The paper is devoted to the computer security assessment of instrumentation and control systems (I&C systems) of nuclear power plants (NPPs). The authors specify the main areas of assessing the computer security of NPP I&C systems, in particular the assessment of cyber threats, of I&C computer security vulnerabilities, of the sufficiency of applied measures for ensuring I&C computer security, and of I&C computer security risks, as well as periodic reassessment of I&C computer security. The paper considers the assessment of I&C computer security vulnerabilities and of the sufficiency of applied measures for ensuring I&C computer security (the assessment of cyber threats and of I&C computer security risks is discussed in detail in other publications from the series “Computer Security of NPP Instrumentation and Control Systems”).
Approaches to assessing the computer security vulnerabilities of I&C systems and software at each stage of the I&C life cycle are considered. Recommendations are provided for assessing vulnerabilities regarding technical and software protection against unauthorized access or connection to I&C systems, protection of local networks, and implementation of organizational measures and procedures for computer security.
 The paper describes the scope and procedures for the initial assessment and periodic reassessment of NPP I&C computer security. Recommendations for the formation of an appropriate evaluation team are provided. Methods of assessing I&C computer security are considered, namely: analysis of documents (computer security policy, program, plan, reports, etc.), survey of staff (administrative, operational, service and computer security experts), direct review of I&C systems, their components and local networks. The evaluation stages (collection of information, detailed analysis, reporting) and the scope of work at each stage are described.
 General information about the possibility and necessity of assessing the computer security risks of I&C systems in the case of using risk-informed approaches is provided.
 The need to document the results of the assessment is noted separately and specific proposals about the procedure for developing relevant reports are made.