Understanding the Steps Included in Performing an IT Health Assessment


Although some of us don’t like to admit it, organizational IT checkups can be almost as important as a physical health checkup. In a business sense, IT health assessments can help identify present weaknesses before they become future disasters. Let’s take a deeper look into how they can specifically help your organization.

What is an IT health assessment?

An IT health assessment is a group of targeted evaluations. These tests seek out problems and provide actionable insights into fixing them, preventing further security issues down the road.

A third-party service provider can both help conduct the assessment and can also help you roadmap improvements. Depending on your internal IT departmental bandwidth, the provider may also take on some of the remediation and ongoing maintenance tasks to allow your team to focus on furthering business objectives.

What are the steps of an IT health assessment?

Before diving in, it’s essential to know a couple of things: the extent of the project scope, how the provider will conduct the tests, and what to do with the results.

Here is a step-by-step breakdown of what to expect:

Step 1: Understand your “whys” for doing the assessment.

The primary reason businesses request an assessment is to identify issues within their environment. Aside from the short-term benefits of risk assessment and improved security, it also has longer-term benefits like freeing up your resources. Instead of spending all their time on firefighting, for example, your IT department may be able to pursue an e-commerce initiative that leads to a massive increase in revenue.

For startups and newer companies, IT assessments establish a baseline metric for system health. Having this benchmark in the future makes it much easier to identify problems and implement improvements.

Depending on the industry, some organizations may be required to have an IT assessment as part of their regulatory compliance responsibilities. Typically, the evaluation will precede an audit to ensure all systems are functioning correctly.

Finally, examining an unplanned outage or security event can help you determine the amount and type of damage and how to prevent a repeat in the future.

Step 2: Decide who will do the assessment.

Unless otherwise prohibited by regulation, it is entirely possible to conduct a health assessment in-house. In general, however, you will receive more detailed and unbiased results through a neutral third-party service provider. Not only will the service provider have the resources and expertise to conduct the assessment, but they will also have a fresh perspective when it comes to finding weaknesses.

It’s essential to do your due diligence before deciding on an assessment provider, so you get the most return on your investment. First, look for a partner, not a vendor. You will be inviting this team to look under the hood at your organization’s most sensitive applications, systems, and infrastructure, so it’s crucial to have a high level of trust that extends beyond the contract.

The provider also needs to understand your business and your goals. Without this, they won’t be as effective at identifying pain points and offering actionable recommendations to further your business goals. Instead, they may provide advice that suits their preferences and not yours.

Be sure you know the quality of the work before signing on. Don’t be afraid to ask for examples of previous assessments and references. If they can’t or won’t provide any, find someone who will. Great providers are proud of their reputation within the industry and are happy to give examples of their work.

Step 3: Define the scope of the assessment.

Thoroughness is critical in an IT health assessment. Failure to review and evaluate all business-critical systems and applications will leave weaknesses and gaps that malicious users will be happy to exploit. Also, not having clear boundaries can lead to “scope creep,” which can have serious legal ramifications.

Before the assessment starts, meet with your internal teams to identify all systems, applications, and dependencies that the provider should examine. Be sure to include remote devices and assets that access and utilize company IT resources.

Then, sit with the service provider to define what the assessment will cover, how they will conduct their tests, and how they will deliver your results.

Step 4: Know your goals for the assessment.

Although your goals may evolve during the assessment, it’s essential to have an initial plan so the assessment team can provide the correct data.

For example, you may want data to support a move to the cloud, identify the root cause of a slow application, or locate security holes to reduce your attack surface. Knowing the overarching goal for the assessment and what you plan to do with the results will help the team conduct their examination more efficiently.

Step 5: Conduct the assessment.

It’s time to get the ball rolling. Here are some of the more common areas and technologies assessment teams examine and where they will focus their attention.

Management and staffing

  • What does the IT team do, and who is in charge of what?

  • Is the help team readily available?
  • Is the help team helpful?

  • Endpoints and devices
  • Passwords and policies
  • Firewall assessment
  • Antivirus configurations

  • Virtualization
  • CPU/RAM and storage capacity
  • Asset lifecycle status
  • Network configuration

  • Ability to support current and future workloads
  • Wireless surveys
  • Device asset management
  • Asset lifecycle
  • WAN and LAN
  • Voice over Internet Protocol (VoIP) readiness
  • Routing and switching

Disaster recovery

  • Backups and data protection strategy
  • Disaster recovery plan
  • Business continuity plan

  • Configuration
  • Encryption

  • Secure remote access
  • Full inventory of connected devices
  • Encryption
  • Updates and patches current

  • Security awareness
  • Phishing test

An IT health assessment is a critical tool for establishing a rock-solid IT infrastructure that supports high-performing, secure applications and systems. IT assessments provide the knowledge and actionable feedback you need to build, maintain, and manage IT functions and protect against data loss and cyber threats. For a more in-depth look at the benefits of IT health assessments, visit Understanding IT Assessments.
