
Information Security Assessment

Group of companies:

Company:

Location:
Address:

Homepage:

Short description of the group / company:

Scope:

D&B D-U-N-S® No.

Date of the assessment:

Contact person:
Telephone number:
E-Mail address:

Creator:
Telephone number:
E-Mail address:

Managing Director:

Signature:

Version: 2.1.3 / 2015-05-22

420173023.xlsx /
Printed on: 05/11/2019 Page 1 of 8
Cover
Information Security Assessment
Results

Company: 0
Location: 0
Date: 12/30/1899
Result with cutback to target maturity levels: 0.00 (Maximum Score: 3.00)
Result without cutback to target maturity levels: 0.00

Results per chapter (without cutback):

[Spider diagram, axis ticks 1 to 5, series "Target maturity level" and "Results"; chapters: 1 ISMS, 5 Information Security Policies, 6 Organization of Information Security, 7 Human Resources Security, 8 Asset Management, 9 Access Control, 10 Cryptography, 11 Physical and Environmental Security, 12 Operations Security, 13 Communications Security, 14 System acquisition, development and maintenance, 15 Supplier Relationships, 16 Information Security Incident Management, 17 Information Security Aspects of Business Continuity Management, 18 Compliance]

Information Security Assessment
Results
Details:

No. | Topic | Target maturity level | Result
1.1 Release of an Information Security Management System (ISMS) 3 0
1.2 IS Risk Management 3 0
1.3 Effectiveness of the ISMS 3 0
5.1 Information Security Policy 3 0
6.1 Assigning responsibility for information security 3 0
6.2 Information Security in projects 3 0
6.3 Mobile devices 3 0
7.1 Contractual commitment to information security of employees 3 0
7.2 Awareness and training of employees 4 0
8.1 Inventory of assets 3 0
8.2 Classification of information 2 0
8.3 Handling of information (especially mobile storage) 3 0
9.1 Access to networks and network services 3 0
9.2 User registration 4 0
9.3 Privileged user accounts 3 0
9.4 Confidentiality of authentication data 3 0
9.5 Access to information and applications 3 0
10.1 Cryptography 2 0
11.1 Security zones 3 0
11.2 Protection against external influences and external threats 3 0
11.3 Protection measures in the delivery and shipping area 2 0
11.4 Use of equipment 2 0
12.1 Change Management 4 0
12.2 Separation of development, test and operational environment 2 0
12.3 Protection from malware 4 0
12.4 Back-up procedures 3 0
12.5 Event Logging 3 0
12.6 Logging administrational activities 2 0
12.7 Handling of technical vulnerabilities (patch management) 4 0
12.8 Review of information systems 2 0
13.1 Management of networks 3 0
13.2 Security requirements for networks / services 3 0
13.3 Separation of networks (network segmentation) 3 0
13.4 Electronic exchange of information 3 0
13.5 Confidentiality agreements with third parties 3 0
14.1 Requirements for the procurement of information systems 3 0
14.2 Security along the software development process 3 0
14.3 Management of test data 2 0
15.1 Risk Management in collaboration with suppliers 3 0
15.2 Review of supplier services 3 0
16.1 Reporting system for information security incidents (Incident Management) 4 0
16.2 Processing of information security incidents 4 0
17.1 Information Security Aspects of Business Continuity Management 3 0
18.1 Legal and contractual provisions 3 0
18.2 Protection of personal data 4 0
18.3 Audit of the ISMS by independent bodies 3 0
18.4 Efficiency tests, including technical tests 3 0
Overall: maximum score 3.00, result 0.00
Method: comparison of the top 47 security topics based on ISO 27002 controls, evaluated with SPICE (ISO 15504)

Information Security Assessment - Questions

based on ISO 27002:2013


Company: 0
Location: 0
Date: 12/30/1899

Maturity Level (0-5; na)
In case a question does not apply, please insert na (not applicable).

1 General Aspects
1.1 To what extent is an ISMS approved by the Top Management and is the scope documented?
(Reference to ISO 27001: 4 and 5.1)

1.2 To what extent is an Information Security risk management as well as risk treatment defined, documented and implemented?

(Reference to ISO 27001: 8.2 and 6.1.2)

1.3 To what extent is the effectiveness of the ISMS ensured?


(Reference to ISO 27001: 8.1, 9.1, 10.1, and 10.2)

5 Information Security Policies

5.1 To what extent are information security guidelines created, published (internally and to external partners), communicated and are they checked in regular time intervals?

