Cover
Group of companies:
Company:
Location:
Address:
Homepage:
Scope:
Contact person:
Telephone number:
E-Mail address:
Creator:
Telephone number:
E-Mail address:
Managing Director:
Signature:
420173023.xlsx /
Printed on: 05/11/2019 Page 1 of 8
Information Security Assessment
Results
Company: 0
Location: 0
Date: 12/30/1899
Result with cutback to target maturity levels: 0.00
Maximum Score: 3.00
[Spider diagram: maturity level (scale 1 to 5) per chapter; visible axes: 1 ISMS, 5 Information Security Policies, 6 Organization of Information Security, 7 Human Resources Security, 16 Information Security Incident Management, 17 Information Security Aspects of Business Continuity Management, 18 Compliance]
Details:
Information Security Assessment - Questions
Maturity Level (0-5; na)
In case a question does not apply, please insert na (not applicable).
1 General Aspects
1.1 To what extent is an ISMS approved by the Top Management and is the scope documented?
(Reference to ISO 27001: 4 and 5.1)
1.2 To what extent are information security risk management and risk treatment defined, documented and implemented?
5 Information Security Policies
5.1 To what extent are information security guidelines created, published (internally and to external partners), communicated and checked at regular intervals?
6 Organization of Information Security
6.2 To what extent are information security requirements taken into account in project work (irrespective of project type)?
6.3 To what extent is a policy in place regarding the use of mobile devices and remote access to company data?
7 Human Resources Security
7.2 To what extent are staff (internal and external) made aware of and trained in the risks that arise when handling and processing information?
(Reference to ISO 27002: Control 7.2.1 and 7.2.2)
8 Asset Management
8.1 To what extent are physical and digital assets that contain information (information objects) recorded in a directory?
8.2 To what extent is information classified regarding the corresponding protection level?
(Reference to ISO 27002: Control 8.2.1, 8.2.2, and 8.2.3)
8.3 To what extent are appropriate procedures implemented for the management of information on mobile storage devices?
9 Access Control
9.1 To what extent do policies and procedures exist regarding access to networks and network services?
9.2 To what extent are procedures for formal user registration, change and de-registration implemented to enable the assignment of access rights, and is the allocation of secret authentication information controlled?
9.3 To what extent is the allocation and use of privileged access rights restricted and controlled?
(Reference to ISO 27002: Control 9.2.3)
9.4 To what extent have binding policies been defined concerning creation and handling of secret authentication information?
9.5 To what extent is access to information and applications restricted to authorized personnel?
(Reference to ISO 27002: Control 9.4.1 and 9.4.2)
10 Cryptography
10.1 To what extent are rules on the use of cryptography, including the management of cryptographic keys (entire lifecycle process), developed and implemented?
(Reference to ISO 27002: Control 10.1.1)
11.2 To what extent has the company established measures to protect itself against the effects of natural disasters, malicious attacks and accidents?
(Reference to ISO 27002: Control 11.1.4)
11.3 To what extent are protective measures established to protect delivery and loading areas from being accessed by unauthorized persons?
(Reference to ISO 27002: Control 11.1.6)
11.4 To what extent are policies and procedures defined and implemented regarding the use of company equipment, including off-site use, disposal and re-use?
(Reference to ISO 27002: Control 11.2.5, 11.2.6, and 11.2.7)
12 Operations Security
12.1 To what extent are changes to the organization, business processes, information processing facilities and systems implemented in accordance with their relevance to Information Security?
(Reference to ISO 27002: Control 12.1.2)
12.2 To what extent are development and testing environments kept separate from productive environments?
12.3 To what extent are protection controls (e.g. endpoint security) against malware (viruses, worms, Trojans, spyware, ...) implemented and combined with appropriate user awareness?
(Reference to ISO 27002: Control 12.2.1)
12.4 To what extent are backups created and tested regularly in accordance with an agreed backup policy?
(Reference to ISO 27002: Control 12.3.1)
12.5 To what extent are event logs (containing e.g. user activities, exceptions, errors and security events) created, stored, reviewed and protected against modification?
(Reference to ISO 27002: Control 12.4.1 and 12.4.2)
12.6 To what extent are system administrator and system operator activities logged, the logs protected against modification and regularly reviewed?
(Reference to ISO 27002: Control 12.4.3)
12.7 To what extent is information regarding technical vulnerabilities of information processing systems acquired at an early stage and assessed, and are appropriate measures taken (e.g. patch management)?
(Reference to ISO 27002: Control 12.6.1 and 12.6.2)
12.8 To what extent are audit requirements and activities that are used to check information processing systems planned and coordinated?
(Reference to ISO 27002: Control 12.7.1)
13 Communications Security
13.1 To what extent are networks managed and controlled to protect information in systems and applications?
13.2 To what extent are requirements related to security mechanisms and service levels, as well as management requirements related to network services, identified and documented in service level agreements?
13.3 To what extent are groups of information services, users and information systems segregated on networks?
13.4 To what extent are protective measures taken when information is exchanged or transmitted?
(Reference to ISO 27002: Control 13.2.1 and 13.2.3)
13.5 To what extent are non-disclosure agreements applied before an exchange of information, and are the requirements or needs for the protection of information documented and regularly reviewed?
(Reference to ISO 27002: Control 13.2.4)
14 System acquisition, development and maintenance
14.1 To what extent are security-relevant requirements taken into account for new information systems (incl. systems that are accessible from the public) and for extensions to existing systems?
(Reference to ISO 27002: Control 14.1.1, 14.1.2, and 14.1.3)
14.2 To what extent are security-relevant aspects taken into account within the software development process (incl. change management)?
(Reference to ISO 27002: Control 14.2.1 - 14.2.9)
14.3 To what extent are test data created, protected and used in a careful and controlled manner?
(Reference to ISO 27002: Control 14.3.1)
15 Supplier Relationships
15.1 To what extent are information security requirements agreed with suppliers to mitigate risks contractually when suppliers have access to corporate assets (particularly information and communication services, and in case such assets are used by sub-contractors)?
(Reference to ISO 27002: Control 15.1.1 - 15.1.3)
15.2 To what extent are the services performed by suppliers/sub-contractors monitored, reviewed and audited on a regular basis?
18 Compliance
18.1 To what extent are relevant legal (country-specific), statutory, regulatory and contractual requirements ensured (e.g. protection of intellectual property rights, use of encryption technology and protection of records)?
18.2 To what extent are confidentiality and the protection of personal data ensured (taking into account national legislation)?
18.3 To what extent is the ISMS reviewed independently on a regular basis or in the course of significant changes?
18.4 To what extent is the effectiveness of policies, guidelines and other relevant information security standards reviewed and documented (relevant procedures and processes, incl. technical tests)?
(Reference to ISO 27002: Control 18.2.2, 18.2.3)
License
Author: Study group Information Security of the German Association of the Automotive Industry
License: http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
Change History
1.0 First Release (Initial build)
2.1.3 Spider diagram shows result without cutback to target maturity levels
Control 7.1 maturity level 1 revised
Controls 9.4 and 9.5 reference revised
Control 13.5 revised
All other controls with version 2.1.3 translation revised