This document discusses IT security assessments. It defines assessments and common assessment types, such as vulnerability assessments and penetration tests. It outlines the assessment lifecycle: planning, information gathering, assessments of business processes and technology, risk analysis, and reporting. It covers how to determine assessment scope and identify tools, techniques for various types of assessments, legal considerations, and post-assessment activities. The goal of assessments is to provide assurance and make risk-based security decisions.