(Reference to ISO 27002: Control 5.1.1 and 5.1.2)

6 Organization of Information Security


6.1 To what extent are responsibilities for information security defined and allocated?
(Reference to ISO 27002: Control 6.1.1)

6.2 To what extent are information security requirements taken into account in project work (irrespective of project type)?

(Reference to ISO 27002: Control 6.1.5)

6.3 To what extent is a policy in place regarding the use of mobile devices and remote access to company data?

(Reference to ISO 27002: Control 6.2.1 and 6.2.2)

7 Human Resources Security


7.1 To what extent is staff (internal and external) contractually bound to comply with information security policies?

(Reference to ISO 27002: Control 7.1.2 and 7.3.1)

7.2 To what extent is staff (internal and external) made aware of and trained about the risks that arise when handling and processing information?
(Reference to ISO 27002: Control 7.2.1 and 7.2.2)

8 Asset Management
8.1 To what extent are physical and digital assets that contain information (information objects) recorded in a directory?

(Reference to ISO 27002: Control 8.1.1, 8.1.2, 8.1.3, and 8.1.4)

8.2 To what extent is information classified regarding the corresponding protection level?
(Reference to ISO 27002: Control 8.2.1, 8.2.2, and 8.2.3)

8.3 To what extent are appropriate procedures implemented for the management of information on mobile storage devices?

(Reference to ISO 27002: Control 8.3.1, 8.3.2, and 8.3.3)

9 Access Control

9.1 To what extent are policies and procedures existent regarding access to networks and network services?

(Reference to ISO 27002: Control 9.1.2)

9.2 To what extent are procedures for a formal user registration, change and de-registration implemented to enable assignment of access rights and is the allocation of secret authentication information controlled?

(Reference to ISO 27002: Control 9.2.1, 9.2.2, 9.2.4, and 9.2.5)

9.3 To what extent is the allocation and use of privileged access rights restricted and controlled?
(Reference to ISO 27002: Control 9.2.3)

9.4 To what extent have binding policies been defined concerning creation and handling of secret authentication information?

(Reference to ISO 27002: Control 9.3.1 and 9.4.3)

9.5 To what extent is access to information and applications restricted to authorized personnel?
(Reference to ISO 27002: Control 9.4.1 and 9.4.2)

10 Cryptography
10.1 To what extent are rules on the use of cryptography, including the management of cryptographic keys (entire lifecycle process), developed and implemented?
(Reference to ISO 27002: Control 10.1.1)

11 Physical and Environmental Security


11.1 To what extent are secure areas for the protection of sensitive or critical information and information processing facilities defined, protected and monitored (entrance control)?
(Reference to ISO 27002: Control 11.1.1, and 11.1.2)

11.2 To what extent has the company established measures to protect itself against the effects of natural disasters, malicious attacks and accidents?
(Reference to ISO 27002: Control 11.1.4)

11.3 To what extent are protective measures established to protect delivery and loading areas from being accessed by unauthorized persons?
(Reference to ISO 27002: Control 11.1.6)

11.4 To what extent are policies and procedures defined and implemented regarding the use of company equipment, including off-site use, disposal and re-use?
(Reference to ISO 27002: Control 11.2.5, 11.2.6, and 11.2.7)

12 Operations Security

12.1 To what extent are changes to the organization, business processes, information processing facilities and systems implemented in accordance with their relevance to information security?
(Reference to ISO 27002: Control 12.1.2)

12.2 To what extent are development and testing environments kept separate from productive environments?

(Reference to ISO 27002: Control 12.1.4)

12.3 To what extent are protection controls (e.g. endpoint security) against malware (viruses, worms, Trojans, spyware, ...) implemented and combined with appropriate user awareness?
(Reference to ISO 27002: Control 12.2.1)

12.4 To what extent are backups created and tested regularly in accordance with an agreed backup policy?
(Reference to ISO 27002: Control 12.3.1)

12.5 To what extent are event logs (containing e.g. user activities, exceptions, errors and security events) created, stored, reviewed and protected against modification?
(Reference to ISO 27002: Control 12.4.1, and 12.4.2)

12.6 To what extent are system administrator and system operator activities logged, the logs protected against modification and regularly reviewed?
(Reference to ISO 27002: Control 12.4.3)

12.7 To what extent is information regarding technical vulnerabilities of information processing systems acquired at an early stage and assessed, and are appropriate measures taken (e.g. patch management)?
(Reference to ISO 27002: Control 12.6.1, and 12.6.2)

12.8 To what extent are audit requirements and activities that are used to check information processing systems planned and coordinated?
(Reference to ISO 27002: Control 12.7.1)

13 Communications Security
13.1 To what extent are networks managed and controlled to protect information in systems and applications?

