Glossary

assessment method

An assessment method is a defined approach for evaluating controls, systems, or processes, such as testing, examination, or interviews, to determine their performance or effectiveness.

An assessment method is a defined approach used to evaluate how well a control, system, process, or organization is performing against specified criteria or requirements. In regulated industrial and manufacturing environments, assessment methods provide structure for demonstrating that security, quality, safety, or compliance controls are implemented and operating as intended.

Assessment methods are typically documented in procedures, standards, or frameworks and describe what will be checked, how it will be checked, and what evidence is needed. They can be applied to technical controls (for example, network access restrictions), procedural controls (for example, change control workflows), or operational processes (for example, batch record review).

Common types of assessment methods

In control and compliance assessments, several method types are commonly referenced:

  • Testing (or technical testing): Actively exercising a control or system to observe behavior and outcomes, such as trying to log in with invalid credentials or executing a backup and restore to verify it works as specified.
  • Examination (or document/record review): Reviewing documented information, such as procedures, system configurations, logs, or quality records, to verify that requirements are defined and evidence of execution exists.
  • Interviews: Speaking with personnel to understand how a control or process is carried out in practice and to confirm alignment with documented procedures.
  • Observation: Watching activities on the shop floor or in a control room to see how tasks are actually performed and whether controls are followed.

Standards and frameworks, including cybersecurity and quality frameworks, often specify preferred assessment methods for different categories of controls. For example, a procedural control may rely more on interviews and examination, while an automated technical control may rely more on testing.

Use in industrial and manufacturing environments

In manufacturing operations, assessment methods are commonly applied to:

  • OT and IT security controls, such as user access management on control systems, patch and configuration management, or network segmentation.
  • Quality and process controls, such as adherence to standard operating procedures, batch release workflows, calibration and maintenance processes, and electronic record management.
  • MES/ERP and integration controls, such as validation of data interfaces, audit trails, and role-based permissions across interconnected systems.
  • Safety and risk controls, such as lockout/tagout procedures, alarm management practices, or safety interlocks.

In these settings, assessment methods must often be tailored to legacy equipment, mixed levels of automation, and existing validation or qualification practices. The same high-level method type (for example, testing) may be implemented differently on a modern, fully automated line versus a brownfield line with older controls and manual steps.

Relation to NIST SP 800-53A and similar frameworks

Frameworks like NIST SP 800-53A describe standardized assessment methods and procedures for evaluating security and privacy controls. In that context, “assessment method” refers to the structured use of testing, examination, and interviews to determine whether a control is implemented, operating as intended, and producing required evidence.

In industrial environments, these methods are often used as reference models. Organizations typically adapt them to integrate with manufacturing constraints, existing system architectures, and sector-specific validation or qualification requirements.

Common confusion

  • Assessment method vs. assessment procedure: The method is the type or approach (for example, testing or examination), while the procedure is the detailed, step-by-step description of how the method is executed for a specific control or process.
  • Assessment method vs. audit: An audit is a formal event or program that uses one or more assessment methods. The methods themselves (testing, examination, interviews, observation) can also be applied outside of formal audits, such as during internal reviews or continuous monitoring.
