NIST SP 800-115
An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives.
Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing.
- Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors.
- Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
- Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence.
Assessment results are used to support the determination of security control effectiveness over time.
Sybex CISSP Study Guide, 7th Edition
- Security tests verify that a control is functioning properly.
- Security assessments are comprehensive reviews of the security of a system, application, or other tested environment.
- Security audits use many of the same techniques followed during security assessments but must be performed by independent auditors.
In my opinion, ISC2 should follow the definition of NIST and rename the CISSP Domain 6 from “Security Assessment and Testing” to “Security Assessment.” Testing is just one type of the three security assessment methods, while an audit is a security assessment conducted by independent auditors.