This page is provided for readers of Rational Cybersecurity for Business who want more detail on security assessments than the book offers. If you came here via the book, you have most likely read chapter 6, “Establish a control baseline,” which discusses the use of security assessments to help security leaders define a minimum viable control baseline and an implementation road map. This page provides the following additional content resources.

  • Why are security assessments important?
  • What is a security assessment?
  • Security Architects Partners assessment services and portfolio

Why are Security Assessments Important?

Businesses seek security assessments for a variety of reasons:

  • Regulatory authorities mandate a standards-based assessment (e.g., a NIST CSF assessment)
  • The corporate board requires an independent assessment to confirm that the security program is on track
  • A new CISO wants a baseline security assessment when starting the role
  • An assessment is needed as part of a merger or acquisition (due diligence) process
  • A full or partial (domain-specific) assessment is desired to point a major security project in the right direction

Performing a security assessment at least once every two or three years (or even annually) is a matter of good practice.

What is a Security Assessment?

Security assessments are periodic reviews or exercises that check your organization’s security controls, policies, and capabilities against its security risks, requirements, or objectives. A security assessment gathers information through staff interviews and document review and then performs risk analyses and control analyses. It therefore has a broader focus than an automated technical vulnerability assessment; rather than replacing one, it uses available vulnerability scan and penetration test findings as one source of data.

You can conduct security assessments internally with help from your IT team, or through a third-party assessor. Third-party security assessments, though more costly, are useful if serious risks or control gaps are suspected, or if you lack staff experienced in performing assessments. Third-party assessments also provide an independent perspective, uncolored by the defensive or insular view that employees may bring to the table when they assess themselves and their colleagues.

The following figure describes the typical process for performing a security assessment and using its results to create recommendations and a roadmap.

Security Architects Partners Assessment Services and Portfolio

Security Architects Partners can perform third-party assessments, or assist companies by providing questionnaires and tools that support staff performing internal assessments.