Cybersecurity Questionnaire
People
2.2.1 Does your organization have physical access controls in place for secure areas, such as server rooms or data centers? Yes/No
2.2.2 Does your organization have controls in place to monitor and log access to secure areas? Yes/No
2.3.1 Does your organization have a process in place for granting and revoking user access to resources? Yes/No
2.3.2 Is access to resources reviewed and updated regularly? Yes/No
2.8 Zoning
Technology
• How are mobile devices managed and secured, both when used within the organization and outside of it?
• How is confidential information stored on mobile devices protected?
• How are servers and data centers monitored for security threats?
• How often are updates and patches applied, and how is this schedule determined?
5.1.3 Are there any tools or technologies in place for network activity monitoring (e.g. intrusion detection/prevention systems, network behavioral analysis)? Yes/No
5.1.4 How often are the logs from these tools reviewed and by whom?
Action item: Regularly review network activity logs and have a process for responding to security incidents.
5.2.3 How often are the logs from these tools reviewed and by whom?
5.3.4 How often are the logs from these tools reviewed and by whom?
Action item: Regularly review access logs and have a process for responding to security incidents.
5.4.1 Do you monitor user accounts for suspicious activity (e.g. login attempts from unfamiliar locations)? Yes/No
5.4.3 How often are the logs from these tools reviewed and by whom?
Action item: Regularly review user account logs and have a process for responding to security incidents.
5.5.2 Are the logs from all sources regularly reviewed for potential security incidents? Yes/No
5.5.3 Do you have processes in place for preserving and securing log data for compliance and incident response purposes? Yes/No
6.1.1 Do you have an off-site backup solution in place for your critical data and systems? Yes/No
6.1.2 Do you back up your data and systems on a regular basis (e.g. daily, weekly, monthly)? Yes/No
6.1.3 How often do you verify the integrity and completeness of your backups? (multiple checkboxes, e.g. weekly, monthly, quarterly, annually or never)
Action item: Regularly back up critical data and systems, secure the backups, and regularly test restore procedures.
6.2.1 Do you have a disaster recovery plan in place for your critical systems and data? Yes/No
6.2.2 Have you tested your disaster recovery plan in a recent disaster recovery drill? Yes/No
Action item: Develop and regularly test a disaster recovery plan for critical systems and data.
6.3.4 How do you regularly train and educate your incident response team? (multiple checkboxes, e.g. internal training sessions, simulated incidents, etc.)
6.4.1 How often do you review and update your disaster recovery and incident response plans? (multiple checkboxes, e.g. annually, bi-annually, quarterly, etc.)
6.4.2 How do you test your disaster recovery and incident response plans? (multiple checkboxes, e.g. simulated incidents, tabletop exercises, etc.)
Action item: Regularly review and test disaster recovery and incident response plans to ensure they are up to date and effective.
6.5.3 How do you regularly educate and train your employees on the dangers of ransomware and best practices for avoiding it?
7.1.3.1 How does your governance structure ensure that security risks are effectively managed? (provide a brief description)
7.2.2.1 Can you describe the procedures for evaluating and mitigating security risks? (provide a brief description)
7.3.2 Are all employees required to read and sign off on the security policies and procedures? Yes/No
7.4 ISMS/Certifications
8.1.2.1 How often do you assess the security practices of suppliers and third-party vendors? (checkboxes: yearly, bi-annual, quarterly, monthly)
8.2 KPIs
8.2.2 Can you describe the KPIs used to monitor the performance of suppliers and third-party vendors with regard to information security? (provide a brief description)
8.3.2 Can you describe the procedures for managing the security of information processed by suppliers and third-party vendors? (provide a brief description)
8.4.2 Can you describe the procedures for managing the security of client information? (provide a brief description)
9.1.2 What are the critical business functions that require protection during a disaster?
9.2.1 What is the scope of the business continuity plan, and how is it reviewed and updated regularly?
9.2.2 What strategies have been put in place to ensure the recovery of critical business functions during a disaster?
9.3.1 What testing strategies are used to evaluate the readiness of the business continuity plan and incident response plan?
9.3.2 How frequently are these strategies tested, and what is the expected outcome?
9.3.3 How are results from the testing strategies analyzed and used to improve the plan?
9.3.4 How is the level of preparedness for a disaster evaluated, and what steps are taken to improve it if necessary?
• What policies and procedures are in place to ensure privacy and data protection?
• What steps have been taken to train employees on privacy and data protection practices?
10.2 Encryption
• What steps have been taken to ensure the privacy and security of data stored in the cloud?
• How do you ensure that your security practices are in line with the requirements of these frameworks and regulations?