What is a security assessment report (SAR)?

Multiple Choice

What is a security assessment report (SAR)?

Explanation:
A security assessment report communicates the outcomes of the security assessment. It captures what was evaluated, the findings, and the risk context, and it typically includes a summary of the activities conducted by the certifying agent, along with recommended corrective actions. It may also contain the completed system reporting form, providing evidence and system details that support the assessment. This makes the SAR a comprehensive, action-oriented document used to guide remediation and authorization decisions.

It's not just a plan for handling incidents, which is a separate document focused on detecting and responding to security events. It’s more than a simple list of vulnerabilities, because it adds context, risk ratings, and concrete corrective actions. And it’s not a security policy, which states management’s security objectives and rules rather than reporting assessment results.
