
Assessments Overview

Gain insight into the effectiveness of security controls

Written by Damon Jackman
Updated over 5 years ago

Assessments create insight

Assessments provide data on how well your organization implements the Controls it needs to be compliant. Assessments are often carried out by Assessors, who are specialists in evaluating the effectiveness of security controls, so this article refers to Assessors throughout.

Assessment Plans 

An Assessment Plan organizes the assessment of all Controls that are required by a specified Compliance Objective. If multiple Information Systems implement the same objective, then all related Controls will be included for assessment (more information available here).

For more information on how to set up an Assessment Plan go here.

Control Assessments

A Control Assessment is the information that an Assessor reviews and records to evaluate a Control Instance (more info on Control Instances here). This includes:

  • The configuration of the Control as it applies to a specific Information System;

  • The Assessment Specification, which states how the Control should be assessed; and

  • The assessment details, including an overall rating and any negative Findings.

More information on Control Assessments is available here.

Assessment Reports

Once all the Control Assessments in an Assessment Plan are complete, the Plan can be closed. Closing the Plan makes all of the data related to it, including all Control Assessments, read-only. You can then generate a Report to summarize all of the information captured in the Assessment Plan. The Report includes a summary for the executive team and full details of any issues that need to be addressed.

More about Assessment Reports is available here.

If you want to take a tour of the Assessments process, click here.
