Security Control Assessment

Assess the security controls for the system and its operating environment to determine whether they have been implemented correctly and are operating as intended. In addition, reviewing and assessing opportunities for improvement is necessary to ensure the continuing suitability, adequacy and effectiveness of the organization's approach to managing information security.

In conducting a security assessment, it is important that assessors and system owners first agree to the scope, type and extent of assessment activities, which may be documented in a security assessment plan, such that any risks associated with the security assessment can be appropriately managed. To a large extent, the scope of the security assessment will be determined by the type of system and security controls that have been implemented for the system and its operating environment.

Security control assessment can be performed in two waves. The first can be an internal review, carried out by an independent person who was not responsible for implementing the controls; individuals carrying out these reviews should have the appropriate skills and experience. At a later stage, additional assurance can be obtained through an independent third-party review, assessment or audit.

The outcome of the assessment should be documented and reported to the management who initiated the review. Any identified issues should be fed back into the risk assessment table or the security controls registry, together with the responsible persons and implementation deadlines.