
ISO27k Information Security Program Assessment Tool

This assessment tool was created to evaluate the maturity of information security programs using as a framework the International Organization for Standardization (ISO) 27002:2013 "Information Technology Security Techniques. Code of Practice for Information Security Management." This tool was intended for use by any organization as a whole, although a unit within an organization may also use it to help determine the maturity of its individual information security program. The assessment should be performed by an information security officer, consultant, auditor, or equivalent, familiar with the environment. There are a total of 101 questions and it takes on average about 4 hours to complete the assessment.

The self-assessment has been designed to be completed annually or at the frequency the organization feels is appropriate to track its security maturity. The assessment tool uses the ISO 21827:2008 framework for scoring maturity, which scales from 0 to 5, with 5 being the highest level of maturity:

0. Not Performed
1. Performed Informally
2. Planned
3. Well Defined
4. Quantitatively Controlled
5. Continuously Improving

The organization can achieve the same maturity rating by substituting CMMI, NIST, COBIT, or another maturity framework that may be more familiar, with the same numeric 0 through 5 score. Definitions for the ISO 21827:2008 maturity levels and the other ratings can be found on the "Scoring" tab of the spreadsheet. Each question should be answered by selecting the appropriate current as well as desired level of maturity, from 0 through 5. Each ISO section will be added up, then averaged to provide a maturity assessment for the given section.

Below is a summary of the focus of each section used in the tool:

Information Security Policies (ISO 5): Assess how an organization expresses its intent with regard to information security.
Organization of Information Security (ISO 6): Assess how an organization manages its information security across the entire enterprise, including how the organizational leadership commits its support and provides overall direction.
Human Resource Security (ISO 7): Assess an organization's safeguards and processes for ensuring that all employees are qualified for and understand their roles and responsibilities of their job duties and that access is removed once employment is terminated.
Asset Management (ISO 8): Assess an organization's asset management program. Does it include ways to identify, track, classify, and assign ownership for the most important assets to ensure they are adequately protected?
Access Control (ISO 9): Assess an organization's use of administrative, physical, or technical security features to manage how users and systems communicate and interact with other information resources.
Cryptography (ISO 10): Assess an organization's policies on the use of cryptography (encryption) and key management.
Physical and Environmental Security (ISO 11): Assess an organization's steps taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.
Operations Security (ISO 12): Assess an organization's formalized policies, procedures, and controls, which assist in data and system protection.
Communications Security (ISO 13): Assess an organization's formalized policies, procedures, and controls, which assist in network management and operation.
System Acquisition, Development, and Maintenance (ISO 14): Assess whether an organization has security requirements established as an integral part of the development or implementation of an information system.
Supplier Relationships (ISO 15): Assess how an organization interacts with third parties to adequately secure the information and technology resources that third parties access, process, and manage.
Information Security Incident Management (ISO 16): Assess an organization's information security incident management program. An effective program will ensure personnel are trained and equipped to detect, report, and respond to adverse events.
Information Security Aspects of Business Continuity Management (ISO 17): Assess an organization's business continuity management. A mature institution has a managed, organized method for the development of procedures to ensure the continuity of operations under extraordinary circumstances including the maintenance of measures to ensure the privacy and security of its information resources.
Compliance (ISO 18): Assess an organization's processes for staying current with legal and contractual requirements to protect sensitive information assets.

© ISO27k Forum & EDUCAUSE 2018

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0).

The copyright in parts of this document belongs to ISO/IEC. They own the standards! We are reliant on the fair use provisions of copyright law and the goodwill of ISO/IEC to reproduce a small part of their content here, encouraging widespread adoption of the ISO27k standards.

Brought to You by the ISO27k Forum, EDUCAUSE Cybersecurity Program, and the Higher Education Information Security Council

This assessment tool is a fork contributed to the ISO27k toolkit based on HEISCJuly2018 (Information Security Program Assessment Tool), which is a part of the EDUCAUSE Cybersecurity Program and created by volunteers from the Higher Education Information Security Council (HEISC). The Cybersecurity Program supports higher education institutions as they improve information security governance, compliance, data protection, and privacy programs. HEISC is a volunteer effort open to all higher education information security, privacy, and other IT professionals. Learn more and view additional resources at https://educause.edu/security. For any feedback related to the tool, send an email to security-council@educause.edu.

Revision History
11/15/2018. Initial release, contributed by Bachir Benyammi and revised by Valerie Vogel
Score | ISO/IEC 21827:2008 | Definition | CMMI | NIST | COBIT

0 Not Performed: There are no security controls or plans in place. The controls are nonexistent.
   CMMI: Non-existent | NIST: Non-existent | COBIT: Non-existent

1 Performed Informally: Base practices of the control area are generally performed on an ad hoc basis. There is general agreement within the organization that identified actions should be performed, and they are performed when required. The practices are not formally adopted, tracked, and reported on.
   CMMI: Initial | NIST: Policies | COBIT: Initial/Ad-hoc

2 Planned: The base requirements for the control area are planned, implemented, and repeatable.
   CMMI: Managed | NIST: Procedures | COBIT: Repeatable but Intuitive

3 Well Defined: The primary distinction from Level 2, Planned and Tracked, is that in addition to being repeatable the processes used are more mature: documented, approved, and implemented organization-wide.
   CMMI: Defined | NIST: Implementation | COBIT: Defined Process

4 Quantitatively Controlled: The primary distinction from Level 3, Well Defined, is that the process is measured and verified (e.g., auditable).
   CMMI: Quantitatively Managed | NIST: Test | COBIT: Managed & Measurable

5 Continuously Improving: The primary distinction from Level 4, Quantitatively Controlled, is that the defined, standard processes are regularly reviewed and updated. Improvements reflect an understanding of, and response to, a vulnerability's impact.
   CMMI: Optimized | NIST: Integration | COBIT: Optimized
INSTITUTION NAME GOES HERE 02/24/2022 6

Columns: ID No. | Questions | Description | Current Maturity Level | Current Score | Desired Maturity Level | Desired Score

