An information security assessment is, as NIST SP 800-115 defines it, “the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, or person), known as the assessment object, meets specific security objectives.”
Three assessment methods can be used, alone or in combination, to accomplish this:
- Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors.
- Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
- Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence.