Determining effective implementation of mitigation strategies

Update: 2023-05-17

Description

Upon concluding assessment activities, assessors will need to determine whether mitigation strategies were implemented effectively or not. This determination requires a combination of judgement and consideration of the following factors:

  • adoption of a risk-based approach to the implementation of mitigation strategies
  • ability to test the mitigation strategies across an accurate representative sample of workstations (including laptops), servers and network devices
  • level of assurance gained from assessment activities and any evidence provided (noting the quality of evidence)
  • any exceptions, including associated compensating controls, and whether they have been accepted by an appropriate authority as part of a formal exception process.

Assessors should use the ACSC’s standardised assessment outcomes, which are:

  • Effective: The organisation is effectively meeting the control’s objective.
  • Ineffective: The organisation is not adequately meeting the control’s objective.
  • Alternate control: The organisation is effectively meeting the control’s objective through an alternate control.
  • Not assessed: The control has not yet been assessed.
  • Not applicable: The control does not apply to the system or environment.
  • No visibility: The assessor was unable to obtain adequate visibility of a control’s implementation.

Beyond Cyber 101 mentorship into cybersecurity and beyond.

bruno