Skip to main content

IAO-02: Assessments

IAO 10 — Critical Protect

Mechanisms exist to formally assess the cybersecurity and data protection controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.

Control Question: Does the organization formally assess the cybersecurity and data protection controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements?

General (44)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC4.1 CC4.1-POF8 CC6.1-POF2
COBIT 2019 BAI03.08
COSO 2017 Principle 16
ENISA 2.0 SO23
GovRAMP Low CA-02
GovRAMP Low+ CA-02
GovRAMP Moderate CA-02
GovRAMP High CA-02
ISO/SAE 21434 2021 RQ-05-17 RQ-06-24 RQ-06-25 RQ-06-26 RQ-06-27 RQ-06-28.a RQ-06-28.b RQ-06-29
ISO 27002 2022 5.21 5.23 8.29
ISO 27017 2015 14.2.8
ISO 31010 2009 5.3.2
ISO 42001 2023 A.6.2.5
MITRE ATT&CK 10 T1190, T1195, T1195.001, T1195.002, T1210
NIST AI 100-1 (AI RMF) 1.0 MEASURE 2.0
NIST 800-37 R2 A-1
NIST 800-39 3.2
NIST 800-53 R4 CA-2
NIST 800-53 R4 (low) CA-2
NIST 800-53 R4 (moderate) CA-2
NIST 800-53 R4 (high) CA-2
NIST 800-53 R5 (source) CA-2
NIST 800-53B R5 (privacy) (source) CA-2
NIST 800-53B R5 (low) (source) CA-2
NIST 800-53B R5 (moderate) (source) CA-2
NIST 800-53B R5 (high) (source) CA-2
NIST 800-82 R3 LOW OT Overlay CA-2
NIST 800-82 R3 MODERATE OT Overlay CA-2
NIST 800-82 R3 HIGH OT Overlay CA-2
NIST 800-161 R1 CA-2
NIST 800-161 R1 C-SCRM Baseline CA-2
NIST 800-161 R1 Level 2 CA-2
NIST 800-161 R1 Level 3 CA-2
NIST 800-171 R2 (source) 3.12.1
NIST 800-171 R3 (source) 03.12.01
NIST CSF 2.0 (source) ID.IM-01 ID.IM-02 ID.RA-01
TISAX ISA 6 5.3.1
UN R155 7.3.6
UN ECE WP.29 7.3.6
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) IAO-02
SCF CORE ESP Level 1 Foundational IAO-02
SCF CORE ESP Level 2 Critical Infrastructure IAO-02
SCF CORE ESP Level 3 Advanced Threats IAO-02
SCF CORE AI Model Deployment IAO-02
US (27)
Framework Mapping Values
US CERT RMM 1.2 RISK:SG3.SP1
US CISA CPG 2022 1.F 2.Q
US CMMC 2.0 Level 2 (source) CA.L2-3.12.1
US CMMC 2.0 Level 3 (source) CA.L2-3.12.1
US CMS MARS-E 2.0 CA-2
US DFARS Cybersecurity 252.204-70xx 252.204-7020(c) 252.204-7021(b)
US FedRAMP R4 CA-2
US FedRAMP R4 (low) CA-2
US FedRAMP R4 (moderate) CA-2
US FedRAMP R4 (high) CA-2
US FedRAMP R4 (LI-SaaS) CA-2
US FedRAMP R5 (source) CA-2
US FedRAMP R5 (low) (source) CA-2
US FedRAMP R5 (moderate) (source) CA-2
US FedRAMP R5 (high) (source) CA-2
US FedRAMP R5 (LI-SaaS) (source) CA-2
US HIPAA Administrative Simplification 2013 (source) 164.308(a)(8)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.308(a)(8)
US HIPAA HICP Large Practice 9.L.C
US IRS 1075 CA-2
US NISPOM 2020 8-610
US TSA / DHS 1580/82-2022-01 III.F.2.b
US - MA 201 CMR 17.00 17.03(2)(h)
US - OR 646A 622(2)(B)(i) 622(2)(B)(ii) 622(2)(B)(iii) 622(2)(B)(iv)
US - TX DIR Control Standards 2.0 CA-2
US - TX TX-RAMP Level 1 CA-2
US - TX TX-RAMP Level 2 CA-2
EMEA (8)
Framework Mapping Values
EMEA EU AI Act 9.8
EMEA EU EBA GL/2019/04 3.4.6(41) 3.4.6(42) 3.4.6(43) 3.4.6(43)(a) 3.4.6(43)(b) 3.4.6(44) 3.4.6(45) 3.4.6(46) 3.4.6(47) 3.4.6(48) 3.6.2(70) 3.6.2(71)
EMEA EU NIS2 Annex 6.5.2(a) 6.5.2(b)
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 7.11
EMEA Israel CDMO 1.0 10.6 16.5 17.2 17.16 17.18
EMEA Qatar PDPPL 11.1 11.2
EMEA Saudi Arabia IoT CGIoT-1 2024 2-15-2 4-1-5 4-2-3 4-2-4
EMEA UK DEFSTAN 05-138 1205
APAC (8)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0100
APAC China Cybersecurity Law 35
APAC India SEBI CSCRF PR.AA.S16
APAC Japan ISMAP 14.2.8
APAC New Zealand HISF 2022 HHSP68 HML67 HSUP59
APAC New Zealand HISF Suppliers 2023 HSUP59
APAC New Zealand NZISM 3.6 4.2.10.C.01 4.3.20.C.01 4.3.20.C.02 4.3.20.C.03 6.3.8.C.01
APAC Singapore MAS TRM 2021 5.7.1 5.7.2
Americas (3)
Framework Mapping Values
Americas Bermuda BMACCC 5.14
Americas Canada OSFI B-13 2.4.4
Americas Canada ITSP-10-171 03.12.01

