
Assessments and Audits

Recognizing and referencing Assessments and Audits in compliance work

What it is
An Assessment is an activity used to evaluate the security, risk, or effectiveness of an organization, system, or process.

Assessment Landscape

Assessments can be broad or narrowly focused. They are used every day by IT, security, and risk teams to understand current state and identify weaknesses.

An Audit is a formal type of assessment performed to determine whether defined requirements are met.

In FutureFeed, the outcomes of these activities are organized and tracked as Assessments and Audits.

Assessments vs Audits
All audits are assessments. Not all assessments are audits.

Assessments vary in scope and purpose. Some are exploratory or operational. Others are formal and authoritative.

Audits are distinguished by:

  • Defined criteria
  • Formal conclusions
  • Independence or credentialed authority
  • Clear consequences or attestations

Audits may be performed by credentialed internal resources or by independent third parties.

Types of assessments

Assessments are commonly performed at different levels of scope.

Broad assessments evaluate overall posture or readiness, such as:

  • Annual IT or security assessments
  • Risk assessments
  • Control or program assessments
  • Readiness assessments

Focused assessments evaluate specific areas or controls, such as:

  • Vulnerability scans
  • Penetration tests
  • Configuration reviews
  • Targeted technical assessments

Both broad and focused assessments are valid forms of assessment. They answer different questions and may be performed on different schedules.

Vulnerability scans and penetration tests
Vulnerability scans and penetration tests are focused security assessments.

  • A vulnerability scan is typically an automated assessment used to identify potential weaknesses.
  • A penetration test is typically a human-led assessment used to evaluate exploitability and impact.

These assessments may stand alone, be repeated regularly, or be included as part of a broader assessment or audit.

How FutureFeed organizes assessment results
In FutureFeed, each assessment or audit is represented as a documentation item that describes the activity being performed.

The reports and outputs generated each time the assessment or audit is completed are treated as process artifacts.

Those artifacts can be attached to the assessment or audit documentation item and reviewed over time.

Example
An organization may create an assessment called Annual IT Assessment.

Each year:

  • The assessment is performed
  • A report is generated
  • That report is uploaded as a process artifact
  • When reviewed and accepted, the artifact becomes evidence

This allows the organization to track the assessment consistently over time while retaining year-by-year results.

Why assessments and audits exist
Organizations use assessments and audits to:

  • Understand security and risk
  • Identify gaps and weaknesses
  • Measure effectiveness
  • Support decision-making
  • Demonstrate accountability

They support improvement and governance, not just compliance.

What assessments and audits review
Assessments and audits may review:

  • Policies and plans
  • Processes and procedures
  • Configurations
  • Assessment results (including scans and pen tests)
  • Artifacts and evidence
  • Interviews or walkthroughs

The purpose is evaluation and understanding.

What assessments and audits produce
Assessments and audits typically produce:

  • Findings
  • Identified gaps
  • Risk statements
  • Conclusions
  • Recommendations

Their reports are retained as records and reviewed over time.

Common confusion
In practice, people often use the terms scan, assessment, and audit interchangeably. This is common and understandable.

In FutureFeed:

  • Assessments are the category used to organize evaluation activities
  • Audits are formal assessments
  • Reports are Process Artifacts attached to assessments or audits
  • Reviewed Artifacts (reports) become Evidence

The distinction allows results to be tracked clearly and consistently over time.
