Rating on documentary evidence

Assessment of the security program

The Assessment is a rating of the level of cybersecurity that, like the qualification, is focused on services. It occupies an intermediate position between self-assessment and qualification: the former is carried out directly by the provider without any type of verification, while the latter is awarded after a rigorous auditing process and has monitoring mechanisms in place.

The Assessment and Controls Framework

Our Assessment service takes as its starting point the complete LEET Security control framework, with its 14 domains and the 5 levels that characterize our rating. Like the rating, it begins with the completion of the self-assessment in the E-Qualify tool, in which all the questions corresponding to the level selected as the objective must be answered, identifying the evidence and/or indicating how compliance with the marked controls is achieved.

Documentary evaluation

We request and evaluate the documentation referring to:

  • Policies: high-level description regarding the protection of the organization and its assets, as well as incident management.

  • Standards or guides: implementation of the policies to define how and where to carry out the actions, with precise instructions.

  • Procedures: describe how to execute the different processes in accordance with current regulations.

Based on this documentation, our auditors evaluate the design of the controls and security measures, but not their correct operation. They do, however, verify that a sample process is executed in accordance with the procedures established for it. This method is similar to the one used for Type I reports under the ISAE 3402 / SSAE 16 methodology.

Clients must ensure that the documentation provided is formally approved and communicated in the organization.

This documentary review confers a high degree of reliability on the result of the Assessment, which is granted for the three dimensions of Confidentiality, Integrity and Availability. The result is considered valid for 12 months, since the rapid evolution of the cybersecurity environment requires continuous review of the protection practices in use.

Evaluated organizations can use the results report to accredit the level of security in the provision of their services. It does not carry the full guarantee of the complete audit and supervision provided by the Rating, but it provides a high level of trust, based on verification of the organization's security policies and procedures.