Risk Management (ISO 27005:2011)
Section average: Current 0.00 | Desired 0.00

1. Does the organization have a person or group that has the role and responsibility for an ongoing process of evaluating the probability that known threats will exploit vulnerabilities and the resulting impact on valuable assets? Risk management also assigns relative priorities for mitigation plans and implementation.
   Description: e.g., Risk management program.
   Current: Not Performed (0) | Desired: Not Performed (0)

2. Does the organization have a process for identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing sensitive information?
   Current: Not Performed (0) | Desired: Not Performed (0)

3. Does the organization conduct routine risk assessments to identify the key objectives that need to be supported by the information security program?
   Current: Not Performed (0) | Desired: Not Performed (0)

Information Security Policies (ISO 5)
Section average: Current 0.00 | Desired 0.00

4. Does the organization have an information security policy that has been approved by management?
   Description: A published policy that has been approved by upper management.
   Current: Not Performed (0) | Desired: Not Performed (0)

5. Has the security policy been published and communicated to all relevant parties?
   Description: Is it freely available on a website or in a handbook, or shared with employees when they are first hired?
   Current: Not Performed (0) | Desired: Not Performed (0)

6. Does the organization review the security policy at defined intervals to encompass significant change and monitor for compliance?
   Description: Is the policy itself audited, and is the organization audited against it, at a defined interval?
   Current: Not Performed (0) | Desired: Not Performed (0)

Organization of Information Security (ISO 6)
Section average: Current 0.00 | Desired 0.00

7. Does the information security function have the authority it needs to manage and ensure compliance with the information security program?
   Description: Does the individual or group responsible for information security have the necessary buy-in and support from the rest of the organization to fulfill its function, including setting policy, issuing sanctions, prioritizing funding, etc.?
   Current: Not Performed (0) | Desired: Not Performed (0)

8. Does the organization have an individual with enterprise-wide information security responsibility and authority written in their job description, or equivalent?
   Description: Is there a dedicated, established role (e.g., CIO, CISO, CSO, or other) for information security across the organization? Someplace where the 'buck stops'?
   Current: Not Performed (0) | Desired: Not Performed (0)

9. Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes, and audits?
   Description: Information security comprises many different functional areas. Have resources been formally designated to cover each of the areas mentioned?
   Current: Not Performed (0) | Desired: Not Performed (0)

10. Is there a formal process for having the individual with information security responsibility assess and sign off on appropriate hardware, software, and services, ensuring they follow security policies and requirements?
   Description: Is information security assessment a formal part of the life cycle when bringing in new equipment, software, and/or services?
   Current: Not Performed (0) | Desired: Not Performed (0)

11. Does the organization maintain relationships with local authorities?
   Description: e.g., local law enforcement bodies (police, security agencies, district attorney's office, etc.)
   Current: Not Performed (0) | Desired: Not Performed (0)

12. Does the organization participate with local, national, or international security groups, associations, and agencies?
   Description: e.g., InfraGard, ISACA, ISSA, ENISA, ANSSI, etc.
   Current: Not Performed (0) | Desired: Not Performed (0)

13. Does the organization have independent security reviews completed at planned intervals or when significant changes to the environment occur?
   Description: e.g., external audits, penetration tests, scans, etc.
   Current: Not Performed (0) | Desired: Not Performed (0)

Human Resource Security (ISO 7)
Section average: Current 0.00 | Desired 0.00

14. Do all individuals interacting with the organization's information system receive information security awareness training?
   Description: Online, in person, or a combination of events, newsletters, e-mails, etc., with security awareness training. Threshold is defined by organization and compliance requirements.
   Current: Not Performed (0) | Desired: Not Performed (0)

15. Does the organization conduct specialized role-based training?
   Description: For example, HIPAA for staff in the counseling center or PCI training for cashiers.
   Current: Not Performed (0) | Desired: Not Performed (0)

16. Do the information security programs clearly state responsibilities, liabilities, and consequences?
   Description: Are employee responsibilities, liabilities (impediments to successfully carrying out responsibilities), and penalties for noncompliance clearly outlined and communicated?
   Current: Not Performed (0) | Desired: Not Performed (0)

17. Does the organization have a process for revoking system and building access and returning assigned assets?
   Description: For example, an off-boarding process that requires sign-off and debrief.
   Current: Not Performed (0) | Desired: Not Performed (0)

18. Does the organization have a process for revoking system access when there is a position change or when responsibilities change?
   Description: An identity and access management system that automates revocation, or a manual process that handles employment or role changes and produces auditable records of any changes.
   Current: Not Performed (0) | Desired: Not Performed (0)

Asset Management (ISO 8)
Section average: Current 0.00 | Desired 0.00

19. Has the organization identified critical information assets and the functions that rely on them?
   Description: This question is looking at whether a formal or informal business impact analysis has occurred. Has anyone in the organization identified information assets that are considered essential to the business and the systems that support them, for continuity or otherwise?
   Current: Not Performed (0) | Desired: Not Performed (0)

20. Does the organization classify information to indicate the appropriate levels of information security?
   Description: Agreed-upon classifications (for example, confidential, official-use only, and unrestricted) are defined and applied.
   Current: Not Performed (0) | Desired: Not Performed (0)

Access Control (ISO 9)
Section average: Current 0.00 | Desired 0.00

21. Does the organization have an access control policy for authorizing and revoking access rights to information systems?
   Current: Not Performed (0) | Desired: Not Performed (0)

22. Does the organization have a process in place for granting and revoking appropriate user access?
   Current: Not Performed (0) | Desired: Not Performed (0)

23. Does the organization have a password management program that follows current security standards?
   Description: A password management program enforces secure password attributes such as password length, maximum age, character requirements, and uniqueness (history).
   Current: Not Performed (0) | Desired: Not Performed (0)

24. Does the organization have procedures to regularly review users' access to ensure only needed privileges are applied?
   Current: Not Performed (0) | Desired: Not Performed (0)

25. Does the organization employ specific measures to secure remote access services?
   Description: Specific measures might include allowed methods, usage restrictions, monitoring, authorization, and enforcement.
   Current: Not Performed (0) | Desired: Not Performed (0)

