Information Security Assessment Test

Self-assess your compliance readiness now.

Questions

Context of the organization
Internal and external stakeholders
(For every question in this assessment, uncheck the item if it is not relevant to your organization.)
Have you identified the internal stakeholders, along with their requirements and pain points?
Have you identified the external stakeholders, along with their requirements and pain points?
Have you defined the scope of the information security management system (ISMS)?
Have you listed the physical locations that fall within that scope?
Leadership
Organization of the ISMS
Have you established information security as a function in the organization, empowered with adequate management responsibility?
Have you defined the roles and responsibilities of the information security stakeholders?
Have you established objectives for information security?
Have you defined key performance indicators (KPIs) for information security?
Have you formed an IT steering committee or senior managers' committee to oversee information security management?
Do you plan to hold IT steering committee meetings at least twice a year?
Have you documented an information security policy for the organization?
Is the information security policy approved by management?
Have you communicated the high-level information security policy to all staff in the organization?
Have you established a roadmap for information security?
Have you assigned operational responsibility for information security tasks to the relevant functions (e.g. physical security, risk assessment, patch management)?
Planning
Information security risk assessment and treatment
Have you identified information security risks?
Have you defined, and do you operate, an interface with enterprise risk management?
Do you have a documented risk management procedure?
Do you maintain a risk register to list and track information security risks?
Do you have a documented approval note for each accepted risk?
Have you identified a risk owner for each identified risk?
Do you perform periodic reviews of the logged risks?
Do you have a Statement of Applicability?
Do you have documented risk treatment plans for the identified risks?
Do you have a list of the changes associated with mitigated risks?
Have you identified the configuration items (CIs) affected by the changes associated with those risks?
Do you have evidence of approval of the Statement of Applicability?
Planning
Information security objectives and planning to achieve them
Have you identified key performance indicators (KPIs) for information security management?
Have you linked the KPIs to the objectives of the ISMS?
Have you defined targets for the identified KPIs?
Have you created a performance plan to achieve the objectives?
Planning
Planning of changes
Do you follow the change management process and the project management process to implement information security related changes?
Do you have a project management document?
Do you have sample change records?
Do you have evidence of approval of changes and projects?
Support
Resources
Have you allocated dedicated resources for information security?
Do you have an approved version of the organization chart?
Have you created an independent division or section to manage information security?
Support
Competence
Have you identified the competencies required for information security?
Have you created a plan to acquire those competencies?
Do you have a procedure to track the acquisition of the identified competencies?
Do you maintain evidence of acquired competencies (e.g. training attendance records, copies of certificates)?
Support
Awareness
Do you have a policy and a plan for conducting information security awareness training?
Do you keep evidence of providing information security training to new joiners?
Do you keep evidence of providing annual information security training to all staff?
Do you maintain evidence of awareness training, such as attendance records?
Support
Communication
Do you have a policy on communicating information security events to the various stakeholders?
Do you have evidence of communicating major incidents to users?
Support
Documented information
Do you have an approved process for managing information security documentation?
Do you have a defined procedure for managing documents owned by third parties?
Do you classify documents?
Do you have a document retention policy?
Do you have a policy for the storage of documents?
Do you apply version control to documents?
Have you defined a policy for the approval of documents?
Do you review documents periodically (e.g. yearly)?
Operation
Risk assessment and treatment
Have you identified the operational risks associated with information security?
Do you document treatment actions in the risk register?
Performance Evaluation
Monitoring, measurement, analysis and evaluation
Do you monitor the information systems and produce performance reports periodically?
Do you analyze the performance reports with stakeholders?
Do you log action items after the analysis?
Performance Evaluation
Internal Audit
Have you prepared an internal audit plan?
Have you defined the competencies required of the auditors assigned to the internal audit?
Do you have a process to validate the competencies of the auditors?
Have you performed the internal audit and produced an internal audit report?
Do you maintain a corrective action report to track the gaps identified in the audit?
Have you identified and logged the actions taken to close the gaps identified during the internal audit?
Performance Evaluation
Management Review
Have you scheduled periodic management reviews?
Do you prepare minutes of meeting for the management review?
Have you included a discussion of audit performance in the management review agenda?
Have you included a discussion of feedback from interested parties in the management review agenda?
Have you included information security performance monitoring as an item in the management review agenda?
Improvement
Continual improvement
Do you track the continual improvement initiatives identified by the organization?
