Types of Assessments

What is the difference between self-assessments, third-party assessments, third-party certifications, reports, and audit results?


An internal evaluation of an organization's compliance with applicable laws, regulations, and policies. It is typically conducted by the organization's own staff by scheduling regular internal audits.

Third-party assessments

A review of an organization's compliance conducted by an external third party, such as a consulting firm or a certification body.

  • Security Assessments
  • Privacy Impact Assessments (PIA)
  • Threat Risk Assessments (TRA)

Third-party certifications

Issued by a certification body after a successful third-party assessment. The certification typically attests to an organization's compliance with a specific standard or regulation. You can often look these up based on the certification body to verify.

  • Cyber Essentials Plus is the highest level of certification offered under the Cyber Essentials scheme.


A document containing the results of a self-assessment, third-party assessment, or third-party certification process. It may also include recommendations for improving compliance and/or corrective actions taken.

  • SOC 2 Type 2 report

Audit results

Audits are done to verify and assess an organization's compliance with laws, regulations, and policies. Audits may be conducted internally by the organization's own staff or externally by a third-party auditor. Depending on the type of audit, the auditor may be an independent third party or a certification body.

  • The Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) is responsible for enforcing HIPAA and other privacy and security laws