It is recognized that organizations can specify, document, and configure their information systems in a variety of ways, and that the content and applicability of existing assessment evidence will vary. This may result in the need to apply a variety of assessment methods to various assessment objects to generate the assessment evidence needed to determine whether the security or privacy controls are effective in their application. Therefore, the assessment methods and objects provided with each assessment procedure are termed potential to reflect the need to be able to choose the methods and objects most appropriate for a specific assessment. The assessment methods and objects chosen are those deemed as necessary to produce the evidence needed to make the determinations described in the determination statements. The potential methods and objects in the assessment procedure are provided as a resource to assist in the selection of appropriate methods and objects, and not with the intent to limit the selection.
Organizations use their judgment in selecting from the potential assessment methods and the list of assessment objects associated with each selected method. Organizations select those methods and objects that most cost-effectively contribute to making the determinations associated with the assessment objective. The measure of the quality of assessment results is based on the soundness of the rationale provided, not on the specific set of methods and objects applied. In most cases, it will not be necessary to apply every assessment method to every assessment object to obtain the desired assessment results, and for certain assessments it may be appropriate to employ a method not currently listed in the set of potential methods.