26. Does the organization employ technologies to block or restrict unencrypted sensitive information from traveling to untrusted networks?
   Current: Not Performed (0) | Desired: Not Performed (0)

27. Does the organization have mechanisms in place to manage digital identities (accounts, keys, tokens) throughout their life cycle, from registration through termination?
   Description: Digital identities should be managed from the time they are issued, upon any privilege changes, and through termination. Management includes things like issuing accounts that are unique for each user and maintaining the minimum privileges needed to perform job duties.
   Current: Not Performed (0) | Desired: Not Performed (0)

28. Is there a policy in place to restrict the sharing of passwords?
   Current: Not Performed (0) | Desired: Not Performed (0)

29. Does the organization prohibit use of generic accounts with privileged access to systems?
   Description: A generic account is one that is shared by multiple individuals. There are certain situations in which generic accounts cannot be avoided (e.g., root for Linux or Administrator for Windows). In these cases compensating controls should be put in place, such as logging.
   Current: Not Performed (0) | Desired: Not Performed (0)

30. Does the organization have an authentication system in place that applies higher levels of authentication to protect resources with higher levels of sensitivity?
   Description: Having more secure authentication mechanisms such as more complex passwords or multifactor authentication.
   Current: Not Performed (0) | Desired: Not Performed (0)

31. Does the organization have an authorization system that enforces time-limited lockout on login failure and defaults to minimum privileges?
   Description: What is the length of time the account is locked before it is 'automatically' unlocked?
   Current: Not Performed (0) | Desired: Not Performed (0)

32. Does the organization have standards for isolating sensitive data, and procedures and technologies in place to protect it from unauthorized access and tampering?
   Current: Not Performed (0) | Desired: Not Performed (0)

33. Does the organization have usage guidance established for mobile computing devices (regardless of ownership) that store, process, or transmit organizational data?
   Description: e.g., BYOD policy
   Current: Not Performed (0) | Desired: Not Performed (0)

34. Does the organization require encryption on mobile (i.e., laptops, tablets, etc.) computing devices?
   Current: Not Performed (0) | Desired: Not Performed (0)

35. Does the organization have a telework (remote work) policy that addresses multifactor access and security requirements for the endpoint used?
   Description: Authentication factors include something you know, something you have, or something you are.
   Current: Not Performed (0) | Desired: Not Performed (0)

Cryptography (ISO 10)
Section average: Current 0.00 | Desired 0.00

36. Does the organization use appropriate or vetted encryption methods to protect sensitive data in transit?
   Description: Some encryption algorithms are deprecated due to weaknesses. Some algorithms are inappropriate in selected situations. Do you review these details?
   Current: Not Performed (0) | Desired: Not Performed (0)

37. Do the policies indicate when encryption should be used (e.g., at rest, in transit, with sensitive or confidential data, etc.)?
   Description: Are there any published security standards in place that dictate appropriate security controls based on data sensitivity or classification? Do those standards include encryption controls?
   Current: Not Performed (0) | Desired: Not Performed (0)

38. Are standards for key management documented and employed?
   Description: Are there any specific required algorithms in place for encryption and digital signing? Are there any standards in place for symmetric and asymmetric key sizes? Are encryption keys required to be periodically changed? Are there any procedures for revoking encryption keys?
   Current: Not Performed (0) | Desired: Not Performed (0)
Physical and Environmental Security (ISO 11)
Section average: Current 0.00 | Desired 0.00

39. Do the organization's data centers include controls to ensure that only authorized parties are allowed physical access?
   Description: e.g., escort required, biometrics, cameras, badges, etc.
   Current: Not Performed (0) | Desired: Not Performed (0)

40. Does the organization have preventative measures in place to protect critical hardware and wiring from natural and man-made threats?
   Description: Such as redundancy and backup plans, procedures, and technology that are in place to restore operations in case of disaster.
   Current: Not Performed (0) | Desired: Not Performed (0)

41. Does the organization have a process for issuing keys, codes, and/or cards that requires appropriate authorization and background checks for access to these sensitive facilities?
   Description: Documentation exists and staff are assigned responsibility for authorizing, facilitating, or performing background checks and for issuing devices or codes that provide access once authorization is received. There is evidence that the process has been followed and is routinely audited against.
   Current: Not Performed (0) | Desired: Not Performed (0)

42. Does the organization follow vendor-recommended guidance for maintaining equipment?
   Description: Such as minimum system requirements, maintenance schedules, etc.
   Current: Not Performed (0) | Desired: Not Performed (0)

43. Does the organization have a media-sanitization process that is applied to equipment prior to disposal, reuse, or release?
   Description: A documented process that describes how media is sanitized, whether through a contractor or by assigned staff using approved methods. In some cases verified or certified disposal may be appropriate.
   Current: Not Performed (0) | Desired: Not Performed (0)

44. Are there processes in place to detect the unauthorized removal of equipment, information, or software?
   Description: Routine review of inventories, staff assigned to respond to alarms, staff visually monitoring, cameras being reviewed.
   Current: Not Performed (0) | Desired: Not Performed (0)

Operations Security (ISO 12)
Section average: Current 0.00 | Desired 0.00

45. Does the organization maintain security configuration standards for information systems and applications?
   Description: How mature are the 'hardening' standards for various platforms that provide stronger security settings than provided as-shipped?
   Current: Not Performed (0) | Desired: Not Performed (0)

46. Are changes to information systems tested, authorized, and reported?
   Description: Is there any change control process in place for production systems such that changes are simply not made 'on the fly' by programmers, system administrators, DBAs, or others?
   Current: Not Performed (0) | Desired: Not Performed (0)

47. Are duties sufficiently segregated to ensure unintentional or unauthorized modification of information is detected?
   Description: How good is the separation of duties? Do developers have access to production? Do DBAs have unaudited access to production databases?
   Current: Not Performed (0) | Desired: Not Performed (0)

48. Are production systems separated from other stages of the development life cycle?
   Description: On separate platforms? Separate access control? Monitored more carefully?
   Current: Not Performed (0) | Desired: Not Performed (0)

