
Assessment Plans

Evaluate and report how compliant your organization is

Written by Damon Jackman
Updated over 4 years ago

Overview

Assessment Plans allow you to leverage all of the information that CyMetric holds to evaluate how well your organization meets a Compliance Objective. They identify all Information Systems that implement a selected Compliance Objective and generate a Control Assessment (more information here) for each relevant Control.

Create an Assessment Plan

To create a new Assessment Plan, you need at least one Information System that has a Compliance Objective mapped to it. Select the Assessments link under Auditing and then Create Plan. Select the Compliance Objective for Plan Type and then the Objective that you want to assess.

Once you have entered a Title, Owner, and Planned completion date for the Assessment Plan, CyMetric will present a confirmation screen. Feel free to go back and correct anything that looks wrong at this point. Once the details are confirmed, CyMetric will create the Assessment Plan and generate a Control Assessment for each Control that is required by the Compliance Objective you selected. For example, the Control AC-1 ACCESS CONTROL POLICY AND PROCEDURES is required by New York State Department of Financial Services regulations, so a Control Assessment will be created for each system that implements both NYS DFS and AC-1.

Once the Assessment Plan has been created, you can select it from the table and start work.

Edit an existing Assessment Plan

If you need to edit an existing plan, select the Edit Plan action from the menu.

You may edit the plan Title, Owner, and Planned Completion Date, but not the Compliance Objective.

Cancel an Assessment Plan

If an Assessment Plan is not going to be completed, it can be cancelled. Select the Options menu and then Cancel Plan. Once you confirm the action, the following will happen:

  • All data associated with the Assessment Plan will be made read-only;

  • All Not Started and In-Progress Control Assessments will be deleted (see here for how to close a Control Assessment);

  • All Complete Control Assessments will be kept and can be re-used in other Assessment Plans; and

  • The Assessment Plan will show up as 'Cancelled' in the table.

Complete an Assessment Plan

Once all relevant Controls have been assessed, the Assessment Plan can be marked complete. This enables Reports to be generated, and all information about the Assessment is retained as read-only, so that it can be viewed but not edited.

To finalize an Assessment Plan, select the 'Mark as Complete' button in the top right of the screen. This will do the following:

  • Present a preview of what changes will happen, and require confirmation that you want to proceed.

  • Close all Control Assessments within the Assessment Plan. This makes them read-only and allows them to be reused across other Assessment Plans.

An Assessment Plan can only be marked complete once all related Control Assessments have been edited. If any have not been started, the 'Mark as Complete' button will be disabled.
