A cybersecurity control self-assessment is a process in which an organization benchmarks its own security practices against established standards. But what does that mean exactly?
In this article, we're going to:
- Define some key terms, like "cybersecurity assessment," "control," and "framework."
- Look at what financial institution regulatory guidance says about this topic.
- Discuss what makes one cybersecurity framework different from another.
- Provide five steps to perform a cybersecurity control self-assessment.
Key Terms
Before we get too far into the weeds, let's take a minute to get on the same page.
- A cybersecurity control self-assessment is an organization's own review of whether a security control is in place and working as intended. The broader term cybersecurity assessment is often used for this activity too, but it also covers things like audits, penetration tests, and vulnerability scans. A control self-assessment is one piece of that bigger picture. The two terms sound alike, but they are not interchangeable.
- A control is a security measure an organization puts in place to prevent, detect, or respond to cybersecurity threats. Controls come in many forms. They can be administrative (like a policy), technical (like encryption), or physical (like a locked door). The term "control" is often used to describe any safeguard or action an organization implements to meet the requirements of a framework.
- A framework is a structured set of guidelines, standards, best practices, goals, outcomes, or specific controls. Its purpose is to help organizations protect their data, systems, operations, and people by providing a roadmap for managing common cybersecurity risks.
Regulatory Guidance
The Gramm-Leach-Bliley Act (GLBA) and the resulting Interagency Guidelines Establishing Information Security Standards require financial institutions to:
"Implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities."
Cybersecurity control self-assessments are one way of determining whether these "safeguards" exist and are effective.
FFIEC guidance encourages the use of standardized approaches to perform cybersecurity control self-assessments. According to an August 2019 press release:
"Firms adopting a standardized approach are better able to track their progress over time and share information and best practices with other financial institutions and with regulators. Institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness."
In the FFIEC Cybersecurity Assessment Tool (CAT) Sunset Statement, the agencies pointed financial institutions toward "several new and updated government and industry resources" to use as the basis for a cybersecurity control self-assessment, including the NIST Cybersecurity Framework (CSF), CISA Cybersecurity Performance Goals (CPGs), CRI Profile, and CIS Controls.
Framework Structure
With so many frameworks out there, a question we often receive is:
"What makes one framework different from another?"
The short answer is that frameworks share a similar nested structure (broad groupings, narrower groupings, and then individual controls or outcomes), even though the level names differ: the NIST CSF uses functions, categories, and subcategories, CIS uses controls and safeguards, and the CISA CPGs use goals. What makes one framework different from another is its contents.
Here is a high-level depiction of what a framework's structure looks like.
Every framework largely follows this same pattern, but each uses its own category names and content. For example, the Protect function of NIST CSF 2.0 is broken into five categories: Identity Management, Authentication, and Access Control (PR.AA); Awareness and Training (PR.AT); Data Security (PR.DS); Platform Security (PR.PS); and Technology Infrastructure Resilience (PR.IR), each of which is further divided into subcategory outcomes.
Why This Matters: Most cybersecurity frameworks are built from the same pool of common controls and follow a similar structure. The differences come in how those controls are grouped, described, and detailed. There's a lot of overlap, but also some distinctions in scope and focus. Depending on your organization's needs, it may make sense to perform cybersecurity control self-assessments using more than one framework.
How to Perform a Cybersecurity Control Self-Assessment
Here are five steps for performing a cybersecurity control self-assessment.
Step 1: Pick a framework.
Key Question: "Which framework is the best fit for us?"
Choose a framework that provides the right balance of structure and coverage for your organization's size, complexity, risks, and business needs. For more information about picking the right framework, check out our blog: Which Framework Do I Replace the FFIEC CAT With?
Step 2: Set your goals.
Key Question: "How mature do we want our controls to be at this point in time?"
Before you start assessing, it is helpful to determine the level of alignment you want to achieve. Be aware that different frameworks use different terms for these goals, for example "target status," "maturity levels," "tiers," or "implementation groups," and that the terms are not always equivalent. NIST, for instance, describes CSF Tiers as characterizing the rigor of an organization's risk governance and management practices rather than the maturity of individual controls, so a per-outcome target is usually expressed in a Target Profile instead. Whatever the wording, pick the level that is the best fit for your organization and write it down before you rate anything.
Step 3: Assess your controls.
Key Question: "Are our controls actually doing what we need them to do?"
Once you've set your goals, you can start assessing whether your controls are meeting them.
For example, if you are using the NIST CSF, you would look at each subcategory outcome and judge how well your current controls align with your target status. Let's say you are looking at the outcome:
PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization.
- In a small, simple organization, this control might be considered "Fully Implemented" if you have an effective manual process for tracking identities and credentials.
- In a large, complex organization, the same control might only be "Fully Implemented" if you have a robust, automated identity and credential management system that's monitored in real time.
This is why the process is considered a self-assessment. It's not always about validating specifics, but instead about helping you find gaps in your control maturity. Speaking of...
Step 4: Review your gaps.
Key Question: "Which controls are impacting our maturity and how can we close those gaps?"
Sometimes your controls are meeting your goals, and sometimes, they aren't. This is where the real value of a cybersecurity control self-assessment shows up. The purpose isn't just to tick boxes; it's to get an accurate picture of where you are now compared to where you want to be.
This process is called a "gap analysis." For each control, compare your current status with your target status, identify where the gaps exist, and make a plan for improvement. Record the evidence behind each rating (the policy, the configuration export, the access review report) so that a "Fully Implemented" is something you can show an examiner or auditor, not just something you believe.
Step 5: Update and monitor.
Key Question: "Are our controls still effective and what adjustments do we need to make?"
A cybersecurity control self-assessment is not a one-and-done activity. The world around your controls is constantly evolving, so a control that was "Fully Implemented" yesterday might not be tomorrow.
Schedule a reminder to review your controls, track changes, and adjust your assessment as needed, and re-rate affected controls sooner when something material changes: a new core system or vendor, a merger, a security incident, or a framework revision. Continuous monitoring keeps your assessment honest and your cybersecurity posture strong over time.
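Steps 2 through 5 describe a small, repeatable procedure: fix a maturity scale, rate each control against a target, list the gaps, and re-check later for regressions. The Python below is an added example that models that procedure end to end; it is not Tandem's code and not part of the NIST CSF. The four-step maturity scale, the evidence lists, and the current/target ratings are constructed for illustration, and the PR.AA subcategory IDs are used only as labels for the rows.

```python
"""Toy control self-assessment record with gap analysis (added example).

Assumptions not taken from the article: a four-level maturity scale, a handful
of NIST CSF 2.0 PR.AA subcategory IDs used purely as row labels, and
constructed ratings for two assessment rounds. Ratings should be backed by
evidence; the `evidence` field is a reminder of that, not a substitute for it.
"""
from dataclasses import dataclass, field

# Step 2: the maturity scale. Tuple order is the maturity rank (hypothetical labels).
SCALE = ("Not Implemented", "Partially Implemented",
         "Largely Implemented", "Fully Implemented")
RANK = {name: i for i, name in enumerate(SCALE)}


@dataclass
class ControlRating:
    control_id: str                 # e.g. a CSF subcategory such as PR.AA-01
    target: str                     # where you want to be (step 2)
    current: str                    # where you are today (step 3)
    evidence: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject ratings that are not on the agreed scale; mixed scales make gaps meaningless.
        for label in (self.target, self.current):
            if label not in RANK:
                raise ValueError(f"{self.control_id}: unknown maturity level {label!r}")


def gap(rating: ControlRating) -> int:
    """Maturity steps between current and target. 0 or negative means the goal is met."""
    return RANK[rating.target] - RANK[rating.current]


def gap_analysis(ratings: list[ControlRating]) -> list[tuple[str, int]]:
    """Step 4: controls below target as (control_id, gap), largest gap first."""
    gaps = [(r.control_id, gap(r)) for r in ratings if gap(r) > 0]
    return sorted(gaps, key=lambda pair: (-pair[1], pair[0]))


def unsupported(ratings: list[ControlRating]) -> list[str]:
    """Honesty check: anything rated above 'Not Implemented' with no evidence recorded."""
    return [r.control_id for r in ratings if RANK[r.current] > 0 and not r.evidence]


def regressions(previous: list[ControlRating], current: list[ControlRating]) -> list[str]:
    """Step 5: controls whose current rating dropped since the last assessment."""
    prev = {r.control_id: RANK[r.current] for r in previous}
    return [r.control_id for r in current
            if r.control_id in prev and RANK[r.current] < prev[r.control_id]]


# Constructed sample data: first assessment round.
Q1_RATINGS = [
    ControlRating("PR.AA-01", "Fully Implemented", "Partially Implemented",
                  ["HR onboarding/offboarding checklist"]),
    ControlRating("PR.AA-02", "Largely Implemented", "Largely Implemented",
                  ["Identity proofing procedure v3"]),
    ControlRating("PR.AA-03", "Fully Implemented", "Largely Implemented"),  # no evidence
    ControlRating("PR.AA-05", "Largely Implemented", "Not Implemented"),
]

# Constructed sample data: next round. PR.AA-01 improved, PR.AA-02 slipped.
Q2_RATINGS = [
    ControlRating("PR.AA-01", "Fully Implemented", "Fully Implemented",
                  ["IAM joiner/mover/leaver workflow", "Quarterly access review 2Q"]),
    ControlRating("PR.AA-02", "Largely Implemented", "Partially Implemented",
                  ["Identity proofing procedure v3 (not followed for contractors)"]),
    ControlRating("PR.AA-03", "Fully Implemented", "Largely Implemented",
                  ["MFA enforcement report"]),
    ControlRating("PR.AA-05", "Largely Implemented", "Partially Implemented",
                  ["Role matrix draft"]),
]

if __name__ == "__main__":
    print("Q1 gaps:", gap_analysis(Q1_RATINGS))
    print("Q1 ratings with no evidence:", unsupported(Q1_RATINGS))
    print("Regressions Q1 -> Q2:", regressions(Q1_RATINGS, Q2_RATINGS))
    print("Q2 gaps:", gap_analysis(Q2_RATINGS))
```

The ordering in `SCALE` is the only thing that makes "how far from target" computable, which is why the `ControlRating` constructor rejects labels that are not on the scale. The `unsupported` and `regressions` checks are the two questions a reviewer tends to ask of a self-assessment: what backs this rating, and what got worse since last time.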
Next Steps
When performing a cybersecurity control self-assessment, aim for accuracy, not perfection. A cybersecurity control self-assessment is only as good as the honesty and effort you put into it. Pause, reflect, document, and act on what you find. That's how you turn insights into stronger, more resilient controls.
If you'd like some help getting started and finishing strong, check out Tandem Cybersecurity Assessment. Tandem guides you through assessments based on popular frameworks and offers helpful features like notifications, mappings, gap analysis, peer comparisons, and documents, all designed to make your assessment process easier and more effective.
Sign up for free today at Tandem.App/Cybersecurity.