Security Programme Maturity Assessment


When there is a need to quickly determine where a company stands in terms of the maturity of its security programme, the questionnaire below, which I developed, can be useful in this endeavour.

The questionnaire is laid out as a table with four columns: Question, Status, Comments and Evidence. The questions are listed below; the Status, Comments and Evidence columns are left blank for the assessor to fill in.
1. Information security policy
1.1 Is there an information security policy that is appropriate to the purpose of the organisation, gives a framework for setting objectives, and demonstrates commitment to meeting requirements and for continual improvement?
1.2 Is the policy documented and communicated to employees within the organisation and available to interested parties, as appropriate?
1.3 Is there an established ISMS policy that ensures the integration of the information security management system requirements into the organisation’s processes?
2. Information security risk assessment and treatment
2.1 Has an information security risk assessment process been defined and applied?
2.2 Is there an information security risk treatment process to select appropriate risk treatment options for the results of the information security risk assessment, and are controls determined to implement the risk treatment option chosen?
3. Planning and measuring
3.1 Are measurable information security objectives and targets established, documented and communicated throughout the organisation?
3.2 Does the organisation determine what needs to be done, when and by whom, in setting its objectives?
4. Internal audit
4.1 Does the organisation conduct internal audits at planned intervals to provide information on whether the information security management system conforms to requirements?
5. Management review
5.1 Does the leadership undertake a periodic review of the information security processes and controls, and ISMS?
6. Corrective action and continual improvement
6.1 Does the organisation react to nonconformities and continually improve the suitability, adequacy and effectiveness of the information security management system?
7. Legal compliance
7.1 What security laws and data protection legislation apply to the organisation?

Download the full Questionnaire (with instructions)

Image courtesy Pong / FreeDigitalPhotos.net