Stage 2: Determination of assessment scope and approach
Description
Stage 2: Determination of assessment scope and approach
Determine assessment scope
In determining the assessment scope, assessors should first clarify the target maturity level with the system owner, noting that the Essential Eight is required to be implemented and assessed as a package. For example, if a system owner has not previously had an assessment demonstrating that they have implemented Maturity Level One, they should not begin an assessment against Maturity Level Two until they have done so, and likewise for Maturity Level Two before being assessed against Maturity Level Three.
Having identified a suitable target maturity level, the assessor should familiarise themselves with the requirements for that maturity level as it will impact the components or aspects of the system within scope of the assessment. At this time it may also be useful to request an approximate percentage breakdown of the operating systems used on workstations and servers for the system.
Beyond Cyber 101 mentorship into cybersecurity and beyond.