49. Does the organization have processes in place to monitor the utilization of key system resources and to mitigate the risk of system downtime?
   Description: For example, monitoring CPU utilization and free disk space across a range of production systems.
   Current: Not Performed (0) | Desired: Not Performed (0)

50. Are methods used to detect, quarantine, and eradicate known malicious code on information systems including workstations, servers, and mobile computing devices?
   Description: Antivirus and similar. Note that malicious code includes 'logic bombs' planted by malicious insiders.
   Current: Not Performed (0) | Desired: Not Performed (0)

51. Are methods used to detect and eradicate known malicious code transported by electronic mail, the web, or removable media?
   Description: Anti-malware in e-mail gateways, web proxies, and endpoints.
   Current: Not Performed (0) | Desired: Not Performed (0)

52. Is the data backup process frequency consistent with the availability requirements of the organization?
   Description: If the data has to be restored, is it backed up frequently enough that nothing important would be lost?
   Current: Not Performed (0) | Desired: Not Performed (0)

53. Does the organization have a process for posture checking (such as current antivirus software, firewall enabled, OS patch level, etc.) of devices as they connect to its network?
   Description: This is sometimes known as Network Admission/Access Control (NAC).
   Current: Not Performed (0) | Desired: Not Performed (0)

54. Does the organization have a segmented network architecture to provide different levels of security based on the information's classification?
   Description: Does more sensitive information use a separate portion of the network?
   Current: Not Performed (0) | Desired: Not Performed (0)

55. Are Internet-accessible servers protected by more than one security layer (firewalls, network IDS, host IDS, application IDS)?
   Description: Note that an 'all-in-one', 'multifunction', or 'next-generation firewall' device provides multiple layers in one piece of hardware; the question is about functionality, not number of boxes.
   Current: Not Performed (0) | Desired: Not Performed (0)

56. Are controls in place to protect, track, and report the status of media that has been removed from secure organization sites?
   Description: Is the removal of media from the site documented in a log? Note that this is for 'secure sites', so it covers taking tapes from a data center, not thumb drives from an office.
   Current: Not Performed (0) | Desired: Not Performed (0)

57. Does the organization have a process in place to ensure data related to electronic commerce (e-commerce) traversing public networks is protected from fraudulent activity, unauthorized disclosure, or modification?
   Description: Credit cards, bank transfers, electronic purchase orders, etc.
   Current: Not Performed (0) | Desired: Not Performed (0)

58. Are security-related activities such as hardware configuration changes, software configuration changes, access attempts, and authorization and privilege assignments automatically logged?
   Description: This includes both logging by the operating system/software and other logging, such as in a ticketing system or knowledgebase.
   Current: Not Performed (0) | Desired: Not Performed (0)

59. Does the organization have a process for routinely monitoring logs to detect unauthorized and anomalous activities?
   Current: Not Performed (0) | Desired: Not Performed (0)

60. Does the organization record the log reviews (recertification/attestation)?
   Description: It is desirable to record that someone reviews logs or log summaries.
   Current: Not Performed (0) | Desired: Not Performed (0)

61. Are steps taken to secure log data to prevent unauthorized access and tampering?
   Description: This includes techniques such as remote logging to another system.
   Current: Not Performed (0) | Desired: Not Performed (0)

62. Does the organization regularly review administrative and operative access to audit logs?
   Description: Logs can be manipulated to cover up malicious activity.
   Current: Not Performed (0) | Desired: Not Performed (0)

63. Are file-integrity monitoring tools used to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and is the software configured to perform critical file comparisons at least weekly?
   Current: Not Performed (0) | Desired: Not Performed (0)

64. Does the organization have a process to ensure synchronization of system clocks with an authoritative source (e.g., via NTP) on a periodic basis commensurate with the potential risks?
   Description: Time synchronization using atomic clocks or network time sources.
   Current: Not Performed (0) | Desired: Not Performed (0)

Communications Security (ISO 13)
Section average: Current 0.00 | Desired 0.00

65. Does the organization require the use of confidentiality or nondisclosure agreements for employees and third parties?
   Current: Not Performed (0) | Desired: Not Performed (0)

66. Does the organization routinely test its restore procedures?
   Description: Backups sometimes fail, and staff sometimes aren't familiar with restore procedures in a crisis. Testing mitigates these issues.
   Current: Not Performed (0) | Desired: Not Performed (0)

67. Does the organization continuously monitor its wired and wireless networks for unauthorized access?
   Description: By unauthorized users, and for unauthorized fake access points or devices manipulating traffic.
   Current: Not Performed (0) | Desired: Not Performed (0)

68. Does the organization have policies and procedures in place to protect exchanged information (within the organization and in third-party agreements) from interception, copying, modification, misrouting, and destruction?
   Description: Data 'feeds' between systems and organizations are frequently a weak point. How strongly does the organization ensure that all such feeds are secured and monitored?
   Current: Not Performed (0) | Desired: Not Performed (0)

69. Does the organization ensure that user access to diagnostic and configuration ports is restricted to authorized individuals and applications?
   Current: Not Performed (0) | Desired: Not Performed (0)

70. Does the organization employ specific measures to prevent and detect rogue access points for all of its wireless LANs?
   Current: Not Performed (0) | Desired: Not Performed (0)

Systems Acquisition, Development, and Maintenance (ISO 14)
Section average: Current 0.00 | Desired 0.00

71. Does the organization have a process for validating the security of purchased software products and services?
   Description: e.g., review of security settings/posture and evaluation/audit of those settings.
   Current: Not Performed (0) | Desired: Not Performed (0)

72 Are new information systems or enhancements to existing information systems validated against defined e.g., CIS audit benchmarks
security requirements? Not Performed 0 Not Performed 0

73 Have standards been established that address secure coding practices (e.g., input validation, proper error e.g., OWASP secure development framework
handling, session management, etc.), and take into consideration common application security vulnerabilities
(e.g., CSRF, XSS, code injection, etc.)? Not Performed 0 Not Performed 0

74 Are validation checks incorporated into applications to detect any corruption of information through Do applications filter input (i.e., input validation) to ensure only expected characters are processed
processing errors or deliberate acts? (e.g., only numbers are entered into a zip code field)? Do applications check size and format of data
(e.g., does an SSN appear as ###-##-####)? Not Performed 0 Not Performed 0

75 Are processes in place to check whether message integrity is required? Integrity controls are often employed inline with encryption controls for sensitive data
transmission. Are there any published security standards in place that dictate appropriate security
controls based on data sensitivity or classification? Do those standards include integrity controls Not Performed 0 Not Performed 0
(e.g., digital signing)?

