Assessment Methods: Interview, Examine, Test
In the context of Certified in Governance, Risk and Compliance (CGRC) and the assessment/audit of security and privacy controls, three primary assessment methods are used to evaluate the effectiveness of an organization's controls: Interview, Examine, and Test.

**Interview** involves direct conversations with key personnel, including system owners, administrators, security officers, and other stakeholders responsible for implementing and maintaining security and privacy controls. The purpose is to gather information about how controls are designed, implemented, and operated. Interviews help assessors understand organizational processes, clarify documentation, identify gaps in knowledge or execution, and verify that personnel understand their roles and responsibilities in maintaining the security posture.

**Examine** (also referred to as Examination) focuses on reviewing and analyzing documentation, artifacts, and records related to security and privacy controls. This includes policies, procedures, system security plans, configuration settings, audit logs, network diagrams, and other relevant evidence. The goal is to determine whether controls are properly documented, consistently applied, and aligned with regulatory and organizational requirements. Examination helps assessors verify that the documented framework of controls exists and is adequately maintained.

**Test** involves hands-on evaluation of controls by actively exercising them to determine their operational effectiveness. This includes running vulnerability scans, penetration testing, simulating security incidents, verifying access controls, and validating technical configurations. Testing provides empirical evidence that controls function as intended under real or simulated conditions and can effectively mitigate identified risks.

