Assessment type: Internal or External
Internal Assessment
Internal assessments are self-contained within the same instance. In this assessment, the Requestor and the Responder are likely to be the same person, and the Reviewer is the Internal Auditor.
- Pre-Sales Security Assessment - The sales team completes a questionnaire to evaluate security capabilities and gaps prior to partnering with a new MSP. The CISO reviews the assessment.
- Audit Program Self-Assessment - Internal audit completes questionnaire on the execution of IA plan and IIA standards adherence.
- Control Self-Assessments: Employees responsible for certain processes complete questionnaires to evaluate if key controls are functioning as intended.
- Use Case: The Accounts Payable manager performs periodic self-assessments of invoice processing and payment controls. The auditor reviews the assessment results.
- Policy Attestations: Employees review and acknowledge awareness of new or updated organizational policies.
- Use Case: All employees must complete the annual Code of Conduct policy attestation. Compliance tracks completion.
- Risk Culture Surveys: Anonymous surveys gather employee feedback on topics like ethical behaviors, risk appetites, and "tone from the top".
- Use Case: The risk team surveys employees annually on risk culture, with results analyzed by Internal Audit.
- Business Continuity Testing: Departments assess readiness to maintain critical operations during a disruption.
- Use Case: The IT team completes a self-assessment of the disaster recovery plan each quarter.
- Control Design Testing: Process owners validate that process documentation matches actual procedures and controls.
- Use Case: The purchasing team tests the alignment of the documented procurement policy to current purchasing processes.
Ostendio provides the tools to easily create, distribute, complete, and analyze internal assessments for various use cases. The requestor, responder, and reviewer roles can be configured as needed.
External Assessment
External assessments take place between two instances. In external assessments, the Requestor and the Reviewer are likely to be the same, and the Responder will be within the other instance.
- Annual Vendor Security Assessment - Infosec requests MSP partner complete security questionnaire annually to review controls.
- External Quality Assessment - External auditor is granted access to complete assessment of internal audit's quality and IIA conformance every 5 years.
- Vendor Risk Assessments: Review security, privacy, and operations controls for third-party vendors.
- Use Case: The procurement team requests an assessment of all cloud software vendors to evaluate data protection controls.
- Customer Audits: Allow customers to review compliance controls for industry standards or regulations.
- Use Case: An e-commerce company completes an annual audit of the payment processor's PCI-DSS compliance controls.
- Acquisition Due Diligence: Assess the effectiveness of internal controls, compliance, and risk management.
- Use Case: A company planning an acquisition reviews financial, legal, and operational controls of the target organization.
- Partner Risk Assessments: Review key policies, processes, and controls for partners and strategic alliances.
- Use Case: A biotech firm exchanges cybersecurity practices with a partner to ensure aligned controls.
- Investor Due Diligence: Share information on governance and risk management practices with potential investors.
- Use Case: A start-up undergoing Series A funding provides an overview of financial controls to interested VCs.
The Ostendio platform allows organizations to configure external review processes, including assessments, evidence collection, and report generation. In the external assessment process, the requestor and reviewer typically belong to the organization requesting the assessment, while the responder is from the external entity being assessed.