76 Incorrect output may occur, even in tested systems. Does the organization have validation checks to ensure Do applications perform checks to ensure output is reasonable and expected (i.e., output
data output is as expected? validation)? Is sensitive data redacted in output (e.g., replace first five of SSN with asterisks). Not Performed 0 Not Performed 0

77 Does the organization establishes procedures for maintaining source code during the development life cycle Does the organization maintains a source code repository? Does the repository maintain a history?
and while in production to reduce the risk of software corruption? Are checksums for source code maintained? Not Performed 0 Not Performed 0

78 Does the organization applies the same security standards for sensitive test data that applies to sensitive Data should be safeguarded based on its classification or level of sensitivity, not based on the type
production data as well? of environment that is storing and/or processing the data. Does the organization have a data
classification scheme? Are safeguards prescribed based on data classification? Not Performed 0 Not Performed 0

79 Does the organization restrict and monitor access to source code libraries to reduce the risk of corruption? Does the organization maintains a source code repository? Does this source code repository require
authentication? Is access to source code based on the rule of least privilege? Is access to source
code audited? Not Performed 0 Not Performed 0

80  Does the organization have a configuration-management process in place to ensure that changes to critical systems are made for valid business reasons and have received proper authorization?
    Guidance: Are changes to critical systems documented? Does the documentation include a business case? Are changes reviewed and approved by management prior to implementation? Are changes accepted by the system or application owner?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

81  Are reviews and tests performed to ensure that changes made to production systems do not have an adverse impact on security or operations?
    Guidance: Are changes evaluated for their impact on existing security controls? Are vulnerability scans performed after a change has been implemented? Is more thorough testing performed on an annual basis? Are business continuity and disaster recovery plans updated as appropriate?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

82  Has the organization implemented tools and procedures to monitor for and prevent the loss of sensitive data?
    Guidance: Tools and procedures may include IDS/IPS; network flow monitoring tools (e.g., NetFlow, Argus); data loss prevention or content monitoring solutions for Internet and/or e-mail gateways; masking of sensitive data where there is no business need to see it; multifactor authentication to systems that store sensitive data; physical access controls for facilities that store sensitive data; etc.
    Current state: Not Performed (0)   Desired state: Not Performed (0)

83  Do contract agreements include security requirements for outsourced software development?
    Guidance: Is source code required to be escrowed? Is the right to audit the quality and security of the source code reserved? Is ownership of intellectual property established? Is notice of security breaches required?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

84  Does the organization have a patch management strategy in place, with responsibilities assigned for monitoring and promptly responding to patch releases, security bulletins, and vulnerability reports?
    Guidance: Is there an accurate inventory of software systems? Are alert mechanisms established for newly discovered vulnerabilities in those systems? Is there a process for evaluating the criticality of newly released security patches? Are maintenance schedules and exception procedures established for critical security patches? Are systems scanned regularly for vulnerabilities, with findings reported to system and/or application owners?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

Supplier Relationships (ISO 15)
    Section average: Current state 0.00   Desired state 0.00

85  Does the organization specify security requirements in contracts with external entities (third parties) before granting access to sensitive organizational information assets?
    Guidance: How far has the organization formalized how outsider access to its resources (e.g., networks, systems, data) is secured?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

86  Are requirements addressed and remediated prior to granting access to data, assets, and information systems?
    Guidance: For example, does the organization have controls that detect a failure to meet minimum requirements and block access until the deficiencies are corrected?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

87  Do agreements for external information system services specify appropriate security requirements?
    Guidance: For example, security requirements described in service providers' contracts.
    Current state: Not Performed (0)   Desired state: Not Performed (0)

88  Does the organization have a process in place for assessing whether external information system providers comply with appropriate security requirements?
    Guidance: Does the organization perform risk assessments or reviews of external vendors prior to working with them?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

89  Is external information system service providers' compliance with security controls monitored?
    Guidance: Does the organization audit or otherwise monitor the security of external vendors over time?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

90  Are external information system service agreements executed and routinely reviewed to ensure security requirements are current?
    Guidance: For example, contracts undergo an annual security review.
    Current state: Not Performed (0)   Desired state: Not Performed (0)

Information Security Incident Management (ISO 16)
    Section average: Current state 0.00   Desired state 0.00

91  Are incident-handling procedures in place to report and respond to security events throughout the incident life cycle, including the definition of roles and responsibilities?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

92  Are the incident response staff aware of the legal or compliance requirements surrounding evidence collection?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

Information Security Aspects of Business Continuity Management (ISO 17)
    Section average: Current state 0.00   Desired state 0.00

93  Does the organization have a documented business continuity plan for information technology that is based on a business impact analysis, is periodically tested, and has been reviewed and approved by senior staff or the board of trustees?
    Guidance: Is there a well-defined IT disaster recovery plan in place, supporting the business continuity plan and/or incident response plan? Is it tested on a regular basis, either through tabletop exercises or through an actual working exercise that involves recovering data according to the published plan? Has the plan been vetted by business partners and/or trustees by validating the results of a business impact analysis?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

Compliance (ISO 18)
    Section average: Current state 0.00   Desired state 0.00

94  Does the organization have a records management or data governance policy that addresses the life cycle of both paper and electronic records at the organization?
    Guidance: Also known as a data retention policy.
    Current state: Not Performed (0)   Desired state: Not Performed (0)

95  Does the organization have an enforceable data protection policy that covers personally identifiable information (PII)?
    Guidance: Has the organization defined data classes, such as confidential, secure, protected, etc.? Are there well-defined policies for these data classes stating how the data should be stored and used?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

