Vulnerability testing should never be performed on client systems by an external assessor.

HITRUST requires independent validation of security controls, and vulnerability testing is a critical part of that process. External assessors are expected to review vulnerability management programs and may conduct their own independent vulnerability testing to validate results. While many organizations perform internal scans, assessors may request additional testing or re-scans if evidence is insufficient. The notion that external assessors should “never” perform such testing is incorrect. In fact, the assurance program allows assessors to conduct testing directly, provided it is within agreed scope and does not disrupt production systems. This ensures the assessor can independently verify that vulnerabilities are managed appropriately and controls are functioning as intended.