
DISCLAIMER: Where an item has no number in front of it, it is an action item and not a threat.

Cybersecurity Questionnaire

People

1. Education and Awareness

1.1 User Awareness and Training

1.1.1 Does your organization have a user awareness program in place to educate employees on cyber threats and safe practices?

Yes/No

1.1.2 How often do you conduct user awareness training sessions? (Quarterly, twice a year, annually, other)

1.1.3 Do you provide training on specific topics such as password security, email security, and safe browsing habits?

Yes/No

1.1.4 Do you have a process in place to assess the effectiveness of your user awareness program?

Yes/No

Threats: Phishing attacks, social engineering attacks, human error

Action item: Regular user awareness training and assessment of effectiveness.

2. Access Management & Physical security

2.1 IAM (Identity and Access Management)

2.1.1 Does your organization have a centralized system for managing user identities and access to resources?

Yes/No

2.1.2 Are users granted access based on the principle of least privilege?

Yes/No

2.1.3 Are user access privileges reviewed and updated regularly?

Yes/No

2.2 Access control

2.2.1 Does your organization have physical access controls in place for secure areas, such as server rooms or data centers?

Yes/No

2.2.2 Does your organization have controls in place to monitor and log access to secure areas?

Yes/No

2.3 Authorization Management

2.3.1 Does your organization have a process in place for granting and revoking user access to resources?

Yes/No

2.3.2 Is access to resources reviewed and updated regularly?

Yes/No

2.4 Password Management

2.4.1 Does your organization have a password policy in place that requires strong passwords and regular updates? (Note: NIST SP 800-63B recommends screening passwords against breached-password lists and changing them on evidence of compromise rather than forcing periodic rotation.)

Yes/No

2.4.2 Does your organization prevent the use of common and known-breached passwords?

Yes/No
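
The check behind 2.4.2 can be automated at password-set time. The following is an added example, not part of the original questionnaire: it screens a candidate password against a breached-password corpus using the k-anonymity pattern of the Have I Been Pwned range API (only the first five hex characters of the SHA-1 digest leave the client; matching is done locally on the returned suffixes). The corpus and the minimum length are constructed assumptions for the example; in production the range lookup would be an HTTPS call or a local copy of a real breach corpus.

```python
"""Breached/common-password screening with a k-anonymity prefix lookup.

Added example for questionnaire item 2.4.2; not from the original document.
BREACHED_CORPUS is a constructed stand-in for a real breach corpus.
"""
import hashlib
from collections import defaultdict

# Constructed sample of "known-breached" passwords (hypothetical corpus).
BREACHED_CORPUS = ["password", "123456", "qwerty", "letmein", "Summer2023!", "P@ssw0rd"]


def build_range_index(passwords):
    """Index SHA-1 digests by their 5-hex-char prefix, as a range API would serve them."""
    index = defaultdict(set)
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_CORPUS)


def range_query(prefix, index=RANGE_INDEX):
    """The only thing that crosses the trust boundary: a 5-char prefix in, suffixes out.

    Stands in for GET https://api.pwnedpasswords.com/range/<prefix>; here it is
    answered from the local index so the example runs offline.
    """
    return index.get(prefix, set())


def is_breached(password, index=RANGE_INDEX):
    """True if the password's full SHA-1 appears in the corpus (compared client-side)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix, index)


def check_password(password, min_length=12, index=RANGE_INDEX):
    """Return the list of policy failures; an empty list means the password is acceptable.

    Mirrors NIST SP 800-63B guidance: enforce a minimum length and a breached-list
    screen, but do not impose character-class composition rules.
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if is_breached(password, index):
        failures.append("appears in breached-password corpus")
    return failures
```

The point of the prefix split is that the service answering the range query never learns the password or even its full hash; a candidate that is long enough but present in the corpus (`Summer2023!` in the constructed list) is still rejected, which is exactly what 2.4.2 asks for.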

2.5 Multi-factor Authentication

2.5.1 Does your organization require multi-factor authentication for sensitive resources such as email and financial systems?

Yes/No

2.6 Admin/elevated access

2.6.1 Do administrators use a separate account for administrative access, distinct from their day-to-day account, limited to the privileges the role needs and protected by multi-factor authentication?

Yes/No

2.6.2 Are administrative access sessions monitored and logged for auditing purposes?

Yes/No

2.7 Physical Access Management

2.7.1 Does your organization have policies in place for controlling physical access to sensitive areas, such as server rooms or data centers?

Yes/No

2.8 Zoning

2.8.1 Does your organization have physical zoning controls in place to separate sensitive areas from public areas?

Yes/No

2.9 Clean Desk

2.9.1 Does your organization have a clean desk policy in place to reduce the risk of confidential information being accessible to unauthorized persons?

Yes/No

Threats: Unauthorized access, data breaches, insider threats

Action item: Implement robust identity and access management controls, physical security controls, and regularly review and update access privileges.

Technology

3. Cloud & Network security

3.1 Remote Work

3.1.1 Does your organization have policies and technologies in place to secure remote access to the network and sensitive data?

Yes/No

3.1.2 Are remote devices managed and secured by your organization?

Yes/No

3.2 Network Environment (infrastructure)

3.2.1 Does your organization have firewalls in place to protect the network perimeter?

Yes/No

4. Asset Protection & Configuration

4.1 Asset Management

• What is the process for tracking and managing the organization's IT assets?

• How often is the inventory of IT assets updated?

• How is the confidential information stored in the IT assets protected?

4.2 Vulnerability Management

• What is the process for identifying vulnerabilities in the organization's systems and applications?

• How are vulnerabilities prioritized and remediated?

• Is there a regular schedule for conducting vulnerability scans and assessments?

4.3 Systems & Application Security

• What measures are in place to protect the organization's systems and applications from external threats?

• How are systems and applications tested for security vulnerabilities before being deployed?

• What is the process for responding to security incidents involving systems and applications?

4.4 Email & DNS Security

• What measures are in place to protect against phishing and other email-based attacks?

• How is the organization's email infrastructure secured against unauthorized access and tampering?

• How does the organization protect against DNS-based attacks?
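
Two of the controls an assessor will look for under 4.4 are the domain's SPF and DMARC records, and the common failure is not their absence but a permissive configuration. The following is an added example (not from the original questionnaire) that parses the two TXT record types and flags the weak settings: an SPF record that ends in `+all`/`?all` (any host may send), `~all` (soft fail only), or more than the ten DNS-lookup mechanisms RFC 7208 allows, and a DMARC policy of `p=none`, a partial `pct`, or no aggregate-report address. The record strings for the hypothetical domain are constructed; nothing is resolved over the network.

```python
"""SPF and DMARC record sanity checks.

Added example for questionnaire section 4.4; not from the original document.
The record strings are constructed for a hypothetical domain and are parsed
offline (no DNS lookups).
"""

# Constructed records: the weak form beside the corrected one.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

# Mechanisms/modifiers that cost a DNS lookup and count toward the RFC 7208 limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return (mechanisms, all_qualifier) for a 'v=spf1 ...' record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in parts[1:]:
        qualifier, body = "+", term          # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, body))
    return mechanisms, all_qualifier


def spf_findings(record):
    mechanisms, all_q = parse_spf(record)
    findings = []
    if all_q is None:
        findings.append("no 'all' mechanism: unlisted senders are neutral")
    elif all_q in ("+", "?"):
        findings.append(f"'{all_q}all' allows any host to send as the domain")
    elif all_q == "~":
        findings.append("'~all' only soft-fails spoofed mail; prefer '-all'")
    lookups = sum(1 for _, m in mechanisms
                  if m.split(":")[0].split("=")[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceeds the RFC 7208 limit of 10")
    return findings


def parse_dmarc(record):
    """Return the tag=value pairs of a 'v=DMARC1; ...' record as a dict."""
    tags = {}
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_findings(record):
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' aggregate-report address: failures are invisible")
    return findings
```

A clean result for both records means unauthenticated mail claiming the domain is rejected by receivers, which is the measurable form of "protection against phishing" the question asks about; `p=none` is a legitimate first step while reports are collected, but it should not be the steady state.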

4.5 Endpoint Protection

• What measures are in place to protect the organization's endpoint devices (such as laptops, desktops, and mobile devices)?

• How are endpoint devices monitored for security threats?

• What is the process for responding to security incidents involving endpoint devices?

4.6 Mobile Device Management

• What measures are in place to secure and manage the organization's mobile devices?

• How are mobile devices managed and secured both when used within the organization and outside of it?

• How is confidential information stored on mobile devices protected?

4.7 Servers & Datacenter

• What measures are in place to secure the organization's servers and data centers?

• How are servers and data centers monitored for security threats?

• What is the process for responding to security incidents involving servers and data centers?

4.8 Hardening (Secure Configuration)

• What steps are taken to secure the configuration of the organization's systems and applications?

• How is the security of systems and applications regularly reviewed and tested?

• How is the security of systems and applications maintained over time, as updates and patches are applied?

4.9 Patch Management

• What is the process for applying software updates and patches to the organization's systems and applications?

• How often are updates and patches applied, and how is this schedule determined?

• What measures are in place to ensure that updates and patches do not disrupt the operation of the organization's systems and applications?

4.10 Malware Security

• What measures are in place to detect and prevent malware infections?

• How is malware detected, and how are infected systems and applications remediated?

• What is the process for responding to security incidents involving malware?

5. Security Monitoring & Threat Intelligence

5.1 Network activity monitoring

5.1.1 Do you monitor network activity for suspicious traffic or behavior? Yes/No

5.1.2 Do you have a process for investigating and responding to network security incidents? Yes/No

5.1.3 Are there any tools or technologies in place for network activity monitoring (e.g. intrusion detection/prevention systems, network behavioral analysis)? Yes/No

5.1.4 How often are the logs from these tools reviewed and by whom?

Threat: Network attacks, unauthorized access to sensitive information

Action item: Regularly review network activity logs and have a process for responding to security incidents.

5.2 Security monitoring

5.2.1 Do you have processes in place for monitoring and detecting security threats (e.g. malware, phishing attacks)? Yes/No

5.2.2 Are there any tools or technologies in place for security monitoring (e.g. security information and event management (SIEM) systems, anti-malware solutions)? Yes/No

5.2.3 How often are the logs from these tools reviewed and by whom?

Threat: Malware infections, phishing attacks

Action item: Regularly review security monitoring logs and have a process for responding to security incidents.

5.3 Access monitoring

5.3.1 Do you monitor access to sensitive information (e.g. confidential data, system logs)? Yes/No

5.3.2 Do you have processes in place for detecting and responding to unauthorized access to sensitive information? Yes/No

5.3.3 Are there any tools or technologies in place for access monitoring (e.g. log management, data loss prevention (DLP) systems)? Yes/No

5.3.4 How often are the logs from these tools reviewed and by whom?

Threat: Data breaches, unauthorized access to sensitive information

Action item: Regularly review access logs and have a process for responding to security incidents.

5.4 Account monitoring

5.4.1 Do you monitor user accounts for suspicious activity (e.g. login attempts from unfamiliar locations)? Yes/No

5.4.2 Are there any tools or technologies in place for account monitoring (e.g. user behavior analytics)? Yes/No

5.4.3 How often are the logs from these tools reviewed and by whom?

Threat: Account compromise, unauthorized access to sensitive information

Action item: Regularly review user account logs and have a process for responding to security incidents.
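
"Monitoring accounts for suspicious activity" (5.4.1) and "reviewing the logs" (5.4.3) become concrete once the review is expressed as detection rules. The following is an added example, not from the original questionnaire: it runs two rules over authentication events, a successful login from a country the account has never used before (the "unfamiliar location" case named in 5.4.1) and a burst of failures followed by a success (the signature of a brute-force or password-spray hit). The log format (one `key=value` line per event) and the log lines themselves are constructed for the example; a real deployment would feed the same logic from the identity provider's sign-in log.

```python
"""Account-anomaly rules over authentication log lines.

Added example for questionnaire section 5.4; not from the original document.
SAMPLE_LOG is constructed: one event per line, 'timestamp key=value ...'.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-05T08:12:31Z user=alice result=success src=203.0.113.7 geo=NL
2024-03-05T08:40:02Z user=alice result=success src=203.0.113.9 geo=NL
2024-03-05T09:01:10Z user=bob result=failure src=198.51.100.20 geo=US
2024-03-05T09:01:12Z user=bob result=failure src=198.51.100.20 geo=US
2024-03-05T09:01:14Z user=bob result=failure src=198.51.100.20 geo=US
2024-03-05T09:01:15Z user=bob result=failure src=198.51.100.20 geo=US
2024-03-05T09:01:17Z user=bob result=failure src=198.51.100.20 geo=US
2024-03-05T09:01:20Z user=bob result=success src=198.51.100.20 geo=US
2024-03-05T11:30:00Z user=alice result=success src=192.0.2.44 geo=BR
"""


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict with a parsed datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text, fail_threshold=5, window=timedelta(minutes=10), baseline_events=1):
    """Return alerts as (timestamp, user, rule, detail) tuples, in log order.

    baseline_events: how many earlier successes an account needs before a new
    country is treated as anomalous rather than as the account's first baseline.
    """
    known_geo = defaultdict(set)          # user -> countries seen in earlier successes
    success_count = defaultdict(int)
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside window
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, ts = ev["user"], ev["ts"]
        fails = recent_failures[user]
        while fails and ts - fails[0] > window:   # drop failures outside the window
            fails.popleft()
        if ev["result"] == "failure":
            fails.append(ts)
            continue
        # Rule 1: success right after a burst of failures.
        if len(fails) >= fail_threshold:
            alerts.append((ts, user, "brute_force_success",
                           f"{len(fails)} failures within {window} before success from {ev['src']}"))
        fails.clear()
        # Rule 2: success from a country this account has never used.
        if success_count[user] >= baseline_events and ev["geo"] not in known_geo[user]:
            alerts.append((ts, user, "new_location",
                           f"first login from {ev['geo']} ({ev['src']}); baseline {sorted(known_geo[user])}"))
        known_geo[user].add(ev["geo"])
        success_count[user] += 1
    return alerts


if __name__ == "__main__":
    for ts, user, rule, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:<6} {rule:<21} {detail}")
```

On the constructed log this raises exactly two alerts: bob's success after five failures in ten seconds, and alice's first login from BR after an NL-only baseline. The thresholds and the one-event baseline are tuning knobs; the review cadence asked about in 5.4.3 is what decides how quickly such alerts are actually looked at.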

5.5 Log management

5.5.1 Do you have a centralized log management system for storing and analyzing logs from various sources (e.g. network activity, security monitoring, access monitoring)? Yes/No

5.5.2 Are the logs from all sources regularly reviewed for potential security incidents? Yes/No

5.5.3 Do you have processes in place for preserving and securing log data for compliance and incident response purposes? Yes/No

Threat: Lack of visibility into security incidents, inability to respond to security incidents

Action item: Implement a centralized log management system and regularly review logs for potential security incidents.

6. Back-up & recovery

6.1 Back-ups

6.1.1 Do you have an off-site backup solution in place for your critical data and systems? Yes/No

6.1.2 Do you backup your data and systems on a regular basis (e.g. daily, weekly, monthly)? Yes/No

6.1.3 How often do you verify the integrity and completeness of your backups? (multiple checkboxes like: weekly, monthly, quarterly, annually or never)

6.1.4 How do you secure your backups? (multiple checkboxes like: encryption, separate physical location, access control, etc.)

6.1.5 Have you tested restoring your backups in a recent disaster recovery drill? Yes/No

Threats: Data loss, data theft, ransomware attacks.

Action item: Regularly backup critical data and systems, secure backups and regularly test restore procedures.

6.2 Disaster Recovery

6.2.1 Do you have a disaster recovery plan in place for your critical systems and data? Yes/No

6.2.2 Have you tested your disaster recovery plan in a recent disaster recovery drill? Yes/No

6.2.3 Who is responsible for executing the disaster recovery plan in case of an incident?

6.2.4 How do you communicate the disaster recovery plan to all relevant parties?

Threats: Data loss, system downtime, business interruption.

Action item: Develop and regularly test a disaster recovery plan for critical systems and data.

6.3 Incident Management

6.3.1 Do you have an incident response plan in place? Yes/No

6.3.2 Who is responsible for executing the incident response plan in case of an incident?

6.3.3 How do you communicate the incident response plan to all relevant parties?

6.3.4 How do you regularly train and educate your incident response team? (multiple checkboxes like: internal training sessions, simulated incidents, etc.)

Threats: Data breaches, data loss, system downtime, business interruption.

Action item: Develop and regularly update an incident response plan and train the incident response team.

6.4 Planning & Testing

6.4.1 How often do you review and update your disaster recovery and incident response plans? (multiple checkboxes like: annually, twice a year, quarterly, etc.)

6.4.2 How do you test your disaster recovery and incident response plans? (multiple checkboxes like: simulated incidents, tabletop exercises, etc.)

Threats: Inadequate disaster recovery and incident response plans.

Action item: Regularly review and test disaster recovery and incident response plans to ensure they are up-to-date and effective.

6.5 Ransomware Threat

6.5.1 Do you have a plan in place to prevent or respond to a ransomware attack? Yes/No

6.5.2 Have you tested your plan to prevent or respond to a ransomware attack in a recent disaster recovery drill? Yes/No

6.5.3 How do you regularly educate and train your employees on the dangers of ransomware and best practices for avoiding it?

Threats: Ransomware attacks, data loss, system downtime, business interruption.

Action item: Develop and regularly update a plan to prevent and respond to ransomware attacks and educate employees on best practices for avoiding them.

7. Security Management (GRC + BCM)

7.1 Security Governance

7.1.1 Do you have a designated person responsible for ensuring compliance with the security policies and procedures? Yes/No

7.1.1.1 Who is the designated person responsible for ensuring compliance with the security policies and procedures? (fill in the name)

7.1.2 Have you established a governance structure for managing information security risks? Yes/No

7.1.2.1 How does your governance structure ensure that security risks are effectively managed? (provide a brief description)

7.2 Risk Management

7.2.1 Do you conduct regular risk assessments to identify and evaluate security risks? Yes/No

7.2.1.1 How often do you conduct risk assessments? (checkboxes: yearly, twice a year, quarterly, monthly)

7.2.2 Have you established procedures for evaluating and mitigating security risks? Yes/No

7.2.2.1 Can you describe the procedures for evaluating and mitigating security risks? (provide a brief description)

7.3 Policies and procedures

7.3.1 Do you have written policies and procedures that address information security? Yes/No

7.3.1.1 Are the policies and procedures reviewed and updated regularly? Yes/No

7.3.1.1.1 How often are the policies and procedures reviewed and updated? (checkboxes: yearly, twice a year, quarterly, monthly)

7.3.2 Are all employees required to read and sign off on the security policies and procedures? Yes/No

7.4 ISMS/Certifications

7.4.1 Are you ISO 27001 certified? Yes/No

7.4.2 Have you implemented an Information Security Management System (ISMS)? Yes/No

7.4.2.1 Which ISMS framework have you implemented? (provide the name of the framework)

8. Suppliers & third parties

8.1 Contract management

8.1.1 Do you include information security clauses in contracts with suppliers and third-party vendors? Yes/No

8.1.2 Do you regularly assess the security practices of suppliers and third-party vendors? Yes/No

8.1.2.1 How often do you assess the security practices of suppliers and third-party vendors? (checkboxes: yearly, twice a year, quarterly, monthly)

8.2 KPIs

8.2.1 Do you have Key Performance Indicators (KPIs) in place to monitor the performance of suppliers and third-party vendors with regards to information security? Yes/No

8.2.2 Can you describe the KPIs used to monitor the performance of suppliers and third-party vendors with regards to information security? (provide a brief description)

8.3 Supplier management

8.3.1 Have you established procedures for managing the security of information processed by suppliers and third-party vendors? Yes/No

8.3.2 Can you describe the procedures for managing the security of information processed by suppliers and third-party vendors? (provide a brief description)

8.4 Client management

8.4.1 Do you have procedures in place for managing the security of client information? Yes/No

8.4.2 Can you describe the procedures for managing the security of client information? (provide a brief description)

9. Business Continuity & Incident Management

9.1 Business Impact Assessment

9.1.1 What measures have been taken to assess the impact of potential business disruptions?

9.1.2 What are the critical business functions that require protection during a disaster?

9.1.3 How is the priority of the restoration of these critical business functions determined?

9.1.4 How is the impact of a potential data loss calculated and prioritized?

9.1.5 What methodologies have been used to determine the maximum tolerable downtime for each critical business function?

9.2 Business Continuity Plan

9.2.1 What is the scope of the business continuity plan and how is it reviewed and updated regularly?

9.2.2 What strategies have been put in place to ensure the recovery of critical business functions during a disaster?

9.2.3 How is the business continuity plan tested and validated to ensure its effectiveness?

9.2.4 How are employees, contractors and third-party providers trained to respond to a disaster?

9.2.5 What methods have been put in place to communicate with employees, contractors, and customers during a disaster?

9.3 Planning & Testing

9.3.1 What testing strategies are used to evaluate the readiness of the business continuity plan and incident response plan?

9.3.2 How frequently are these strategies tested and what is the expected outcome?

9.3.3 How are results from the testing strategies analyzed and used to improve the plan?

9.3.4 How is the level of preparedness for a disaster evaluated, and what steps are taken to improve it if necessary?

9.3.5 How is the effectiveness of the incident response plan evaluated and what steps are taken to improve it if necessary?

10. Compliance (GDPR + Security assessments)

10.1 Privacy Management

• What policies and procedures are in place to ensure privacy and data protection?

• How do you monitor and ensure compliance with privacy regulations such as GDPR?

• What steps have been taken to train employees on privacy and data protection practices?

• How do you handle and report data breaches or privacy incidents?

10.2 Encryption

• How do you ensure that sensitive data is encrypted in transit and at rest?

• What encryption technologies and methods do you use?

• How do you manage encryption keys and ensure their security?

• What measures are in place to prevent unauthorized access to encrypted data?

10.3 Data Classification

• How do you classify sensitive data and determine appropriate levels of protection?

• How is access to sensitive data controlled and monitored?

• How is the accuracy and completeness of data classifications ensured over time?

10.4 Secure File Transfer

• How do you securely transfer sensitive data between systems and/or third-party entities?

• What methods and technologies do you use to secure file transfers?

• How do you ensure that sensitive data is protected during transit?

• How do you manage and monitor file transfer activities to detect and prevent unauthorized access?

10.5 Cloud assessments

• How do you assess the security of cloud services prior to adoption?

• How do you monitor the security of cloud services to ensure ongoing compliance with security standards?

• What steps have been taken to ensure the privacy and security of data stored in the cloud?

• How do you handle and report security incidents related to cloud services?

10.6 Penetration Testing & security testing

• How do you conduct regular penetration testing to identify vulnerabilities in your systems and infrastructure?

• How do you prioritize and address identified vulnerabilities?

• What methods do you use to test the security of your applications and systems?

• How do you ensure that security testing is thorough and comprehensive?

10.7 Self-assessments, Audits/Certifications

• How often do you conduct self-assessments to evaluate your security posture and identify areas for improvement?

• How do you prioritize and address findings from self-assessments?

• Have you undergone any security-related audits or certifications? If so, which ones and when were they performed?

• How do you ensure that security assessments, audits, and certifications are performed regularly and effectively?

10.8 Compliance frameworks

• Which compliance frameworks and regulations do you adhere to?

• How do you ensure that your security practices are in line with the requirements of these frameworks and regulations?

• How do you monitor and report on compliance with these frameworks and regulations?
