Does Your Assessor Do These 3 Things When Collecting Evidence?

When it comes to compliance reporting, it’s important to have an assessment partner that is just as invested in your organization’s success as you are. A generic list of evidence artifacts doesn’t properly address your organization’s unique concerns and security needs, leading to a compliance report that lacks the essential information your clients are looking for.

If your assessor doesn’t do the following, it’s time to start thinking about whether they are providing the appropriate services to help you meet your compliance goals. 

  1. Did your assessor discuss the scope of your assessment with you? Do they know which requirements your organization has deemed non-applicable based on your unique needs? For example, if your organization is undergoing a SOC 2® assessment, did your assessor discuss the Trust Services Criteria with you to get a better understanding of which of the criteria need to be examined under the scope of your business practices?
  2. Did your assessor take the time to develop a thorough understanding of your business practices, your industry, services offered, tech stack, etc.? Receiving a generic or templated report as quickly as possible doesn’t help support your long-term security goals, and the report could be invalidated, possibly duplicating effort, requiring additional time, and adding to the cost.
  3. Did your assessor request information about your organization’s specific controls and the implementation of your cybersecurity practices? Your organization’s control catalog is not determined by your assessor. You maintain control and ownership of your chosen control catalog, not your assessor, regardless of report type.

If your compliance assessor sends you a generic list of evidence artifacts without taking the time to understand your unique business needs, it’s time to find a new assessor. Auditwerx is not a one-size-fits-all firm. Our experienced team provides unparalleled reporting experiences, paired with tailored service for your organization.

If you are ready for a true security reporting and compliance partner, contact Auditwerx today. 