Merge pull request #231 from owaspsamm/assessment-guide-minor-fix
Fixes #230
SebaDele authored May 8, 2024
2 parents 24bbbdf + 9b2922d commit 7f6c3d2
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion content/en/assessment-guide.md
@@ -37,7 +37,9 @@ You can also run an expert assessment by inviting either an independent internal

A questionnaire-based assessment requires one or multiple stakeholders to go through the list of 90 questions. This can be perceived as overwhelming. There is also some room for interpretation in the assessment questions. Hence answers across the different teams in your organizations might be inconsistent. The goal of SAMM is to know where you are in order to set up the right improvement roadmap. However if you cannot measure precisely, your improvement strategy may not be optimal, especially for improvements that involve multiple teams. Moreover, large questionnaires may lead to questionnaire-fatigue. Teams might be refusing or reluctant to provide answers or give their time and the necessary attention required.
After an initial SAMM assessment for a given scope, the questionnaire-based approach is suitable for updating the SAMM scores. The stakeholder responsible for this should have gained sufficient understanding of the model specifics to be able to do that. Furthermore, the number of practices that need a score update is likely to be limited.
Interview-based assessment

## Interview-based assessment

Interviews are a good alternative for questionnaires, since having a conversation can be more appealing than a list of questions. The interviewer can explain the questions, explain the criteria and ask follow-up questions to gain better understanding or to double check answers.
Also, in an interview you can invite people to ‘open up’ or pick up on certain non-verbal signs regarding a specific topic. These things help to identify issues that are useful for the assessment, but also very useful in case the assessment is followed by recommendations to improve. We would recommend adding the interviewer's observations next to each SAMM stream. These notes serve as a documentation of existing security practices within the assessment scope. They can also be helpful when validating the interview with the stakeholders (see the next section). Here are some examples of such observations:
- All employees (even those not involved in SDLC) are required to complete basic SDLC training. The training includes various public and internal courses. The list of courses is expanded regularly.
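Review bot: confirm that `##` is the level used for the other assessment-type headings in content/en/assessment-guide.md (the sibling headings are outside this hunk) so that the restored `## Interview-based assessment` heading sits correctly in the document outline; the blank lines added on either side are the right fix for a heading that was otherwise rendering as plain text. While this region is being touched, the unchanged context above the heading has small wording issues worth a follow-up commit: "in your organizations" should read "in your organization", "However if you cannot measure precisely" needs a comma after "However", and "questionnaire-fatigue" does not need the hyphen.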