This document provides guidance on assessing security controls in information systems and organizations. Security controls assessment is the primary mechanism to verify that information systems and organizations are meeting their stated security goals and objectives. (400 Pages)
The assessment results provide senior managers with:
- Evidence about the effectiveness of security controls in organizational information systems;
- An indication of the quality of the risk management processes employed within the organization; and
- Information about the strengths and weaknesses of information systems which are supporting organizational missions and business functions in a global environment of sophisticated and changing threats.