96  Does the organization have an Acceptable Use Policy that defines misuse?
    Guidance: Misuse of data or resources.
    Current state: Not Performed (0)   Desired state: Not Performed (0)

97  Does the organization provide guidance to the community on export control laws?
    Guidance: Are these policies published on a website or in a handbook? Is there a well-known subject matter expert who can be consulted if questions arise?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

98  Are standard operating procedures periodically evaluated for compliance with the organization's security policies, standards, and procedures?
    Guidance: Are departments' procedures checked against the latest organization policies to make sure they do not introduce exposures to their data or risk into their environment?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

99  Does the organization perform periodic application- and network-layer vulnerability testing or penetration testing against critical information systems?
    Guidance: Is regular penetration testing performed? Are vulnerability-checking tools used on a regular basis?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

100 Does the organization perform independent audits of information systems to identify strengths and weaknesses?
    Guidance: Are outside auditors or firms brought in to validate data security?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

101 Are audit tools properly separated from development and operational system environments to prevent misuse or compromise?
    Guidance: Are audit tools kept away from unauthorized personnel, so they cannot learn where vulnerabilities may be and how to exploit them?
    Current state: Not Performed (0)   Desired state: Not Performed (0)

Average maturity (percentage and levels): 0%   Current state 0.00   Desired state 0.00

Notes
ID No.   ISO 27002:2013   NIST SP 800-53 r4 Controls   NIST 800-171 r1 Controls
Risk Management (ISO 27005:2011)
1 No direct mapping, see ISO 27005 (risk management) RA-1 3.11.1
2 No direct mapping, see ISO 27005 (risk management) RA-2 3.11.1
3 No direct mapping, see ISO 27005 (risk management) RA-3 3.11.1
Information Security Policies (ISO 5)
4 5. Information Security Policies PL Family
5 5.1 Management direction for information security PL Family
6 5.1.1 Policies for information security PL Family 3.12.4
Organization of Information Security (ISO 6)
7 7.2.1 Management responsibilities PM-2, PM-3, PM-9; SP 800-39,SP 800-37
8 Deleted from ISO 27002:2013 CP-2, CP-4, IR-4, PL-1, PL-2, PM-2, SA-2; SP 800-39, SP 800-37
9 6.1.1 Information security roles and responsibilities AC-5, AC-6, CM-9, PM-2; SP 800-39, SP 800-37
10 Deleted from ISO 27002:2013 CA-1, CA-6, PM-10; SP 800-37
11 6.1.3 Contact with authorities Multiple controls with contact reference (e.g., IR-6, SI-5); SP 800-39, SP 800-37
12 6.1.4 Contact with special interest groups AT-5, SI-5
13 18.2.1 Independent review of information security CA-2, CA-7; SP 800-39, SP 800-37
Human Resource Security (ISO 7)
14 7.2.2 Information security awareness, education and training AT-2, AT-3, IR-2 3.2.1; 3.2.2
15 7.2.3 Disciplinary process AT-3, PS-8
16 7.3 Termination and change of employment PS-4
17 7.3.1 Termination or change of employment responsibilities AC-2, PS-4, PS-5, PE-3
8.1.4 Return of assets
9.2.6 Removal or adjustment of access rights
11.1 Secure areas
11.1.1 Physical security perimeter

18 11.1.2 Physical entry controls PE-3, PE-4, PE-5, PE-6


11.1.3 Securing offices, room and facilities
Asset Management (ISO 8)
19 8.1.1 Inventory of assets CM-8, CM-9, PM-5 3.4.1
20 8.1.2 Ownership of assets CM-8, CM-9, PM-5, AC-16, AC-20, PL-4, RA-2, MP-2, MP-3, SC-16 3.4.1
Access Control (ISO 9)
21 9.1 Business requirements of access control AC-1 3.1
22 9.1.1 Access control policy; 9.2 User access management AC-1, AC-3, AC-5, AC-6, AC-7, AC-9, AC-17, AC-18, AC-19, CM-5, MP-1, SI-9 3.1.1; 3.1.2; 3.1.4; 3.1.5
23 9.2.1 User registration and deregistration; 9.2.2 User access provisioning; 9.2.3 Management of privileged access rights AC-1, AC-2, AC-6, AC-21, IA-5, PE-1, PE-2, SI-9 3.1.1; 3.1.2; 3.1.4; 3.1.5
24 9.2.4 Management of secret authentication information of users AC-6, IA-5
25 9.2.5 Review of user access rights; 9.3 User responsibilities; 9.3.1 Use of secret authentication information; 11.2.8 Unattended user equipment; 11.2.9 Clear desk and clear screen policy AC-1, AC-2, AC-5, AC-6, AC-11, AC-17, AC-18, AC-20, IA-2, IA-5, PE-2, PE-3, PE-5, PE-18, SC-10, MP-4 3.1.1; 3.1.2; 3.1.4; 3.1.5
13. Communications security
9.1.2 Access to networks and network services

