The assessment of the organizations will be performed in two phases, intended to minimize the workload on organizational resources.

1. First, a broad applicability determination will be used to determine what control families/controls are appropriate for assessment. As an example, if no internal application development is performed then no further information will be requested. Similarly if there is an area of concern, data destruction for example, then that area will be given extra focus (within reason).
2. Next, each control family will be assessed by using a combination of questionnaire, interviews and existing document review. We expect that the bulk of the process will be conducted by remote (video conference) interview for this first assessment effort. The full list of areas that will be assessed is included as “Control Families and Controls”.