Traditionally, assurance has been associated only with IT products and systems composed of hardware or software and referred to as “product assurance” or “system assurance.” It is now recognised that to address a wider range of risks, there is a need for assurance of other security objectives such as a security service, process, personnel, organisation or other environmental factors.
Assurance may be sought by the stakeholders of IT systems who have assets at risk in those systems. Therefore, the choice of an acceptable assurance method and level of assurance may be required and/or influenced by those stakeholders. No two organisations are alike, meaning there is no standard template to follow. You have to understand the business needs of your organisation, define and map security requirements to those business needs, collect relevant metrics, and measure your success.