Do you log the actions taken on improvement initiatives?
Do you validate the benefits realized from continual improvement?
Improvement
Nonconformity and corrective action
Do you plan and log the actions taken to address nonconformities?
Organizational Controls
Have you established an information security policy?
Have you defined the roles and responsibilities for managing information security?
Do you use a segregation of duties (SoD) matrix to manage the roles and responsibilities associated with information security?
Do you monitor threats by collecting threat intelligence on information security threats?
Do you have a documented procedure to capture information security requirements as part of project management?
Do you have an asset inventory or configuration management system?
Have you developed a scheme to classify information assets based on the sensitivity of the information they hold?
Do you label information assets according to the asset classification?
Have you defined the security measures to be adopted when exchanging information with third parties?
Do you have a procedure to manage access, covering provisioning, removal, and changes to access levels?
Have you documented a password policy for the organization?
Have you identified the risks associated with suppliers?
Do you have non-disclosure agreements with the third parties working with you?
Do you have technology to monitor endpoint security controls?
Do you have a detailed information security incident management process?
Have you established security operations center (SOC) monitoring of information security events?
Do you have a business continuity management policy?
Have you identified parameters such as recovery time objective (RTO) and recovery point objective (RPO) for services?
Have you tested services to validate their response to business continuity events?
Have you identified the applicable legal and regulatory requirements?
Do you have an intellectual property rights policy?
Have you documented a personal data protection policy for the organization?
Do you perform penetration testing of your network and applications at least annually?
Do you maintain standard operating procedures for information security and related activities?
People Controls
Do you perform background verification of employees before they join your organization?
Do you include information security responsibilities in the employment contract?
Do you provide information security awareness training to all new joiners?
Do you provide information security awareness training to all employees at least once a year?
Have you listed violations of information security policy as grounds for disciplinary action in the HR policy?
Do you require staff members to sign an acceptable use policy?
Have you documented a remote working policy for staff members?
Do you have a policy for recovering assets from resigned or terminated employees?
Do you have a documented process to track the separation (offboarding) process?
Physical Controls
Do you have a policy for managing physical security?
Have you installed CCTV along your perimeter and in secure areas?
Do you have an access management system to monitor and manage physical access to the premises?
Do you track assets entering or leaving your organization?
Do you have a building management system to monitor physical and environmental controls?
Do you maintain an asset inventory of physical and environmental controls?
Have you installed fire suppression systems?
Do you have maintenance contracts with the vendors supporting physical and environmental controls?
Do you demarcate secure zones within the working area?
Do you have a clear desk and clear screen policy?
Have you defined a policy for managing assets located off-premises?
Do you have an asset disposal policy?
Do you perform failover testing of the uninterruptible power supply (UPS)?
Have you documented a cabling standard?
Technological Controls
Have you defined baseline information security controls for end-user devices?
Have you devised a procedure for granting privileged access to information assets?
Do you review system access on a quarterly basis?
Do you maintain a custodianship form for generic or system IDs that have privileged access to information assets?
Do you have capacity monitoring tools configured to alert system administrators when defined thresholds are exceeded?
Do you have anti-malware deployed on end-user and enterprise assets?
Do you perform monthly vulnerability assessments of your information assets?
Do you follow a defined process for wiping data stored on information assets?
Do you mask sensitive data where required by laws, regulations, or business requirements?
Have you deployed data leakage prevention (DLP) solutions across information assets?
Do you maintain a data backup schedule?
Do you perform periodic restoration testing and validation of backups?
Do you forward information system logs and application logs to a separate log server?
Have you integrated your logs with security monitoring tools?
Have you synchronized the system clocks of your information systems to a single approved time source?
Have you documented a policy on managing utility programs that can override information security controls?
Do you allow end users to install software on their own devices?
Have you segmented your network into multiple smaller networks with appropriate access restrictions?
Do you have an approved policy for managing networks and network devices securely?
Do you have core and perimeter firewalls and other network security devices, such as an intrusion prevention system (IPS)?
Do you have the capability to monitor VPN connectivity and to terminate connections if required?
Do you encrypt data at rest?
Do you have an approved secure development process for managing application development?
Do you perform security testing of developed applications?
Have you defined an architecture model for the organization that includes information security as a component?
Do you follow the change management policy when deploying changes to production?
