A security assessment is a periodic review to see how prepared your organization is for a cybersecurity breach. The assessment helps you check for vulnerabilities in your information technology systems and business processes so you can address them prior to an attack. It also ensures you’re equipped to manage and recover if a breach were to happen.

There are as many ways to conduct a security assessment as there are ways to breach security. This 5-minute guide offers high-level guidelines on the most important elements to include in your security assessment; it is not a complete methodology.

STEP 1: Security Review

A security review identifies security issues, the level of risk and the actions you’ll take to reduce this risk.

The first step is to assemble the team. A security assessment is a group effort and needs leadership from the top to be successful.

The second step is to review existing policies. You should have written guidance on security strategies, data backup arrangements, security update schedules, and credential management. If your industry is governed by regulations that relate to data security or privacy, you’ll need to ensure compliance with these. In reviewing policies, pay attention to what’s missing and what may have changed since they were drafted.

Step three is to inventory all your IT assets, including software and hardware. Don’t forget servers, networks, tablets, printers, IoT devices such as smart thermostats or voice-activated speakers, smartphones, point-of-sale technology, websites and the devices your employees bring from home and use at work.

Next, document all possible threats, the likelihood of them occurring, the potential impact, the priority you place on the threat (we recommend using a numerical scale), what’s already in place to manage the risk and what other actions you could take.

Some areas to consider are:

  • training and education
  • account and password management
  • data protection
  • data loss prevention, detection and recovery
  • disaster recovery
  • mobile device security

Make sure you identify whose responsibility it is to oversee different components of the program.

Some threats may not come from your people or your organization. Don’t forget to note when volunteers, guests, partners or suppliers play a key role in the threat and its prevention, mitigation or recovery.

STEP 2: Security Testing

Security testing helps you find the chinks in your cybersecurity armour so you can fill them.

The first step is to scan your systems for threats. This should be a regularly scheduled task, not just something that gets done when you’re doing a periodic security assessment. An even better approach is to use real-time, automatic scanning software so you don’t have to remember. Even if you have an automatic system, it’s a good idea to perform a manual scan during your security review. That way you can familiarize yourself with the software you have and identify systems that may not be protected.

Second, look for vulnerabilities in your systems. Are you using outdated versions of software? Are your people logging in to accounts with weak passwords? There are helpful tools you can use to identify these vulnerabilities. (Not sure what tools are out there? We’d be happy to help—just contact us.)

Next, survey your employees. Your people are your greatest asset, but when it comes to security, they’re also your greatest risk. Are they engaging in risky behaviour and poor practices? Examples include sharing or writing down passwords and postponing updates on their devices.

Another step is to survey third parties, such as vendors and partners, about their security practices. A security breach may not be the result of what your organization does (or doesn’t do). Ensure that any organization you work closely with meets your security expectations.

Finally, try to break into your systems. You may need to call in an outside resource to assist, but simulating cyber-attacks and social engineering attacks is an important way to reveal where your security is weak (and strong). There are tools available to help you conduct phishing email drills with your employees, for example.


A security assessment isn’t a one-shot deal. Conducting regular security assessments keeps security top of mind for your people and ensures your processes are up to date and able to respond to the latest threats.

If your first assessment feels like a daunting task, there are professional resources to help you. Birmingham Consulting conducts a top-to-bottom security assessment as a standard part of any new client relationship to ensure we understand the business processes and security culture of our clients. Let us coach you through your first assessment, or do it for you!