Contact us today. Phone: +1 888 776-9234. Email: sales@plurilock.com

How do I prepare for a Level 2 external assessment?

A Level 2 external assessment is a comprehensive evaluation of security controls by accredited third-party assessors. Unlike a Level 1 self-assessment, Level 2 involves experienced security professionals examining your security implementations, interviewing personnel, reviewing documentation, and testing controls. Thorough preparation significantly improves assessment outcomes and reduces the likelihood of major deficiencies being found. Understanding what assessors evaluate and how to prepare helps executives ensure their organizations are ready for formal assessment.

Answer

Prepare through scope definition, documentation compilation, internal pre-assessment, deficiency remediation, personnel training, evidence organization, and facility readiness coordination.


Assessment Scope Definition

External assessments evaluate security controls for systems handling specified information. Boundary definition clearly identifies which systems, networks, facilities, and organizational units are in assessment scope—only systems processing, storing, or transmitting specified information must meet full CPCSC requirements.

System inventory documents all in-scope systems, applications, network devices, databases, and infrastructure components. Information flow analysis traces how specified information moves through the environment to ensure all systems touching specified information are included. Organizational scope includes business units, locations, and personnel involved in specified information handling.

Documented scope prevents disputes during assessment about what should be evaluated and ensures assessors examine appropriate systems. Organizations should complete scope definition well before assessment (months in advance) to allow adequate preparation time. Scope should be reviewed with preliminary assessors or consultants to verify accuracy and completeness.

Required Documentation

Assessors will review extensive documentation demonstrating security control implementation. The following items are typically required:

  • System security plan describes security control implementations for each system handling specified information—comprehensive document addressing all applicable ITSP.10.171 requirements
  • Security policies and procedures governing security practices across the organization
  • Risk assessment documenting identified risks to specified information and implemented risk mitigation measures
  • Organization-defined parameters (ODPs) specifying values for assignment and selection operations in ITSP.10.171 requirements
  • System component inventory listing all hardware, software, and network components
  • Network diagrams showing system architecture, security zones, and boundary protections
  • Data flow diagrams illustrating how specified information moves through systems
  • Security assessment results from internal assessments and vulnerability scans
  • Incident response plan and evidence of testing
  • Business continuity and disaster recovery plans
  • Training records demonstrating personnel received required security training
  • Background check documentation for personnel accessing specified information
  • Change management records showing security change control
  • Audit logs demonstrating logging and monitoring implementation

Organizations should compile documentation packages organized by security control family to facilitate assessor review.

Internal Pre-Assessment

Organizations should conduct thorough internal assessments before external assessment. This internal review should include the following activities:

  • Gap analysis compares current implementations against all ITSP.10.171 requirements, identifying deficiencies
  • Control testing verifies that documented controls actually work as intended through technical testing, interviews, and evidence review
  • Vulnerability scanning identifies technical vulnerabilities in systems
  • Configuration audits verify systems match security baselines
  • Documentation review ensures policies, procedures, and system security plans are complete, current, and accurate
  • Mock interviews practice answering typical assessor questions with key personnel
  • Evidence collection gathers and organizes evidence demonstrating control effectiveness

Remediation of identified gaps before external assessment prevents findings—better to discover and fix issues internally than during external assessment. Organizations may engage external consultants to conduct pre-assessments, providing independent perspective similar to actual assessment.

Pre-assessment should occur 3-6 months before planned external assessment, allowing time to remediate findings.
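The configuration audit step above checks whether systems actually match the approved baseline. The following is an added example of that check, not code from the original page or from Plurilock: a small script that parses a captured SSH daemon configuration and reports every directive that is absent or out of baseline. The baseline, the directive rationales, the 90/10 split of exact-match versus numeric-ceiling comparisons, and the host capture are all constructed for illustration; a real audit uses the organization's own approved hardening standard.

```python
"""Added example (not from the original page): a minimal configuration
baseline audit of the kind run during internal pre-assessment.

Everything below is constructed for illustration. BASELINE is a
hypothetical hardening standard for an SSH daemon; OBSERVED_CONFIG is a
constructed sshd_config-style capture from one host. A real audit uses
the organization's own approved baseline.
"""
from dataclasses import dataclass

# Constructed baseline: directive -> (expected value, comparison, rationale).
# "eq" = value must match exactly (case-insensitive);
# "max" = numeric value must not exceed the expected ceiling.
BASELINE = {
    "PermitRootLogin": ("no", "eq", "direct root login defeats individual accountability"),
    "PasswordAuthentication": ("no", "eq", "key-based access only"),
    "MaxAuthTries": (4, "max", "limit guessing attempts per connection"),
    "LogLevel": ("VERBOSE", "eq", "key fingerprints are needed in the audit trail"),
    "X11Forwarding": ("no", "eq", "unneeded service surface"),
}

# Constructed host capture; it deliberately drifts from the baseline.
OBSERVED_CONFIG = """\
# sshd_config captured from host app-01 (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
# LogLevel intentionally absent -> daemon default applies, not VERBOSE
X11Forwarding no
"""


@dataclass(frozen=True)
class Finding:
    directive: str
    expected: str
    observed: str
    rationale: str


def parse_config(text: str) -> dict:
    """Parse 'Directive value' lines; comments and blank lines are ignored.

    The first occurrence of a directive wins, matching sshd's rule that the
    first obtained value for a keyword is the one used.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # directive with no value: nothing to compare
        settings.setdefault(parts[0], parts[1].strip())
    return settings


def audit(observed: dict, baseline: dict = BASELINE) -> list:
    """Return one Finding per baseline directive that is absent or non-compliant."""
    findings = []
    for directive, (expected, mode, why) in baseline.items():
        value = observed.get(directive)
        if value is None:
            # Absence is a finding: the daemon default is not the baseline value.
            findings.append(Finding(directive, str(expected), "<absent>", why))
            continue
        if mode == "eq":
            compliant = value.lower() == str(expected).lower()
        else:  # "max": numeric ceiling
            try:
                compliant = int(value) <= int(expected)
            except ValueError:
                compliant = False
        if not compliant:
            findings.append(Finding(directive, str(expected), value, why))
    return findings


if __name__ == "__main__":
    for f in audit(parse_config(OBSERVED_CONFIG)):
        print(f"DRIFT {f.directive}: expected {f.expected}, observed {f.observed} ({f.rationale})")
```

The point of treating an absent directive as a finding is that assessors compare the system against the documented baseline, not against vendor defaults; a setting that is merely "not wrong" still fails to demonstrate the control. The same pattern extends to any key/value configuration (registry exports, cloud resource policies) once a parser for that format replaces parse_config.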

Remediation of Deficiencies

Pre-assessment typically identifies gaps requiring remediation. Organizations should approach remediation systematically:

  • Prioritization focuses remediation on highest-risk gaps and those required for compliance
  • Quick wins address easily remediated gaps first to build momentum and reduce overall deficiency count
  • Technical remediation implements missing security controls, patches vulnerabilities, and hardens configurations
  • Policy and procedure development addresses documentation gaps
  • Training addresses personnel security and awareness deficiencies
  • Evidence collection creates documentation demonstrating control effectiveness
  • Verification testing confirms remediation was effective
  • Plan of Action and Milestones (POA&M) documents remaining gaps that can't be fully remediated before assessment, explaining interim compensating controls and planned remediation

Organizations should be realistic about what can be accomplished before assessment—attempting to remediate everything simultaneously may result in rushed, ineffective fixes. Focus on most critical gaps and document planned remediation for others.

Preparing Personnel

Assessors will interview personnel at various levels to verify security understanding and control effectiveness. The following preparation activities are recommended:

  • Executive briefing prepares senior management to discuss security program governance, resource allocation, risk management approach, and commitment to security
  • Security personnel training ensures security team can articulate control implementations, explain technical details, demonstrate tools and processes, and answer assessor questions confidently
  • System administrator preparation for personnel managing systems to explain configuration management, patching, monitoring, and incident response
  • End-user training so general personnel can describe security awareness, acceptable use policies, incident reporting, and specified information handling
  • Interview coaching on answering assessor questions honestly and completely without volunteering unnecessary information that might create confusion
  • Practice sessions simulating assessor interviews identify personnel who need additional preparation

Organizations should identify in advance which personnel assessors will interview and ensure they're available during assessment period.

Physical and Technical Readiness

Assessment logistics require preparation. Organizations should ensure the following elements are in place:

  • Facility access for assessors to visit physical locations, access server rooms, and observe physical security controls
  • Workspace providing assessors with private space for interviews, document review, and team coordination
  • System access allowing assessors to examine system configurations, review logs, and observe security tool operation—prepare temporary assessor accounts with appropriate access: read-only wherever possible, time-limited, logged like any other privileged access, and disabled when the assessment ends
  • Tool availability ensuring security tools (SIEM, vulnerability scanners, EDR, etc.) are operational and can demonstrate functionality
  • Network access for assessors to connect to network for testing—secure separate network segment if possible
  • Documentation availability with all required documents organized and accessible, preferably in electronic format
  • Technical demonstration capability to show assessors how controls work rather than just describing them

Organizations should treat assessment period as critical business event requiring dedicated support rather than expecting business-as-usual operations to accommodate assessors.

Evidence Management

Assessors evaluate control effectiveness based on evidence, not just assertions. The following types of evidence are typically evaluated:

  • Documentation (policies, procedures, plans)
  • System configurations (hardening settings, access controls, encryption)
  • Logs and monitoring data (audit logs, SIEM alerts, investigation records)
  • Testing results (vulnerability scans, penetration test reports, control tests)
  • Training records (certificates, rosters, materials)
  • Interview responses (personnel articulation of security practices)
  • Physical observations (assessor verification of physical controls)

Evidence organization with clear mapping between each ITSP.10.171 requirement and supporting evidence simplifies assessor work and demonstrates thoroughness. Evidence accessibility ensures assessors can quickly find what they need without delays.

Evidence quality means evidence clearly demonstrates control effectiveness rather than peripheral materials. Evidence completeness covers all requirements without gaps. Organizations should prepare evidence packages in advance, potentially using compliance management platforms or organized file repositories.

Missing evidence creates an adverse inference that controls don't exist or aren't effective.
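The requirement-to-evidence mapping described above, together with the POA&M entries from the remediation section, can be checked mechanically before the assessor arrives. The following is an added example, not code from the original page or from Plurilock: a crosswalk that maps every requirement to its evidence and classifies each one as covered, stale, insufficient (only peripheral evidence such as a policy where a test record is needed), documented in the POA&M, or missing. The requirement identifiers "CTRL-01" onward are placeholders standing in for real ITSP.10.171 requirement numbers, and the evidence inventory, the 90-day freshness window, and the POA&M entry are all constructed for illustration.

```python
"""Added example (not from the original page): an evidence crosswalk check
for an assessment evidence package.

Everything below is constructed. "CTRL-nn" identifiers are placeholders,
not real ITSP.10.171 requirement numbers; the evidence inventory, the
90-day freshness window and the POA&M entry are illustrative choices.
"""
from datetime import date, timedelta

# Constructed requirements: id -> (text, evidence types that actually
# demonstrate the control rather than merely describe it).
REQUIREMENTS = {
    "CTRL-01": ("Limit system access to authorized users", {"configuration", "log"}),
    "CTRL-02": ("Enforce MFA for privileged accounts", {"configuration"}),
    "CTRL-03": ("Review audit logs on a defined schedule", {"log"}),
    "CTRL-04": ("Test the incident response capability", {"test_record"}),
    "CTRL-05": ("Remediate vulnerabilities within defined timeframes", {"scan_report"}),
    "CTRL-06": ("Maintain baseline configurations", {"configuration"}),
}

# Constructed evidence inventory: what each artifact is, which requirements
# it supports, and when it was produced.
EVIDENCE = [
    {"id": "EV-001", "type": "configuration", "requirements": ["CTRL-01", "CTRL-02"],
     "title": "IdP export showing MFA policy on admin group", "date": date(2025, 5, 2)},
    {"id": "EV-002", "type": "log", "requirements": ["CTRL-03"],
     "title": "SIEM weekly log-review tickets", "date": date(2024, 11, 15)},
    {"id": "EV-003", "type": "policy", "requirements": ["CTRL-04"],
     "title": "Incident response plan v3", "date": date(2025, 4, 20)},
]

# Constructed POA&M: gaps the organization already knows it cannot close
# before the assessment, with the interim compensating control recorded.
POAM = {
    "CTRL-05": {"milestone": date(2025, 9, 30),
                "compensating": "weekly authenticated scans with manual triage"},
}


def crosswalk(requirements, evidence, poam, as_of, max_age_days=90):
    """Map every requirement to its evidence and classify coverage.

    Returns {req_id: {"status": ..., "evidence": [artifact ids]}} where status is
    'covered'      fresh evidence of a demonstrating type exists,
    'stale'        demonstrating evidence exists but is older than max_age_days,
    'insufficient' only peripheral evidence (e.g. a policy where a test is needed),
    'poam'         no evidence, but the gap is documented with a compensating control,
    'missing'      nothing at all, which invites the adverse inference.
    """
    by_req = {req: [] for req in requirements}
    for item in evidence:
        for req in item["requirements"]:
            if req not in by_req:
                raise ValueError(f"{item['id']} cites unknown requirement {req}")
            by_req[req].append(item)

    cutoff = as_of - timedelta(days=max_age_days)
    report = {}
    for req, items in by_req.items():
        needed = requirements[req][1]
        relevant = [i for i in items if i["type"] in needed]
        if any(i["date"] >= cutoff for i in relevant):
            status = "covered"
        elif relevant:
            status = "stale"
        elif items:
            status = "insufficient"
        elif req in poam:
            status = "poam"
        else:
            status = "missing"
        report[req] = {"status": status, "evidence": [i["id"] for i in items]}
    return report


def gaps(report):
    """Requirement ids an assessor would treat as unsupported."""
    return sorted(r for r, v in report.items()
                  if v["status"] in ("stale", "insufficient", "missing"))


if __name__ == "__main__":
    rep = crosswalk(REQUIREMENTS, EVIDENCE, POAM, as_of=date(2025, 6, 1))
    for req, v in rep.items():
        print(f"{req} {v['status']:<12} {', '.join(v['evidence']) or '-'}")
    print("remediate or document before assessment:", gaps(rep))
```

Running it against the constructed inventory flags CTRL-03 (the log-review tickets are too old to show the control is operating now), CTRL-04 (a plan is not evidence of testing) and CTRL-06 (no evidence and no POA&M entry), while CTRL-05 is accepted as a documented gap. Keeping the inventory in a file under version control, with the script run on every change, turns the "evidence completeness" check into something that fails early rather than during assessment week.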

Assessment Week Logistics

External assessments typically involve on-site visits lasting several days to a week. Organizations should plan for the following activities:

  • Schedule coordination ensuring key personnel are available, critical meetings aren't scheduled during assessment, and organizational travel is minimized
  • Daily briefings with assessors to coordinate activities, answer questions, and address issues
  • Point of contact designated to coordinate with assessors, facilitate access, and resolve logistical issues
  • Executive availability for opening and closing briefings even if not needed for daily activities
  • Issue resolution process for rapidly addressing assessor questions or requests for additional evidence
  • Daily debriefs internally to discuss assessment progress, identify emerging issues, and coordinate responses
  • Maintaining business operations since assessment shouldn't completely disrupt normal work—balance accommodation of assessors with operational needs

Organizations should treat assessment professionally and cooperatively—adversarial relationships with assessors typically result in more thorough scrutiny and worse outcomes.

Common Assessment Findings

Understanding typical deficiencies helps organizations prepare. The following are common findings in Level 2 assessments:

  • Incomplete documentation particularly system security plans that don't address all requirements or lack sufficient detail
  • Inconsistent implementations where documented policies don't match actual practices
  • Inadequate logging or monitoring missing critical event types or lacking regular log review
  • Weak access controls including excessive user privileges, shared accounts, or missing multi-factor authentication
  • Poor configuration management with systems not matching baselines or changes lacking security review
  • Insufficient training with personnel unable to articulate security requirements or lacking training records
  • Weak incident response including untested plans, poorly defined procedures, or inadequate capability
  • Inadequate vulnerability management with unpatched systems, slow remediation, or incomplete scanning
  • Poor evidence organization making it difficult for assessors to verify control effectiveness

Organizations should address these common weaknesses during preparation to reduce finding likelihood.

Handling Assessment Findings

Even well-prepared organizations typically receive some findings. The following approach is recommended when addressing findings:

  • Listen carefully to assessor concerns rather than becoming defensive
  • Ask clarifying questions to ensure understanding of finding and what evidence would satisfy concern
  • Provide additional information if assessor misunderstood situation or overlooked evidence
  • Acknowledge valid findings rather than arguing—assessor professional judgment deserves respect
  • Focus on risk and context helping assessors understand whether findings represent significant risks or minor technical issues
  • Propose remediation for findings demonstrating commitment to addressing issues
  • Request appropriate timeframes for remediation recognizing some fixes require significant time or resources
  • Document findings and discussions to ensure accurate understanding

Organizations should approach findings as opportunities for improvement rather than failures—all organizations have security gaps, and assessment helps identify and prioritize remediation.

Learn More

For additional information about Level 2 external assessments and CPCSC requirements, consult the following resources:

Why Choose Plurilock for CPCSC Readiness?

Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers with compliance readiness specialists serving Canadian defense suppliers who bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.

As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.

Why we're the superior choice:

  • First-mover CPCSC expertise: Plurilock was among the first firms to launch dedicated CPCSC readiness services—and among the first to serve clients in this practice—giving your organization a partner with real, accumulated experience preparing suppliers for certification.
  • Deep CMMC heritage: Our established U.S. defense contractor practice has guided organizations through CMMC readiness for years, and those underlying controls map closely to CPCSC—we bring battle-tested methodologies, not theory borrowed from adjacent frameworks.
  • Federal experience on both sides of the border: With extensive engagements across U.S. and Canadian federal government environments, we understand the contractual, technical, and procedural realities that shape defense supply chain compliance.
  • Readiness assessment and gap analysis: We evaluate your current posture against CPCSC requirements, identify control gaps with precision, and deliver clear, prioritized roadmaps that align remediation effort to certification level and contract obligations.
  • Strategy and execution, not just paperwork: Beyond identifying gaps, we help you execute—planning the remediation program, supporting policy and evidence development, and preparing your team and systems so that when the assessor arrives, you're ready.

CPCSC-ready—with proven defense contractor experience guiding every step.

Reach Out Now →

+1 (888) 776-9234 (Plurilock)
+1 (310) 530-8260 (Aurora)
+1 (613) 526-4945 (Integra)

sales@plurilock.com

Schedule a free consultation to plot a course toward CPCSC compliance.
