Stage 1: Assessment planning and preparation Assessment planning

Update: 2023-05-15
Description


Stage 1: Assessment planning and preparation


Assessment planning

Prior to commencing an assessment, the assessor should conduct assessment planning activities. These activities require the assessor to discuss with the system owner:

  • system classification and assessment scope (see further detail below)
  • access to low and high-privileged user accounts, devices, documentation, personnel, and facilities
  • intended assessment approach and any approvals required to run scripts and tools (see further detail below)
  • evidence collection and protection, including any requirements following the conclusion of the assessment
  • where the security assessment report will be developed (e.g. on an assessor’s device or on an alternative device)
  • approach to stakeholder engagement and consultation (including key points of contact)
  • whether any managed service providers or other outsourced providers manage any aspects of the system (including appropriate points of contact)
  • access to any relevant prior security assessment reports for the system
  • appropriate use, retention and marketing of the security assessment report by both parties.

Beyond Cyber 101 mentorship into cybersecurity and beyond.

bruno