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to formally assess the cybersecurity and data protection controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.

Level 1 — Performed Informally

Information Assurance (IA) is ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Pre-production security testing is decentralized.
  • IT personnel implement and maintain an informal process to conduct limited control testing of High Value Assets (HVAs) to meet specific statutory, regulatory and/ or contractual requirements for pre-production cybersecurity and data protection control testing.
Level 2 — Planned & Tracked

Information Assurance (IA) is requirements-driven and governed at a local/regional level, but not consistently across the enterprise. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for pre-production cybersecurity and data protection control testing.
  • IT personnel implement and maintain an established a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/ or contractual requirements for pre-production cybersecurity and data protection control testing.
  • IAP operations focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 3 — Well Defined

Information Assurance (IA) is standardized across the enterprise and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Cybersecurity personnel implement and maintain an established Information Assurance Program (IAP) capability to conduct “business as usual” pre-production cybersecurity and data protection control testing focused on the concept of “security and data protection be design and by default.”
  • The IAP validates that systems/applications/services/processes are both secure and compliant.
  • A Governance, Risk & Compliance (GRC) function, or similar function, facilitates the implementation of cybersecurity and data protection controls to ensure that secure engineering practices are designed and implemented throughout the lifecycle of Technology Assets, Applications and/or Services (TAAS) both internal and external to the organization.
  • A Project Management Office (PMO), or project management function, ensures project involvement for IAP as part of the organization's established project management processes.
  • A Plan of Action and Milestones (POA&M) or similar mechanism, exists to document planned remediation actions to correct weaknesses or deficiencies noted during the assessment of the security controls, helping to reduce or eliminate known vulnerabilities.
  • Administrative processes prevent systems/applications/services/processes from “going live” in a production environment without first going through the IAP process.
  • The IAP uses a tiered approach to conformity testing, based on (1) the sensitivity of data that is stored, processed and/ or transmitted and (2) the criticality of the system/application/service/process.
Level 4 — Quantitatively Controlled

Information Assurance (IA) is metrics driven and provides sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in the review process for proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to formally assess the cybersecurity and data protection controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.

Assessment Objectives

  1. IAO-02_A01 the frequency at which to assess controls in the system and its environment of operation is defined.
  2. IAO-02_A02 individuals or roles to whom control assessment results are to be provided are defined.
  3. IAO-02_A03 an appropriate assessor or assessment team is selected for the type of assessment to be conducted.
  4. IAO-02_A04 a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment.
  5. IAO-02_A05 a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness.
  6. IAO-02_A06 a control assessment plan is developed that describes the scope of the assessment, including the assessment environment.
  7. IAO-02_A07 a control assessment plan is developed that describes the scope of the assessment, including the assessment team.
  8. IAO-02_A08 a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities.
  9. IAO-02_A09 the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment.
  10. IAO-02_A10 security critical or essential software, firmware and hardware components for which to verify correctness are defined.
  11. IAO-02_A11 verification methods or techniques are defined.
  12. IAO-02_A12 the correctness of security critical or essential software, firmware and hardware components is verified using verification methods or techniques.
  13. IAO-02_A13 controls are assessed in the system and its environment of operation per an assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established security requirements.
  14. IAO-02_A14 controls are assessed in the system and its environment of operation per an assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established privacy requirements.
  15. IAO-02_A15 a control assessment report is produced that documents the results of the assessment.
  16. IAO-02_A16 the results of the control assessment are provided to individuals or roles.

Evidence Requirements

E-IAO-03 Pre-Production Controls Testing

Documented evidence of pre-production cybersecurity & data protection controls testing to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.

Information Assurance

Technology Recommendations

Micro/Small

  • Controls Validation Testing (CVT)

Small

  • Controls Validation Testing (CVT)

Medium

  • Controls Validation Testing (CVT)
  • Information Assurance (IA) program
  • VisibleOps security management

Large

  • Controls Validation Testing (CVT)
  • Information Assurance (IA) program
  • VisibleOps security management

Enterprise

  • Controls Validation Testing (CVT)
  • Information Assurance (IA) program
  • VisibleOps security management

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free