Infosec and Cyber Security Badge

Powered by iConfidential


This article can be used as a guide to help you complete the assessment as accurately as possible and to understand the reason and method behind the questions within it.

The questions used within the assessment are listed below, each with a description of what the question is trying to assess, to help you understand how best to answer it.

Question

Description

Has a senior management Security Governance Forum been established for the organisation that has representatives from all business units and defined roles and responsibilities?

This question assesses whether a high-level governance body responsible for overseeing the organisation's security strategies and policies has been formed. The governance forum typically includes senior management members and focuses on strategic decisions related to information security.

Does the organisation have an information security strategy that is updated annually and used to inform security investment decisions?

This question examines whether the organisation has a formal information security strategy that is regularly reviewed and updated. An effective strategy should align with business objectives, consider emerging threats, and guide decisions on where to allocate resources for security improvements.

Does the organisation have an information risk assessment methodology covering scoping, impact assessment, threat profiling, vulnerability assessment, risk evaluation and treatment?

This question evaluates whether the organisation has an established information risk management framework. The framework should include processes for identifying, assessing, and mitigating risks to information systems and assets.

Are activities established to document and maintain an Information Security threat profile for the organisation?

This question assesses whether the organisation has formal processes in place to document and regularly update its Information Security threat profile. A threat profile identifies potential risks and vulnerabilities that could impact the organisation, ensuring that security measures are tailored to the evolving threat landscape.

Has a specialist information security function been established, which is led by a sufficiently senior manager, such as a Chief Information Security Officer (CISO)?

This question investigates whether the organisation has a specialist information security function led by a sufficiently senior manager. A dedicated team or function ensures that security is continuously managed and that policies and procedures are consistently followed.

Have the roles and responsibilities relating to information security been clearly defined for the wider workforce?

This question evaluates whether the organisation has clearly defined and communicated information security roles and responsibilities across all levels of the workforce. Properly defined roles ensure that every employee understands their security obligations, which helps in creating a shared responsibility for maintaining the organisation’s security posture.

Do you have fully developed information security policy and standards which have been communicated to all individuals with access to the organisation's systems and data?

This question checks whether the organisation has a fully developed information security policy, with supporting standards, that has been approved by senior management and communicated to everyone with access to its systems and data. The policy sets out the organisation's commitment to safeguarding its information assets and defines roles and responsibilities for security.

Is there an Information Security awareness programme established and directed to all users who have access to the organisation's information and IT systems?

This question examines whether the organisation has implemented a formal Information Security awareness programme aimed at educating all users who have access to its information and IT systems. The programme should cover essential security practices, threat awareness, and policies to help users protect the organisation’s assets and data.

Where individuals work remotely or use 'employee owned' devices, are they supported by the organisation in protecting those devices and any information they handle against loss, theft or cyber attack?

This question evaluates whether the organisation provides support and resources to employees who work remotely or use their own devices (BYOD) to ensure that those devices, as well as the information they handle, are protected against loss, theft, or cyber attack. Support may include policies, tools, and guidance on securing personal devices.

Are background verification checks carried out on all candidates, including contractors and third party users prior to employment?

This question assesses whether the organisation conducts thorough background verification checks on all prospective employees, contractors, and third-party users before they are hired or granted access to the organisation's information systems. These checks may include identity verification, criminal history, employment history, and reference checks to ensure the integrity and trustworthiness of individuals.

Do you have an information classification scheme and is it supported by information handling guidelines which help protect against corruption, loss and unauthorised disclosure of the information?

This question examines whether the organisation has implemented an information classification scheme that categorises information based on its sensitivity and importance. It also assesses whether guidelines for handling, storing, and transmitting information are in place to protect against data corruption, loss, or unauthorised disclosure.

Do you have a Data Privacy Officer (DPO) who is responsible for information privacy across the organisation, and is that person of sufficient seniority to ensure that all supporting activities associated with data privacy, including privacy impact assessments, are carried out, as well as ensuring the protection of personally identifiable information?

This question assesses whether the organisation has appointed a Data Privacy Officer (DPO) with sufficient authority and expertise to manage data privacy obligations. The DPO should ensure compliance with data protection regulations, carry out privacy impact assessments, and protect personally identifiable information (PII) throughout the organisation.

Is an IT asset inventory established and maintained?

This question evaluates whether the organisation has implemented and maintains an up-to-date inventory of all IT assets, including hardware, software, and network devices. An IT asset inventory provides visibility into the assets in use, helping to manage and secure them effectively.

Does the organisation ensure information security requirements are applied to assets throughout their lifecycle (acquisition, configuration, maintenance and disposal)?

This question examines whether the organisation applies security measures to its IT assets at every stage of their lifecycle, from acquisition to disposal. This includes ensuring that assets are securely configured, maintained, and disposed of to prevent unauthorised access or data breaches.

Have mobile devices with access to company information been protected against unauthorised disclosure, loss and theft?

This question examines whether mobile devices that can access company information are protected against unauthorised disclosure, loss and theft. Typical controls include device encryption, enforced screen locks, remote wipe and mobile device management (MDM), so that company data remains confidential if a device is lost or stolen.

Are all the business applications developed in accordance with an approved system development lifecycle?

This question evaluates whether the organisation uses a formal, approved system development lifecycle (SDLC) for developing its business applications. A well-defined SDLC ensures that security, performance, and compliance requirements are considered at every stage, from planning and design to development and deployment.

Does the development process include applying good industry practice including information security during each stage of the lifecycle?

This question examines whether the organisation follows industry best practices, including security measures, during each phase of the system development lifecycle (SDLC). Adhering to best practices ensures that security risks are addressed early and consistently throughout the development process.

Is outsourced software development managed to the level required by the organisation's development lifecycle standards?

This question assesses whether outsourced software development projects are held to the same standards as internal development efforts, following the organisation's established system development lifecycle (SDLC) practices. It ensures that external vendors meet the organisation’s security, quality, and compliance requirements.

Is regular penetration testing of services conducted to identify application and infrastructure weaknesses?

This question examines whether the organisation conducts regular penetration testing of its applications and infrastructure to identify vulnerabilities. Penetration testing simulates real-world attacks, helping to uncover weaknesses in systems that could be exploited by malicious actors.

Do you have a software solution in place to analyse software source code for errors and unspecified functionality?

This question evaluates whether the organisation has implemented a software tool that automatically analyses the source code of applications for errors, vulnerabilities, and unspecified functionality. Such tools, often referred to as static code analysis tools, help developers detect coding issues early in the development process.

Do you have a software solution in place to scan web applications for security weaknesses?

This question determines whether the organisation has deployed a software solution to automatically scan web applications for security vulnerabilities. These tools help identify common security issues like cross-site scripting (XSS), SQL injection, and misconfigurations that could be exploited by attackers.

Is there a secure development environment established for all phases of the system development lifecycle?

This question assesses whether the organisation has established a secure development environment that applies to all phases of the system development lifecycle (SDLC), from initial design through to deployment and maintenance. A secure environment includes controlled access, proper coding practices, and security checks at every stage.

Is access to the environment and data restricted to authorised individuals based on role and limited to least privilege?

This question evaluates whether the organisation enforces access controls that limit access to systems and data based on the roles and responsibilities of individuals. The principle of least privilege ensures that users are granted the minimum level of access necessary to perform their duties, reducing the risk of unauthorised access and data breaches.

Is the allocation and use of IT privileged access accounts restricted and controlled?

This question examines whether the organisation has strict controls over the allocation and usage of privileged access accounts. Privileged accounts, such as admin accounts, provide elevated access to critical systems and data, and therefore must be carefully managed to prevent misuse or security breaches.

Does the organisation have multi-factor authentication in place for all high risk privileged account access?

This question examines whether multi-factor authentication (MFA) is enforced for all high-risk privileged account access, such as administrative access to critical systems. MFA adds an extra layer of security by requiring users to provide additional verification beyond just a password, so a stolen or guessed password alone is not enough to use a privileged account.

Are user access entitlements actively reviewed at intervals based on the criticality of the system and the risk appetite of the owner?

This question assesses whether the organisation periodically reviews user access entitlements to ensure that access permissions remain appropriate. The frequency of these reviews should be based on the criticality of the systems and the organisation's risk appetite. Regular reviews help ensure that access rights are kept up to date and aligned with job responsibilities, minimising the risk of unauthorised access.

Is system security supported by performing regular backups and tested restores?

This question evaluates whether the organisation has implemented a regular backup process and performs tests to ensure that data can be successfully restored when needed. Regular backups protect the organisation against data loss from cyber attacks, system failures, or accidental deletions, while testing restores ensures that backups are functional and reliable.

Do you understand the data that is important for the delivery of essential services?

This question assesses whether the organisation has identified and understands the critical data required for delivering its essential services. Knowing which data is vital allows the organisation to prioritise its protection and ensure that it is readily available, secure, and properly managed to maintain business continuity and operational effectiveness.

Does the organisation have a solution in place to protect sensitive organisational information stored on mobile devices?

This question evaluates whether the organisation has implemented security solutions to protect sensitive information stored on mobile devices such as smartphones, tablets, and laptops. These solutions may include encryption, remote wipe capabilities, and mobile device management (MDM) to secure data in the event of loss, theft, or unauthorised access.

Is there a solution in place to monitor and control outbound traffic for potential information leakage?

This question assesses whether the organisation has implemented a solution to monitor and control outbound network traffic to detect and prevent information leakage. Such solutions, often part of Data Loss Prevention (DLP) systems, are designed to identify and block unauthorised or suspicious attempts to send sensitive data outside the organisation.

Is there a solution in place to prevent internal users from browsing untrusted or unacceptable Internet sites?

This question examines whether the organisation has implemented a solution, such as web filtering or proxy services, to prevent internal users from accessing untrusted or inappropriate websites. These solutions help protect the organisation from security risks, such as malware infections or data breaches, that could occur from visiting compromised or malicious sites.

Are organisational networks designed to segregate groups of services, applications and users (for example through the use of DMZs, secure card data environments, datacentre networks and so on)?

This question evaluates whether the organisation’s networks are segmented to isolate different services, applications, and user groups. Network segmentation, including techniques such as using Demilitarised Zones (DMZs) and secure environments for sensitive data, enhances security by limiting access between different parts of the network and reducing the potential impact of a security breach.

Are solutions in place to monitor and detect potential intrusion on network interfaces to untrusted networks?

This question assesses whether the organisation has implemented intrusion detection and monitoring solutions on network interfaces connected to untrusted networks. These solutions help identify suspicious activity or unauthorised access attempts, allowing the organisation to respond promptly to potential security threats.

Is the capability of internal systems and users to connect to untrusted networks restricted by proxy servers, routing and firewall rules?

This question evaluates whether the organisation has implemented restrictions that control internal systems and user access to untrusted networks, such as the public internet. By using proxy servers, routing policies, and firewall rules, the organisation can limit and monitor outbound connections, reducing exposure to external threats.

Are technical solutions in place to mitigate the risk of denial of service attack to critical services?

This question examines whether the organisation has implemented technical measures to protect its critical services from Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These attacks aim to overwhelm a service with traffic, rendering it unavailable. Mitigation strategies include traffic filtering, rate limiting, and DDoS protection services.

Are all Third Party Suppliers profiled to determine their criticality from a risk perspective?

This question assesses whether the organisation profiles its third-party suppliers to determine their level of criticality from a risk management perspective. Profiling includes evaluating the supplier's role, the sensitivity of the data they handle, and their potential impact on the organisation’s operations. This helps prioritise security controls and monitoring efforts based on the supplier’s risk level.

Are information security requirements included in contractual agreements with Third Party Suppliers and reviewed on a periodic basis?

This question evaluates whether the organisation includes specific information security requirements in its contracts with third-party suppliers. These requirements ensure that suppliers adhere to the organisation’s security policies and protect sensitive data. The contracts should also be reviewed periodically to ensure continued compliance with evolving security standards and regulations.

Are reviews of new and existing Third-Party Suppliers carried out at defined intervals and based on their criticality?

This question assesses whether the organisation conducts regular reviews of its third-party suppliers, both new and existing, based on their criticality. These reviews help ensure that suppliers continue to meet the organisation’s security requirements and that any changes in risk are addressed promptly.

Is the management of cryptographic assets established including having an inventory of keys and certificates?

This question examines whether the organisation has implemented a formal process for managing its cryptographic assets, such as encryption keys and digital certificates. This includes maintaining an inventory of all keys and certificates, ensuring they are securely stored, rotated regularly, and revoked when no longer needed.

Are software solutions and established activities in place to detect, prevent and recover from malware on platforms and end-points?

This question assesses whether the organisation has implemented software solutions and established procedures to detect, prevent, and recover from malware infections on its platforms and endpoints. These solutions may include anti-malware software, endpoint detection and response (EDR) systems, and regular security updates.

Is there a set of standard secure build images for operational platforms that is maintained and stored in a controlled environment?

This question evaluates whether the organisation has developed and maintains a set of standard, secure build images for its operational platforms. These images are pre-configured with security best practices, reducing the risk of vulnerabilities, and are stored in a controlled environment to ensure integrity and consistency across deployments.

Is an activity established to check information systems for compliance with industry best practice secure build standards?

This question examines whether the organisation has processes in place to regularly assess its information systems for compliance with industry best practice secure build standards. This includes evaluating systems to ensure they adhere to recognised security configurations and guidelines, such as the CIS (Center for Internet Security) Benchmarks or NIST guidance.

Do you carry out any Threat Management activities?

This question examines whether the organisation actively conducts threat management activities, including identifying, assessing, and mitigating potential threats to its information systems. Threat management involves continuous monitoring, intelligence gathering, vulnerability assessments, and implementing appropriate countermeasures to minimise risks.

Is there a software solution in place to scan operational systems for software vulnerabilities?

This question evaluates whether the organisation uses a software solution to regularly scan its operational systems for software vulnerabilities. Such tools help identify potential security weaknesses in software and configurations, ensuring that these vulnerabilities are addressed before they can be exploited by malicious actors.

Are identified vulnerabilities prioritised and remediated across your system estate?

This question assesses whether the organisation has a process in place to prioritise and remediate identified vulnerabilities across its system estate. Vulnerabilities should be assessed based on their severity, potential impact, and likelihood of exploitation, with higher-risk vulnerabilities being remediated more quickly to reduce exposure.

Are audit logs captured for all systems?

This question examines whether the organisation ensures that audit logs are captured for all systems, including those critical to operations. Audit logs record system activities, such as access events, changes, and transactions, providing a trail that can be reviewed for security incidents, operational issues, or compliance requirements.

Are logs monitored via automated monitoring systems to generate consolidated reports and alerts on system security?

This question assesses whether the organisation utilises automated monitoring systems to continuously review audit logs, generate security reports, and trigger alerts in response to suspicious or anomalous activities. Automated log monitoring ensures that potential security threats are identified quickly and that relevant data is consolidated for easy analysis.
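As an added illustration of what automated log monitoring with consolidated alerting means in practice (this is example code, not part of the assessment or this article), the following Python script parses authentication log lines, raises one consolidated alert per source address that reaches a failure threshold inside a time window, and escalates the alert if a successful login from that address follows. The log lines are constructed in OpenSSH/syslog style with a hypothetical hostname and documentation-range IP addresses; the threshold, window and assumed year are illustrative choices, not values from the page.

```python
"""Added example (not from the assessment or the page): a minimal automated
log monitor that turns raw authentication log lines into consolidated alerts.
The log lines are constructed in OpenSSH/syslog style with a hypothetical
hostname and documentation-range IPs; thresholds and the year are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: five failed passwords then a success from one
# address, and one ordinary user who mistypes once and then uses a key.
SAMPLE_LOG = """\
Mar  4 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
Mar  4 10:00:03 web01 sshd[2102]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar  4 10:00:05 web01 sshd[2103]: Failed password for root from 203.0.113.9 port 51004 ssh2
Mar  4 10:00:07 web01 sshd[2104]: Failed password for root from 203.0.113.9 port 51006 ssh2
Mar  4 10:00:09 web01 sshd[2105]: Failed password for root from 203.0.113.9 port 51008 ssh2
Mar  4 10:00:12 web01 sshd[2106]: Accepted password for root from 203.0.113.9 port 51010 ssh2
Mar  4 10:15:00 web01 sshd[2200]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  4 10:16:00 web01 sshd[2201]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(text, year=2024):
    """Return parsed events; syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # unknown formats are skipped rather than silently mis-read
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """One consolidated alert per source IP that reaches `threshold` failed
    logins inside `window`; a later success from that IP escalates it."""
    alerts, alerted = [], {}
    recent = defaultdict(list)  # ip -> timestamps of failures inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent[ip] = [t for t in recent[ip] if ev["ts"] - t <= window]
            recent[ip].append(ev["ts"])
            if len(recent[ip]) >= threshold and ip not in alerted:
                alert = {"ip": ip, "failures": len(recent[ip]),
                         "first": recent[ip][0], "last": ev["ts"],
                         "success_after": None}
                alerts.append(alert)
                alerted[ip] = alert
        elif ip in alerted and alerted[ip]["success_after"] is None:
            alerted[ip]["success_after"] = (ev["user"], ev["ts"])
    return alerts


def report(alerts):
    """Render alerts one per line, severity first, for a consolidated report."""
    lines = []
    for a in alerts:
        sev = "HIGH" if a["success_after"] else "MEDIUM"
        line = (f"[{sev}] {a['failures']} failed logins from {a['ip']} between "
                f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
        if a["success_after"]:
            user, ts = a["success_after"]
            line += f"; then successful login as {user} at {ts:%H:%M:%S}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report(detect(parse(SAMPLE_LOG))):
        print(line)
```

Two design points matter for an assessment answer: the monitor consolidates (one alert per attacking source, not one per failed line), and it correlates (a success after a burst of failures is a different severity from the burst alone). The single mistyped password from the second address never reaches the threshold, so it produces no alert.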

Do you have incident response plans for the organisation?

This question evaluates whether the organisation has established formal incident response plans that outline the procedures to follow in the event of a security breach or other critical incidents. The plan should include steps for identifying, containing, eradicating, and recovering from incidents, as well as communication protocols and roles for the response team.

Are incident response plans tested at least annually?

This question evaluates whether the organisation tests its incident response plans at least once a year. Regular testing, through simulated incidents or tabletop exercises, helps ensure that the response team is prepared and that the plan remains effective in handling various types of security incidents.

Have all critical physical facilities and services been protected in line with a physical risk assessment?

This question assesses whether the organisation has conducted physical risk assessments for all critical facilities and services, and implemented appropriate security measures based on the identified risks. This includes securing data centres, server rooms, and other essential infrastructure to protect against theft, vandalism, and natural disasters.

Is there an organisation-wide business continuity (including disaster recovery) strategy in place which is supported by resilient technical infrastructure and incident response capability?

This question evaluates whether the organisation has a comprehensive business continuity strategy, including disaster recovery, that ensures operational resilience in the event of disruptions. The strategy should be supported by robust technical infrastructure and incident response capabilities to minimise downtime and ensure critical services are restored quickly.

Have business continuity plans been developed, regularly updated and tested for critical applications and processes?

This question assesses whether the organisation has developed and regularly updates business continuity plans for its critical applications and processes. These plans should be tested periodically to ensure their effectiveness in maintaining or quickly restoring operations in the event of a disruption.

Does the organisation have a consistent and structured information security assurance programme in place, supported by control testing?

This question checks if the organisation has a systematic approach to verifying the effectiveness of its security controls through regular reviews and testing, ensuring the protection of data and systems.

Is the Board provided with an accurate and coherent view of risk across the business?

This question evaluates whether the Board is consistently updated with a comprehensive and understandable view of risks across the organisation, allowing for effective governance and risk management.

Does the organisation carry out annual independent audits to determine the security status of the business?

This question checks if the organisation commissions independent audits annually to objectively evaluate its security controls and compliance with relevant standards and regulations.

Does the organisation use metrics to measure the effectiveness of its security capabilities?

This question evaluates whether the organisation uses specific metrics to regularly monitor and measure the performance of its security controls and capabilities.

Does the organisation have the following anti-phishing capabilities:
Flagging of external email to users
Enablement of anti-phishing controls in email and anti-malware solutions
Phishing Training Awareness and Testing

This question evaluates whether the organisation has implemented key anti-phishing tools and training programmes to protect against phishing attacks, including flagging external emails, enabling anti-phishing filters, and conducting awareness training.
