment.

12.1.1 The Assessed Entity and/or External Assessor must identify all in-scope third-parties during validated assessment planning and determine the testing strategy for the corresponding third-party prior to fieldwork.

12.1.2 When an Assessed Entity and/or External Assessor is unable to utilize the testing approaches below to obtain coverage of the in-scope third-party, scoring in the assessment must reflect that those requirement statements were not compliant for the corresponding third-party.

12.1.3 For the i1 and e1 assessment types, Assessed Entities have the ability to carve out third-parties from the scope of the assessment. This must be properly documented within the organization and overview section of the report. For more information, see Chapter 7 Scoping the Assessment.

12.1.4 Assessed Entities should adopt policies requiring their third-parties to maintain each of the relevant HITRUST requirements within the CSF framework.

HITRUST recognizes four distinct strategies which can be used by an External Assessor to approach testing of third-parties: