FISMA Certification and Accreditation Handbook

A self-assessment is a high-level, 30,000-foot type of security audit. The survey should be designed to cover a broad range of requirements related to the management, technical, and operational controls of the information system. It's often the case that a particular survey question could fall into more than one of these three categories. Don't spend a long time deliberating which category each question should go in. Pick whatever category seems appropriate for the particular information systems that are up for C&A and simply put the survey question there. It's more important to ask the right questions and discover the honest answers than to figure out which category of the survey a question belongs in.