How Do We Gather the Necessary Documentation and Resources for an Assessment from the Client?

SteelToad has been conducting assessments for over 14 years. Once the Assessment Plan has been created and accepted, the Assessment begins, and our team starts collecting the material the organization will use to demonstrate that it meets each security control standard.

The material collected is called “Evidence”: the information, or “proof,” used to determine whether the organization is meeting the standard set forth in each specific security control. Evidence must demonstrate that the process and the functionality behind it actually satisfy the requirement as defined in the security control. The process will differ from one environment to the next; what matters is that the Evidence from the system shows the control is satisfied. Evidence must therefore be both adequate (it actually addresses the requirement) and sufficient (there is enough of it to support the conclusion).

SteelToad’s assessors examine two things: whether the Evidence submitted accurately meets the standard of the security control, AND whether it is the right Evidence to show our team that the organization is fully meeting that standard. A screenshot of a policy document, for example, may prove that a policy exists but not that it is enforced.

Evidence may be gathered by various methods, as determined by the organization (documents, configuration exports, screenshots, logs, interviews, or observed tests). Our assessors then assess whether the information is relevant, accurately represents compliance with the security control standard, and is a complete representation of the organization’s compliance with that control.
