Information Security System Questionnaire

Introduction

Welcome to the GRCReady IT Security self-assessment questionnaires. IT security assessments are a fundamental way to fight security threats as they help to significantly reduce outside attacks, as well as create awareness within the organisation so as to reduce vulnerability. As malware and hackers become more sophisticated, the corresponding security solutions needed to combat these threats are becoming more complex and need to be continually assessed. The potential for gaps and weaknesses is increasing, which is why organisations should aim to undergo a cyber vulnerability assessment at least once every two years or more often if new threats become prevalent. For those organisations that are struggling to know where to start, we recommend completing the Cyber Vulnerability Scorecard which will provide a ‘health check’ of current arrangements. For those organisations that have already committed to an Information Security Management System, undertaking any of the 18 ISMS topics will help you assess the effectiveness of those areas and identify opportunities for improvement.

Option 1. Cyber Vulnerability Assessment (CVA)

To help you better understand your organisation’s cyber vulnerability and identify steps to strengthen resilience to attacks, we have developed a free self-assessment questionnaire. The assessment allows organisations of all sizes to complete a comprehensive suite of questions aligned to globally recognised best practice frameworks, identifying weaknesses in systems and offering pre-emptive solutions. The scorecard includes 25 self-assessment questions that assess your current control environment, approach to assessing cyber risk, key control activities and mechanisms for internal/external communication. The questionnaire should take no longer than 10-15 minutes to complete, following which you will receive a concise and detailed report describing your current cyber risk status and critical exposures, with recommendations for reducing your cyber and compliance risks.

Option 2. Insider Threat Assessment (ITA)

Our insider threat assessment has been specifically designed to help you evaluate your data’s current level of protection against malicious and inadvertent insiders, determine potential risks to your business, and assess the likelihood and potential harm of each risk. Our free self-assessment questionnaire has been specifically designed to help you identify assets and data vulnerable to insider threats and highlight additional data security measures that you should consider implementing to create a more effective insider threat program. The assessment includes 35 questions and should take you no longer than 15-20 minutes to complete. Once you have completed the questionnaire, you will be able to generate a visual picture of the state of your organisation’s internal threat surface. You can then download a free report that highlights potential flaws in your current workflow and cybersecurity gaps that may allow malicious insiders to compromise your corporate systems. It can also help you evaluate if the business is ready to stand up to potential insider threats.

Option 3. Information Security Management System Assessment (ISMS)

For those organisations that are already on their information security journey, we have developed a series of bespoke questionnaires. Each ISMS questionnaire consists of 10 questions covering 18 ISMS topics which have been aligned with the requirements of ISO/IEC 27001/2:2013. We have developed this framework as a basis for the analysis, development and enhancement of a leading practice Information Security Management System. These online self-assessments provide a quick and easy evaluation to help you determine whether your ISMS is operating effectively or whether there is room for improvement. After completing each questionnaire, we will evaluate your responses and provide you with a personalised scorecard with recommended actions to help improve your ISMS practices. Once you have completed all of the questionnaires in your ISMS dashboard, you will be provided with a free consolidated scorecard summarising your organisation’s ISMS maturity.

Why should I care about Information Security Management?

It is often challenging for even the most tech-savvy boards and company executives to keep up with the scope and pace of developments and risks related to big data, social media, cloud computing, IT implementations, cyber risk, and other technology matters. These developments carry a complex set of risks, and the most serious among them can compromise sensitive information and significantly disrupt business processes and the company’s reputation. Oversight of a properly implemented Information Security Management System (ISMS) requires proactive engagement and is often the responsibility of the board. In some organisations, a level of oversight may be delegated to a board Information Technology and Systems (ITS) sub-committee. By engaging in regular dialogue with the CIO, CISO, and other technology-focused leaders, the ITS committee can help business leaders determine where attention should be focused. Although information security is frequently on the board’s agenda, ITS committees are increasingly looking for ways to confirm that the governance processes to manage information are appropriate for the company’s needs and working effectively.

How to maximise value from the questionnaires

There are a number of ways to get the most out of the questionnaires. If you believe you have an informed perspective of the information security management in your organisation, you can complete your own assessment of how your organisation’s ISMS is performing. Alternatively, you can undertake the assessment with colleagues who have greater insight on the ISMS subject such as the CIO, CISO or CTO. There are also a number of free online live polling tools that you can use to enable others in the organisation to provide their informed view on the questions which may provide a broader organisational perspective. Finally, you can undertake a facilitated assessment with your professional services provider. Using their anonymous voting software in a workshop setting, you and your team will get a more complete picture of your organisation’s approach to information security management.

We take data security seriously

The GRCReady environment has been designed and built to comply with the Center for Internet Security (CIS) Amazon Web Services Foundations Benchmarks and follows the ‘Secure by Design’ (SBD) principles, ensuring that security controls are implemented within and across each component layer. Rest assured that any personal information you provide by registering to complete these questionnaires, including your responses to the questions, will be protected by us in accordance with our privacy policy.

About the questionnaires

With the exception of the Cyber Vulnerability Scorecard option, you will be asked to provide responses to 10 questions, each of which uses a five-point Likert scale ranging from 'strongly agree' to 'strongly disagree' to allow you to express how much you agree or disagree with a particular statement. The questionnaire should take no longer than 5 minutes to complete. Each question has been aligned with COSO (The Committee of Sponsoring Organisations of the Treadway Commission) which is a joint initiative of private sector organisations and is dedicated to providing thought leadership through the development of governance frameworks.

You will need to register first in order to complete the questionnaire and view the scorecard showing the results of your assessment. The results will be accompanied by some general comments on potential actions that can be taken to improve ISMS practices in your business. The potential actions listed on the scorecard should not be construed as providing legal or commercial advice. They are areas identified by the ISMS assessment where you may wish to seek professional advice or purchase documents, tools and resources to support further work.

Completion of any of the questionnaires will help identify areas where you could do with a little support as well as provide practical tips to help improve your information security practices. With your permission, we may share the results of your ISMS questionnaires with your professional advisor to enable them to have an informed conversation to help improve your ISMS practices.

I consent to GRCReady sharing the results of my information security management evaluation questionnaires with my professional adviser.