(Reference to ISO 27002: Control 13.1.1)

13.2 To what extent are requirements related to security mechanisms and service levels, as well as management requirements related to network services, identified and documented in service level agreements?

(Reference to ISO 27002: Control 13.1.2)

13.3 To what extent are groups of information services, users and information systems segregated on networks?

(Reference to ISO 27002: Control 13.1.3)

13.4 To what extent are protective measures taken when information is exchanged or transmitted?
(Reference to ISO 27002: Control 13.2.1, and 13.2.3)

13.5 To what extent are non-disclosure agreements applied before an exchange of information and are the requirements or needs for the protection of information documented and regularly reviewed?
(Reference to ISO 27002: Control 13.2.4)

14 System acquisition, development and maintenance
14.1 To what extent are security-relevant requirements taken into account for new information systems (incl. systems that are accessible from the public) and for extensions to existing systems?
(Reference to ISO 27002: Control 14.1.1, 14.1.2, and 14.1.3)

14.2 To what extent are security-relevant aspects taken into account within the software development process (incl. change management)?
(Reference to ISO 27002: Control 14.2.1 - 14.2.9)

14.3 To what extent are test data created, protected and used in a careful and controlled manner?
(Reference to ISO 27002: Control 14.3.1)

15 Supplier Relationships
15.1 To what extent are information security requirements agreed with suppliers to mitigate risks contractually when suppliers have access to corporate assets (particularly information and communication services, and in case such assets are used by sub-contractors)?
(Reference to ISO 27002: Control 15.1.1 - 15.1.3)

15.2 To what extent are the services performed by suppliers/sub-contractors monitored, reviewed and audited on a regular basis?

(Reference to ISO 27002: Control 15.2.1)

16 Information Security Incident Management


16.1 To what extent are responsibilities, procedures, reporting channels and criticality levels established to ensure an effective response to information security incidents or vulnerabilities?
(Reference to ISO 27002: Control 16.1.1 - 16.1.3)

16.2 To what extent is the handling of security events performed?


(Reference to ISO 27002: Control 16.1.4 - 16.1.7)

17 Information Security Aspects of Business Continuity Management


17.1 To what extent are information security requirements (including the redundancy of corresponding facilities) and the continuation of the ISMS in the event of a crisis defined, implemented, checked and evaluated?

(Reference to ISO 27002: Control 17.1.1 - 17.1.3, and 17.2.1)

18 Compliance
18.1 To what extent are relevant legal (country-specific), statutory, regulatory and contractual requirements ensured (e.g. protection of intellectual property rights, use of encryption technology and protection of records)?

(Reference to ISO 27002: Control 18.1.1, 18.1.2, 18.1.3, 18.1.5)

18.2 To what extent is confidentiality and the protection of personal data ensured (taking into account national legislation)?

(Reference to ISO 27002: Control 18.1.4)

18.3 To what extent is the ISMS reviewed independently on a regular basis or in the course of significant changes?

(Reference to ISO 27002: Control 18.2.1)

18.4 To what extent is the effectiveness of policies, guidelines and other relevant information security standards reviewed and documented (relevant procedures and processes, incl. technical tests)?
(Reference to ISO 27002: Control 18.2.2, 18.2.3)

Author:
Study group Information Security of the
German Association of the Automotive Industry

License:
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en

Change History:
1.0 First Release (Initial build)

1.1 Change open questions to closed questions


More precise level descriptions
Inserting examples from practice
Spelling errors corrected

1.2 8.2 and 10.1 reference adjustment


10.2 change from production to productive environment
10.5 change from IDS/IPS to HIDS/HIPS
11.2 change of the translation
11.3 and 11.4 restructuring of controls

1.3 11.4 add "IT systems"


9.4 revise Maturity Level 2

2.0 Revision due to the new edition of ISO 27002:2013


Adjustment of the maturity levels

2.01 Fix for error in calculation and spider diagram

2.1.0 Revision of the maturity levels, corrections of some controls

2.1.1 Release version 2.1

2.1.2 Print area adjusted

2.1.3 Spider diagram shows result without cutback to target maturity levels
Control 7.1 maturity level 1 revised
Controls 9.4 and 9.5 reference revised
Control 13.5 revised
All other controls with version 2.1.3 translation revised

