Assessment Plan


This component allows an auditor and host to come to an understanding of the level of access that an auditor will have, what is off limits, and the process for modifying the scope of the audit when new information arises. [1] [2] This component consists of a process where the auditor collaboratively creates an assessment plan with key members of the organization.

A core tenet of SAFETAG is building agency in organizations to improve their digital security. To that end, collaboratively creating an assessment plan with the organization helps to clarify not only the audit scope (from what sensitive data may be exposed to what systems may be disrupted in the course of the audit) but also reveals the organization's ability to support and respond to the audit findings.


    • Consider the threat landscape of the organization when determining secure communications channels. This may require some pre-agreement work using parts of the Context Research methodology.
    • In addition to the overall mandate to send information encrypted to the organization, also demand encrypted communication back from them. Failure to establish a secure planning channel contributes towards a no-go situation by putting both the auditor and the organization at risk.

Walk Through

    • Develop an agreement signed by both parties outlining the scope of the audit including:
      • The start and end dates of the audit.
      • The location where the on-site audit will take place. [4]
      • The responsibilities of the host staff.
      • The responsibilities of the auditor.
      • The host names and IP ranges of any services run by the organization. [8]
      • Emergency contact information for the organization. [3]
      • The procedure the auditor will follow when handling incidents. [9]
      • The data security standards for evidence handling and communication. [5]
    • Develop and sign a confidentiality and non-disclosure agreement.
    • Share a liability waiver signed by the host organization. [10]
    • Obtain approval from any third parties, if necessary. [7]

    The audit agreement, non-disclosure agreement, and liability waiver may be accomplished through a single document, or they may be separate documents.

    Auditors are encouraged to use, or at least reference, text from the following sources:

    • Sample Text for a Statement of Work and Engagement Agreement in the Confidentiality Agreement Activity.
    • The SAFETAG Agreement Generator, a Python script which provides a decision tree covering the above points and builds a basic, clear-language agreement which can be translated and formalized as needed. Sample outputs and a diagram of the full decision tree are available in the "outputs" folder of the Agreement Generator repository. This replaces the draft agreement previously part of SAFETAG.
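As an added illustration of the Walk Through items above and of the kind of output the Agreement Generator produces, the following Python example is not SAFETAG's own code and does not reproduce the Agreement Generator's decision tree. It captures the agreed scope (dates, location, responsibilities, hostnames and IP ranges, emergency contacts, incident procedure, evidence handling) in a record, checks that the record is complete enough to sign, renders a plain-language summary, and lets the auditor confirm a target is inside the agreed scope before touching it. The class and function names and the sample data (documentation address ranges and example.org hostnames) are constructed for this example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date


# Hypothetical scope record covering the items the Walk Through lists.
@dataclass
class AssessmentScope:
    organization: str
    start: date
    end: date
    location: str
    host_responsibilities: list[str]
    auditor_responsibilities: list[str]
    hostnames: list[str]
    ip_ranges: list[str]            # CIDR notation, as written into the agreement
    emergency_contacts: list[str]
    incident_procedure: str
    evidence_handling: str


def validate_scope(scope: AssessmentScope) -> list[str]:
    """Return the problems that should block signing; an empty list means complete."""
    problems = []
    if scope.end < scope.start:
        problems.append("end date precedes start date")
    for cidr in scope.ip_ranges:
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"unparseable IP range: {cidr!r}")
    if not scope.emergency_contacts:
        problems.append("no emergency contact listed")
    for name, value in (("incident procedure", scope.incident_procedure),
                        ("evidence handling standard", scope.evidence_handling),
                        ("location", scope.location)):
        if not value.strip():
            problems.append(f"{name} is empty")
    return problems


def in_scope(scope: AssessmentScope, target: str) -> bool:
    """True only if target is an agreed hostname or an address inside an agreed range.

    Hostnames match exactly: a subdomain not written into the agreement is out of
    scope until the scope is modified through the agreed change process.
    """
    if target.lower() in (h.lower() for h in scope.hostnames):
        return True
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False            # not an IP address and not a listed hostname
    return any(addr in ipaddress.ip_network(c, strict=False) for c in scope.ip_ranges)


def render_agreement(scope: AssessmentScope) -> str:
    """Plain-language summary of the agreed scope, one line per Walk Through item."""
    lines = [
        f"Assessment agreement with {scope.organization}",
        f"Dates: {scope.start.isoformat()} to {scope.end.isoformat()}",
        f"On-site location: {scope.location}",
        "Host responsibilities: " + "; ".join(scope.host_responsibilities),
        "Auditor responsibilities: " + "; ".join(scope.auditor_responsibilities),
        "In-scope hosts: " + ", ".join(scope.hostnames),
        "In-scope IP ranges: " + ", ".join(scope.ip_ranges),
        "Emergency contacts: " + ", ".join(scope.emergency_contacts),
        f"Incident handling: {scope.incident_procedure}",
        f"Evidence handling: {scope.evidence_handling}",
    ]
    return "\n".join(lines)


# Constructed sample data: documentation address ranges and example.org, not a real engagement.
SAMPLE_SCOPE = AssessmentScope(
    organization="Example Org",
    start=date(2024, 3, 4),
    end=date(2024, 3, 8),
    location="Example Org main office",
    host_responsibilities=["provide a point of contact each day", "approve scope changes in writing"],
    auditor_responsibilities=["test only agreed hosts", "report incidents within one hour"],
    hostnames=["www.example.org", "vpn.example.org"],
    ip_ranges=["192.0.2.0/24", "198.51.100.0/26"],
    emergency_contacts=["ops lead (phone number on file)"],
    incident_procedure="stop testing, notify the emergency contact, record the event",
    evidence_handling="evidence stored encrypted; exchanged only over the agreed secure channel",
)

if __name__ == "__main__":
    print(render_agreement(SAMPLE_SCOPE))
    print("problems:", validate_scope(SAMPLE_SCOPE))
    for target in ("192.0.2.10", "203.0.113.5", "mail.example.org"):
        print(target, "in scope" if in_scope(SAMPLE_SCOPE, target) else "OUT OF SCOPE")
```

The exact-match rule for hostnames is deliberate: a scope agreement is a record of what the host consented to, so anything the record does not name is treated as out of scope and routed through the agreed modification process rather than assumed in.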