Assess

Ask review

Evaluate current state against controls, identify gaps and risks

Hats: 2
Review Agents: 2
Review: Ask
Unit Types: Gap Analysis, Risk Assessment
Inputs: Scope
Dependencies: Scope (control-mapping)

Hat Sequence

1. Auditor

Focus: Evaluate each in-scope control against the current state of systems and processes. Collect evidence, interview stakeholders (via the human), and determine whether controls are met, partially met, or unmet. Be objective and evidence-driven.

Produces: Control assessment findings with determination (met/partial/unmet), supporting evidence references, and specific descriptions of gaps.

Reads: Control mapping from scope stage via the unit's ## References section.

Anti-patterns (RFC 2119):

  • The agent MUST NOT mark controls as met without reviewing actual evidence
  • The agent MUST NOT accept verbal assurances without documentary proof
  • The agent MUST NOT conflate "process exists" with "process is effective"
  • The agent MUST document which specific evidence was reviewed for each determination
  • The agent MUST NOT apply inconsistent standards across similar controls

2. Risk Assessor

Focus: Evaluate the risk exposure from identified gaps. Assign consistent likelihood and impact scores, prioritize gaps by severity, and identify dependencies between risks. Transform raw findings into an actionable risk picture.

Produces: Risk-scored gap report with prioritized findings, risk dependencies, and recommended remediation order.

Reads: Auditor's control assessment findings via the unit's ## References section.

Anti-patterns (RFC 2119):

  • The agent MUST NOT assign risk scores without a consistent methodology
  • The agent MUST NOT treat all gaps as equal severity regardless of data sensitivity or exposure
  • The agent MUST consider cascading risk from interconnected gaps
  • The agent MUST NOT ignore compensating controls that reduce effective risk
  • The agent MUST NOT score risks based on gut feeling rather than evidence of likelihood and impact
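As an added illustration, not code from this page or from the tool it describes, the following Python sketch models the Auditor's evidence rules and the Risk Assessor's scoring together: every in-scope control needs a determination backed by evidence, scores come from one fixed likelihood-by-impact scale, compensating controls lower the effective score, and a gap resting on another unmet control inherits cascading risk. The 1-5 scales, the two-point compensating-control offset, the one-point cascade increment and the findings themselves are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Fixed scales so every gap is scored with the same methodology (assumed 1-5 bands).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Finding:
    control_id: str
    determination: str                      # met / partial / unmet
    evidence: list                          # references to the artefacts actually reviewed
    likelihood: str = "rare"
    impact: str = "negligible"
    compensating: list = field(default_factory=list)   # compensating controls in place
    depends_on: list = field(default_factory=list)     # other controls this one relies on

def validate(findings, in_scope):
    """Auditor rules: every in-scope control assessed, no determination without evidence."""
    assessed = {f.control_id for f in findings}
    errors = [f"{cid}: not assessed" for cid in in_scope if cid not in assessed]
    for f in findings:
        if f.determination not in ("met", "partial", "unmet"):
            errors.append(f"{f.control_id}: invalid determination {f.determination!r}")
        if not f.evidence:
            errors.append(f"{f.control_id}: no evidence reviewed")
    return errors

def effective_score(f, by_id):
    """likelihood x impact, lowered by compensating controls, raised by cascading gaps."""
    raw = LIKELIHOOD[f.likelihood] * IMPACT[f.impact]
    raw -= 2 * len(f.compensating)           # assumption: each compensating control offsets 2 points
    for dep in f.depends_on:                 # a gap resting on another unmet control cascades
        if dep in by_id and by_id[dep].determination != "met":
            raw += 1
    return max(1, min(raw, 25))

def rank_gaps(findings):
    by_id = {f.control_id: f for f in findings}
    gaps = [f for f in findings if f.determination != "met"]   # met controls are not gaps
    return sorted(((f.control_id, effective_score(f, by_id)) for f in gaps),
                  key=lambda item: (-item[1], item[0]))      # highest risk first, stable by id

IN_SCOPE = ["AC-2", "AC-6", "AU-2", "AU-6", "CM-6"]   # constructed sample, not a real assessment
SAMPLE = [
    Finding("AC-2", "unmet", ["ticket-export.csv"], "likely", "major"),
    Finding("AC-6", "partial", ["iam-policy.json"], "possible", "moderate", ["MFA on admin accounts"], ["AC-2"]),
    Finding("AU-2", "met", ["logging-config.yaml"]),
    Finding("AU-6", "unmet", []),            # determination without evidence: flagged by validate()
]
```

Running `validate(SAMPLE, IN_SCOPE)` reports the unassessed CM-6 and the evidence-free AU-6 before any ranking is trusted.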

Review Agents

Accuracy

Mandate: The agent MUST verify assessment findings accurately reflect the current state.

Check:

  • The agent MUST verify that evidence cited is current, not stale or from a previous assessment cycle
  • The agent MUST verify that control effectiveness ratings match the evidence presented
  • The agent MUST verify that compensating controls are not conflated with primary controls
  • The agent MUST verify that inherited controls are correctly attributed to the responsible party

Thoroughness

Mandate: The agent MUST verify the assessment covers all controls with adequate evidence.

Check:

  • The agent MUST verify that every in-scope control has been evaluated, not just the easy ones
  • The agent MUST verify that gap identification is based on evidence, not assumptions
  • The agent MUST verify that risk ratings are justified with specific findings
  • The agent MUST verify that no material gaps are minimized or classified below their actual severity

Criteria Guidance

Good criteria examples:

  • "Gap analysis evaluates every in-scope control with current implementation status (met/partial/unmet) and supporting evidence"
  • "Risk assessment assigns likelihood and impact scores to each gap using a consistent methodology"
  • "Assessment documents the specific evidence reviewed for each control determination"

Bad criteria examples:

  • "Gaps are identified"
  • "Risks are assessed"
  • "Assessment is thorough"

Completion Signal (RFC 2119)

Gap report MUST exist covering every in-scope control with a determination (met, partially met, or unmet) backed by specific evidence. Risk assessment ranks all gaps by severity using consistent scoring. Each gap MUST have a clear description of what is missing and what would constitute remediation. No controls are left unassessed.