Types of Assessments
Internal Assessments
An in-depth analysis to identify and assess potential risks and vulnerabilities in an organization's information systems.
- Often performed before implementing new systems or before making any changes to existing ones.
- Identify gaps in an organization's compliance efforts and prepare for formal audits.
- Most are conducted as self-assessments, which gauge adherence to standards and regulations.
Assessment Process
- Conduct a threat modelling exercise to identify potential threats.
- Use a combination of automated tools and manual testing techniques to assess vulnerabilities.
- Perform a risk assessment to evaluate the potential impact of the identified threats and the cost of implementing security measures.
- Recommend mitigation strategies based on the assessment results.
Example of Self Assessment Questionnaire
Below is an excerpt from the Self-Assessment Questionnaire provided by the Cyber Security Agency of Singapore. The full questionnaire can be found here.
External Audits and Assessments
External Audits
External Audits are systematic evaluations carried out by external entities to assess an organization's information systems and security controls.
- Provide an objective perspective on an organization's true security posture.
- Also cover data protection, network security, access controls, and incident response.
- Uncover deficiencies in policies and controls to ensure alignment with diverse regulatory standards.
- Example: Evaluating compliance with PCI DSS, HIPAA, GDPR, etc.
External Assessments
A detailed analysis conducted by independent entities to identify vulnerabilities and risks.
- Involves a combination of automated scanning tools and manual testing techniques.
- Includes risk assessment, vulnerability assessment, and threat assessment.
Regulatory Compliance
The objective that organizations aim to reach by adhering to applicable laws, policies, and regulations.
- Organizations are adopting a consolidated and harmonized set of compliance controls.
- Adherence to industry-specific requirements like HIPAA, PCI DSS, and GDPR.
- Controls such as the NIST Cybersecurity Framework serve as compliance mechanisms.
Independent Third-Party Audit
Offers validation of security practices, fostering trust with customers, stakeholders, and regulatory authorities.
- Provides an unbiased perspective of the organization's security posture.
- Identifies potential weaknesses that might be overlooked in internal audits and assessments.
- Relevant regulations include GDPR and PCI DSS.
Example of HIPAA Audit Checklist
Below is an excerpt from the HIPAA Audit Checklist provided by San Bernardino County.