Assurance

NIST defines assurance as, "grounds for justified confidence that a [security or privacy] claim has been or will be achieved." Assurance is a measure of confidence.

Why Is Assurance A Term GRC Professionals Should Be Familiar With?

Fundamentally, assurance establishes a reasonable level of confidence that a stakeholder can trust that security, compliance and/or resilience objectives will be achieved. This takes into consideration the risks associated with non-conformity (e.g., non-compliance) and the anticipated costs necessary to demonstrate conformity with the specified controls.

Assurance depends on more than just the control set; it also depends on the level of rigor with which those controls are evaluated. Whether the assessment is performed by internal resources or by third parties, the level of rigor applied in assessing an organization's controls directly affects assurance, because undetected defects in those controls undermine confidence that the controls operate as intended and produce the stated results.

Assurance Is More Than Compliance

When done right, assurance should address three key areas of stakeholder concern:

  1. Security - Are the appropriate controls in place to protect the system/initiative/organization from reasonable risks and threats?
  2. Compliance - Do we have reasonable evidence of due diligence and due care to demonstrate compliance with applicable laws, regulations and contractual obligations?
  3. Resilience - Are we capable of withstanding and recovering from reasonable cybersecurity incidents?

Are Certifications A Form of Assurance?

Yes. When an organization goes through some form of certification process, it undergoes a conformity assessment (e.g., ISO 27001, CMMC, SCF CAP, SOC 2, PCI DSS, RMF, etc.). Conformity assessments are designed to provide assurance that a particular product, service, or system meets a given level of quality or safety. Instead of a 100% pass criterion, conformity assessments rely on the concept of assurance to establish a risk-based threshold for determining whether the intent of the objective(s) has been achieved.

The degree of assurance a stakeholder gains from a third-party cybersecurity certification is limited by:

  1. The scope of the assessed controls; and
  2. The level of rigor used to perform the assessment.

This means some audits/certifications are not worth the paper they are written on, while others can provide a reasonable degree of assurance.