26 Deleted from ISO 27002:2013 AC-3, AC-6, AC-17, AC-18, SC-7


27 9.4 System and application access control AC-4, AC-17, AC-18
28 9.4.2 Secure log-on procedures AC-7, AC-8, AC-9, AC-10, IA-2, IA-6, IA-8, SC-10 3.1.8
29 9.2.1 User registration and deregistration IA-2, IA-4, IA-5, IA-8
9.2.2 User access provisioning
30 9.1.1 Access control policy AC-5, AC-24 3.1.4; 3.1.5; 3.1.6; 3.1.7; 3.5.3
9.2 User access management
9.2.3 Management of privileged access rights
31 9.4.3 Password management system IA-2, IA-5 3.5.5
32 9.4.2 Secure log-on procedures; 9.4.4 Use of privileged utility programs AC-2, AC-3, AC-6, AC-11, AC-14, CM-5, SC-10 3.1.6; 3.1.7; 3.1.8; 3.4.5
33 9.4.1 Information access restriction AC-19, SC-7; SP 800-39
6.2 Mobile devices and teleworking
34 6.2.1 Mobile device policy AC-1, AC-17, AC-18, AC-19, PL-4, PS-6 3.1.12; 3.1.16; 3.1.18
35 6.2 Mobile devices and teleworking AC-19, AC-24 3.1.18
6.2.1 Mobile device policy
6.2.2 Teleworking
Cryptography (ISO 10)
36 10. Cryptography SC-13 3.1.19
37 10. Cryptography SC-13 3.1.19
38 10.1.1 Policy on the use of cryptographic controls Multiple controls address cryptography (e.g., IA-7, SC-8, SC-9, SC-12, SC-13) 3.13.10
Physical and Environmental Security (ISO 11)
39 11.1.4 Protecting against external and environmental threats CP Family; PE-1, PE-2, PE-9, PE-10, PE-11, PE-13, PE-15 3.10.1
40 11.1.5 Working in secure areas; 11.1.6 Delivery and loading areas; 11.2 Equipment AT-2, AT-3, PL-4, PS-6, PE-1, PE-2, PE-3, PE-4, PE-6, PE-8, PE-9, PE-11, PE-12, PE-14, PE-16, PE-18 3.10.2
41 11.2.4 Equipment maintenance; 11.2.6 Security of equipment and assets off-premises MA Family, MP-5, PE-1, PE-3, PE-6 3.10.5
42 11.2.7 Secure disposal or re-use of equipment MP-6
43 11.2.5 Removal of assets MP-5 , MP-6, PE-16 3.8.3
12. Operations security
44 12.1.1 Documented operating procedures CM-9, PE-19, PE-20 3.8.7
Operations Security (ISO 12)
45 12.1.2 Change management CM-1, CM-3, CM-4, CM-5, CM-9 3.4.1; 3.4.2
46 12.1.2 Change management AC-5 3.4.4
47 6.1.2 Segregation of duties CM-2
48 15.2.1 Monitoring and review of supplier services SA-9
49 12.1.3 Capacity management AU-4, AU-5, CP-2, SA-2, SC-5
50 12.2.1 Controls against malware AC-19, AT-2, PE-20, SA-8, SC-2, SC-3, SC-7, SC-14, SC-38, SI-3, SI-7 3.13.13; 3.14.2
51 12.2.1 Controls against malware SI-8 3.14.2
52 12.3.1 Information backup CP-9
53 9.1.2 Access to networks and network services PE-2, PE-3, PE-6, PE-7, PE-8, PE-18
54 12.1.4 Separation of development, testing and operational environments; 13.1.3 Segregation in networks SC-32
55 13.1.1 Network controls AU-1, AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, AU-14, SI-4
56 8.3.1 Management of removable media; 8.3.2 Disposal of media; 8.2.3 Handling of assets; 13.2 Information transfer PE-16, SI-12, MP Family

57 14.1.2 Securing application services on public networks; 14.1.3 Protecting application services transactions AU-10, IA-8, SC-3, SC-7, SC-8, SC-9, SC-14
58 12.4.1 Event logging AU-1, AU-2, AU-3, AU-4, AU-5, AU-8, AU-11, AU-12 3.3
59 12.4.2 Protection of log information AU-1, AU-6, AU-7, AU-9, PE-6, PE-8, SC-7, SI-4 3.3.3; 3.3.5
60 12.4.1 Event logging; 12.4.3 Administrator and operator logs AU-12 3.3.1; 3.3.2
61 12.4.1 Event logging; 12.4.2 Protection of log information AU-8, AU-9, AU-11 3.3.8
62 12.4.3 Administrator and operator logs AU-2, AU-12 3.3.1; 3.3.2
63 14.2.2 System change control procedures; 12.4.1 Event logging SA-13 3.14.3
64 12.4.1 Event logging; 12.4.4 Clock synchronization AU-2, AU-12, SI-2 3.3.1; 3.3.7
Communications Security (ISO 13)
65 13.2.4 Confidentiality or nondisclosure agreements PL-4, PS-6, SA-9
66 13.1 Network security management CP-9, CP-10
67 13.1.1 Network controls; 13.1.2 Security of network services AC-4, AC-17, AC-18, AC-20, CA-3, CP-8, PE-5, SC-7, SC-8, SC-9, SC-10, SC-19, SC-20, SC-21, SC-22, SC-23 3.13.1
68 13.2.1 Information transfer policies and procedures; 13.2.2 Agreements on information transfer; 13.2.3 Electronic messaging Multiple controls (electronic messaging is not addressed separately in SP 800-53): AC-1, AC-3, AC-4, AC-17, AC-18, AC-20, CA-3, PL-4, PS-6, SC-7, SC-16, SI-9, SA-9, MP-5
69 13.1.1 Network controls AC-17, AC-18, AC-19, AC-20, CA-3, IA-2, IA-3, IA-8
70 13.1.3 Segregation in networks AC-3, AC-6, AC-17, AC-18, PE-3, MA-3, MA-4, SC-4
Systems Acquisition, Development, and Maintenance (ISO 14)
71-72 14. System acquisition, development and maintenance; 14.1 Security requirements of information systems AC-1, AC-4, AC-17, AC-18, PE-17, PL-4, PS-6
73 14.1.1 Information security requirements analysis and specification; 14.1.2 Securing application services on public networks PL-7, PL-8, SA-1, SA-3, SA-4
74 Deleted from ISO 27002:2013 SI-10
75 Deleted from ISO 27002:2013 SI-7, SI-9, SI-10
76 Deleted from ISO 27002:2013 AU-10, SC-8, SC-23, SI-7
77 10.1.2 Key management; 12.5 Control of operational software SC-12, SC-17
78 12.5.1 Installation of software on operational systems; 12.6.2 Restrictions on software installation CM-1, CM-2, CM-3, CM-4, CM-5, CM-9, CM-10, CM-11, PL-4 3.4.8; 3.4.9
79 14.3.1 Protection of test data
80 9.4.5 Access control to program source code AC-3, AC-6, CM-5, CM-9, MA-5, SA-10
81 14.2.1 Secure development policy SC-2, SC-3, SC-4, SC-5, SC-6, SC-7, SC-8, SC-9, SC-10, SC-11, SC-12, SC-13, SC-14, SC-17, SC-18, SC-20, SC-21, SC-22, SC-23
82 14.2.2 System change control procedures; 14.2.3 Technical review of applications after operating platform changes; 14.2.4 Restrictions on changes to software packages CM-1, CM-3, CM-4, CM-5, CM-9, SA-10, SI-2

