
Control Assessments

Measure the effectiveness of individual security controls

Written by Damon Jackman
Updated over 5 years ago

Overview

A Control Assessment is carried out to evaluate how effectively your organization implements a specific security control. An Assessment Plan will usually contain many Control Assessments, one for each Security Control that is required by the target Compliance Objective. A Control Assessment contains information about how your organization has configured the control, what standards need to be met, and what assessment methods should be used, leading to an overall rating.

Within the Control Assessment view, there are four main components:

  • Assessment: this is where the Assessor captures their evaluation.

  • Findings: any adverse Findings that have been identified.

  • Specification: how the Control should be assessed.

  • Control Details: information about how the Control is configured by your organization.

Edit Control Assessment

Select 'Edit Assessment' from the options menu on the Assessment. From the following view you can edit:

  • Assessment Method and Object: select all the activities that were carried out to assess the control.

  • Overall Rating: select one of the options to specify how compliant your organization is with the requirements.

  • Overall Rating Rationale: describe why the overall rating was chosen and any other salient information.

  • Add Finding: add any adverse Findings using this action (for more details see here).

  • Add Document: from here you can add links to any relevant documents. Note that you cannot at this time upload documents to CyMetric, but you can specify a link to where the document is stored on your own system.

Until the Control Assessment is Closed it remains editable, so feel free to record evidence and interim notes as you go because you can return and change it in the future.

Close Control Assessment

Once a Control Assessment is Closed it is read-only and may not be edited. In some cases it may be useful to close an individual Control Assessment, which can be done by selecting Close Assessment from the options menu. Note that you cannot close an Assessment that has not yet been started.