These three methods are often used in combination to provide a comprehensive assessment. According to NIST SP 800-53A, assessors determine the depth and coverage of each method based on the assurance level required. Together, Interview, Examine, and Test form the foundation of a robust control assessment methodology, ensuring that organizations can identify weaknesses, validate compliance, and continuously improve their security and privacy posture to meet governance, risk, and compliance objectives.
Assessment Methods: Interview, Examine, Test – A Comprehensive Guide
Why Are Assessment Methods Important?
Assessment methods are the cornerstone of evaluating whether security and privacy controls are properly implemented, operating as intended, and producing the desired outcome. Without structured assessment methods, organizations cannot objectively determine the effectiveness of their control environment. In frameworks such as NIST SP 800-53A, these methods are codified to ensure consistency, repeatability, and thoroughness in security and privacy assessments. For professionals pursuing certifications like CGRC (Certified in Governance, Risk, and Compliance), understanding these methods is essential because they form the basis of the assessment and audit process that underpins the Risk Management Framework (RMF).
What Are the Three Assessment Methods?
NIST SP 800-53A defines three distinct assessment methods used to evaluate security and privacy controls:
1. Interview
The interview method involves conducting discussions with individuals or groups within an organization who have roles and responsibilities related to the security or privacy control being assessed. The purpose is to gather information about how controls are implemented, understood, and maintained.
Key characteristics of the Interview method:
- It is a people-focused method — it targets personnel knowledge, understanding, and awareness.
- Interviews help assessors determine whether individuals understand their responsibilities related to specific controls.
- They can reveal gaps between documented policy and actual practice.
- Interview subjects may include system owners, information system security officers (ISSOs), system administrators, developers, and end users.
- Interviews are often used to assess awareness, training, roles, responsibilities, and procedural understanding.
- They are subjective in nature and should be corroborated with other methods when possible.
2. Examine
The examine method involves reviewing, inspecting, observing, studying, or analyzing assessment objects such as documents, mechanisms, activities, and specifications. This is a documentation and artifact-focused method.
Key characteristics of the Examine method:
- Assessment objects include policies, procedures, plans, system security plans (SSPs), configuration settings, architectural diagrams, logs, audit records, and other artifacts.
- The examine method verifies that documentation exists, is current, is complete, and is consistent with established requirements.
- It involves checking that mechanisms (hardware, software, firmware) are configured and operating correctly by reviewing their settings or output.
- Activities can also be examined — for example, observing whether a change management process is being followed.
- This method provides evidence-based assessment data.
- It is useful for verifying compliance with documented policies and standards.
3. Test
The test method involves exercising assessment objects (mechanisms or activities) under specified conditions to compare actual behavior with expected behavior. This is an action-focused method.
Key characteristics of the Test method:
- Testing produces direct, empirical evidence of how a control actually performs.
- It involves actively attempting to use, bypass, or stress a control to determine its effectiveness.
- Examples include penetration testing, vulnerability scanning, running backup restoration procedures, testing incident response plans, or verifying access control enforcement.
- Test results are objective and measurable.
- Testing can be automated or manual.
- It is the most rigorous of the three methods because it validates operational effectiveness, not just design or intent.
How Do the Three Methods Work Together?
In practice, a thorough control assessment typically uses a combination of all three methods to achieve depth and breadth of coverage. NIST SP 800-53A assessment procedures specify which methods to use for each control and provide assessment objectives for each.
Example: Assessing an Access Control Policy (AC-1)
- Interview: Ask the ISSO and system administrators whether they are aware of the access control policy, how it is communicated, and how often it is reviewed.
- Examine: Review the access control policy document to verify it exists, is approved, is current, covers required elements, and is distributed to relevant personnel.
- Test: Attempt to access the system without proper credentials, or test role-based access controls to ensure only authorized users can access specific resources.
The combination of methods provides a comprehensive picture: Interview tells you what people know, Examine tells you what is documented, and Test tells you what actually works.
Assessment Depth and Coverage
Each assessment method can be applied at different levels of depth (rigor) and coverage (scope):
Depth levels:
- Basic: A cursory review or high-level inquiry.
- Focused: A more detailed and targeted assessment.
- Comprehensive: An exhaustive and thorough assessment with maximum rigor.
Coverage levels:
- Basic: A representative sample of assessment objects.
- Focused: A larger, more targeted sample.
- Comprehensive: All or nearly all assessment objects are evaluated.
The appropriate level of depth and coverage is determined by the system's impact level (low, moderate, high) and the organization's risk tolerance.
Key Relationships to Remember
- Interview = People (knowledge, understanding, awareness)
- Examine = Artifacts (documents, mechanisms, configurations, logs)
- Test = Operations (actual performance, behavior under conditions)
All three methods produce findings that are documented in a Security Assessment Report (SAR). Findings identify whether controls are satisfied or other than satisfied, along with any identified weaknesses or deficiencies.
How to Answer Exam Questions on Assessment Methods
Exam questions on this topic typically fall into the following categories:
Category 1: Identification Questions
You will be given a scenario and asked to identify which assessment method is being used.
Tip: Focus on the action being described:
- If someone is talking to people → Interview
- If someone is reviewing documents, configurations, or logs → Examine
- If someone is actively running a scan, simulating an attack, or exercising a process → Test
Category 2: Application Questions
You will be asked which method is most appropriate for a given scenario.
Tip: Think about what you need to learn:
- Need to know if staff understand a policy? → Interview
- Need to verify a policy document exists and is current? → Examine
- Need to know if a firewall rule actually blocks traffic? → Test
Category 3: Comparison Questions
You may be asked how the methods differ or which provides the most objective evidence.
Tip: Remember this hierarchy of objectivity:
- Test provides the most objective, empirical evidence.
- Examine provides documentary evidence that can be verified.
- Interview is the most subjective and should be corroborated.
Category 4: Framework Questions
You may be asked about the source of these methods or how they relate to the RMF.
Tip: The three assessment methods are defined in NIST SP 800-53A (Assessing Security and Privacy Controls). They are used during the Assess step of the RMF. Assessment results are documented in the Security Assessment Report (SAR).
Exam Tips: Answering Questions on Assessment Methods: Interview, Examine, Test
1. Memorize the simple formula:
- Interview = Ask people
- Examine = Look at things
- Test = Try things
2. Watch for keyword triggers in exam questions:
- Words like discuss, inquire, ask, determine understanding → Interview
- Words like review, inspect, observe, analyze, check documentation → Examine
- Words like exercise, simulate, run, validate, verify functionality, penetrate → Test
3. Remember that all three methods are complementary, not competing. A good assessment uses all three. If a question asks which method alone is sufficient, be cautious — the best answer often involves using multiple methods.
4. Know the NIST source: These methods come from NIST SP 800-53A. Do not confuse this with SP 800-53 (the control catalog) or SP 800-37 (the RMF lifecycle).
5. Understand assessment objects:
- Specifications (e.g., policies, procedures, plans, designs) — primarily assessed through Examine
- Mechanisms (e.g., hardware, software, firmware) — assessed through Examine and Test
- Activities (e.g., system operations, administration, management) — assessed through Examine, Test, and Interview
- Individuals (e.g., personnel performing activities) — primarily assessed through Interview
6. Don't overthink scenario questions. The exam is testing whether you can distinguish between the three methods. Focus on the primary action described in the scenario. If a person is reviewing a firewall configuration file, that is Examine. If a person is sending test traffic through a firewall to see if it is blocked, that is Test. If a person is asking the firewall administrator how rules are maintained, that is Interview.
7. For questions about depth and coverage: Higher-impact systems require greater depth (more rigor) and broader coverage (more objects assessed). This directly affects the level of effort for each of the three methods.
8. Remember the output: The results of applying these three assessment methods are documented as findings in the Security Assessment Report (SAR), which informs the authorizing official's risk-based authorization decision.
9. Practice with elimination: On multiple-choice questions, eliminate answers that clearly describe a different method. For example, if the scenario involves running a vulnerability scan, immediately eliminate Interview and Examine — the answer is Test.
10. Context matters: Some activities can span multiple methods. For example, observing someone perform an incident response drill could be Examine (observing an activity) or Test (exercising a procedure). In such cases, look at the question's emphasis: Is it about watching and checking documentation, or about actively validating the procedure works? The nuance often determines the best answer.