83 Deleted from ISO 27002:2013 AC-4, IR-9, PE-19


84 14.2.7 Outsourced development CM-10, CM-11, SA-1, SA-4, SA-8, SA-9, SA-11, SA-12, SA-15, SA-17
Supplier Relationships (ISO 15)
85 Deleted from ISO 27002:2013 CA-3, PM-9, RA-3, SA-1, SA-9, SC-7
86 15.1.2 Addressing security within supplier agreements AU-16, CA-2, CA-3, PS-7, SA-9
87 15.2.1 Monitoring and review of supplier services; 15.2.2 Managing changes to supplier services RA-3, SA-9, SA-10
88 15.1.1 Information security policy for supplier relationships; 15.1.2 Addressing security within supplier agreements AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1
89 15.1.1 Information security policy for supplier relationships; 15.1.2 Addressing security within supplier agreements AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1
90 15.1.1 Information security policy for supplier relationships; 15.1.2 Addressing security within supplier agreements AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1
Information Security Incident Management (ISO 16)
91 16.1.4 Assessment of and decision on information security events RA-3, RA-5, SI-2, SI-5 3.6.1; 3.14.3
92 16.1 Management of information security incidents and improvements; 16.1.1 Responsibilities and procedures; 16.1.2 Reporting information security events; 16.1.3 Reporting information security weaknesses; 16.1.6 Learning from information security incidents AU-6, IR-1, IR-4, IR-6, PL-4, SI-2, SI-4, SI-5

Information Security Aspects of Business Continuity Management (ISO 17)


93 17. Information security aspects of business continuity management AU-7, AU-9, IR-4
Compliance (ISO 18)
94 18.1 Compliance with legal and contractual requirements CP-1, CP-2, CP-4, PM-9, RA Family
95 18.1.3 Protection of records AU-9, AU-11, CP-9, MP-1, MP-4, SA-5, SI-12
96 18.1.4 Privacy and protection of personally identifiable information Appendix J; SI-12
97 Deleted from ISO 27002:2013 AC-8, AU-6, CM-11, PL-4, PS-6, PS-8
98 18.1.5 Regulation of cryptographic controls IA-7, SC-13
99 18.2.2 Compliance with security policies and standards AC-2, CA-2, CA-7, IA-7, PE-8, SI-12
100 18.2.3 Technical compliance review CA-2, CA-7, RA-5
101 12.7.1 Information systems audit controls AU-1, AU-2, AU-9 3.3.1; 3.3.2
NIST Cybersecurity Framework   CIS 20 Critical Security Controls (ver 6.1)   (remaining two columns of the Notes table above, listed in the same ID order)

ID.RM-1
ID.RM-1
ID.RM-1, ID.GV-4

ID.GV-1
ID.GV-1
ID.GV-1

ID.AM-6; ID.GV-2

ID.AM-6
DE.DP-4, RS.CO-3, RS.CO-5

RS.CO-5

PR.AT-1 CSC 17

PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5 CSC 17


PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-6
PR.AC-4, PR.DS-3 CSC 16

PR.AC-4, PR.DS-3 CSC 16

ID.AM-1, ID.AM-2 CSC 1 (devices), CSC 2 (software), CSC13


ID.AM-5 (data)
CSC 13
PR.AC-1, PR.AC-4
PR.AC-1, PR.AC-4 CSC 5, CSC 16

PR.AC-1, PR.AC-4 CSC 5

PR.AC-4 CSC 5

PR.AC-3 CSC 3

PR.DS-5
PR.DS-6 CSC 5, CSC 16
CSC 16

PR.AC-1, PR.AC-4 CSC 5

CSC 5

CSC 16
CSC 13

CSC 14
PR.AC-3

PR.DS-2 CSC 14
PR.DS-1, PR.DS-2, CSC 14
PR.DS-6

PR.PT-3, PR.AC-2

PR.IP-5, PR.DS-4

PR.IP-5, PR.PT-3

PR.MA-1
PR.IP-6

PR.DS-3, PR.DS-5

PR.IP-1 CSC 3
PR.IP-2, PR.IP-3
PR.AC-4
PR.DS-8
DE.AE-1, PR.DS-4
DE.CM-4, RS.MI-1, RS.MI-2 CSC 4, CSC 8

DE.CM-4, RS.MI-1, RS.MI-2 CSC 7, CSC 8


PR.IP-4 CSC 10
CSC 11
PR.AC-5 CSC 9, CSC 12, CSC 14

CSC 11

PR.PT-2, PR.IP-6 CSC 13

PR.PT-1 CSC 4, CSC 6


PR.PT-1 CSC 4, CSC 6

PR.PT-1 CSC 4, CSC 6

PR.PT-1 CSC 4, CSC 6

PR.PT-1 CSC 4, CSC 6


PR.DS-7 CSC 3

CSC 6

PR.IP-11
PR.IP-4 CSC 10
DE.CM-1 CSC 15

PR.DS-1, PR.DS-2, PR.DS-5, PR.IP-6 CSC 14

CSC 12

DE.CM-7 CSC 15

ID.AM-4 CSC 3
CSC 3
PR.IP-12 CSC 18

PR.DS-7

CSC 18

PR.DS-8
CSC 18
PR.IP-3
PR.IP-3

PR.DS-5

ID.AM-6
PR.IP-12 CSC 4

ID.AM-4

ID.AM-4

ID.AM-4

ID.AM-4

ID.AM-4

RS.RP-1, RS.CO-1, RS.CO-2, RS.CO-3, CSC 19


RS.CO-4
ID.GV-3, RS.AN-3 CSC 19

PR.IP-9 CSC 10
ID.GV-2

ID.GV-3

PR.IP-12, DE.CM-8
PR.IP-7
Description Value
Not Performed 0
Performed Informally 1
Planned 2
Well Defined 3
Quantitatively Controlled 4
Continuously Improving 5
Not Applicable
