In the first part of this series I focused on the best practices of understanding the intent of the assessment, the value that a dedicated project manager adds to the effort, and the importance of selecting the right firm. In this second part I will focus on the best practices of selecting the right framework, preparing the materials, and presenting the materials. These efforts are discussed separately; however, they are tightly coupled and rely heavily on good communication.
Preparing for an information security assessment is a daunting challenge – especially if previous assessments were not handled well. In most cases, adequate preparation and a mindset geared towards obtaining an honest assessment of the current state will yield significant benefits for the organization, but only if sufficient effort is also spent on delivery.
Great teams sometimes fail because of a lack of delivery management. This is as true for an information security assessment as it is for a development project. In fact, some may argue that it is truer of an assessment because of the finality and timing of the final report versus the iterative nature of many development projects.