Identifying, analysing and managing cyber risks are essential to any cyber security programme.

Cyber resilience moves beyond that.

Take this brief self-assessment now to establish where your organisation is positioned on the cyber resilience maturity scale.

The survey consists of 26 short questions against which to rank your maturity. It should only take you 5 minutes to complete.

By taking this assessment, you will discover:

1. Your maturity against each of 26 key cyber resilience control areas in the IT Governance Cyber Resilience Framework.
2. The potential gaps in your cyber security programme as highlighted across 4 core sections.
3. How your organisation ranks in terms of overall cyber resilience.
4. Ways in which you can improve your cyber resilience posture.

Cyber security controls should be implemented as part of a careful process of risk management. However, eliminating threats isn’t always possible, so protecting against them without disrupting business innovation and growth should be the top priority for executive teams.

To what extent has your organisation implemented the following?

1. Malware protection

Software and other technical measures to protect your computer systems and information from a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware).

2. Information and security policies

Documents that state how your organisation plans to protect its physical and information assets.

3. Formal information security management programme

A structured approach to securing information assets across the organisation that takes people, processes and technologies into account.

4. Identity and access control

Measures to ensure that the person attempting to access information is who they say they are and that they are authorised to access that information.

5. Security teams are competent and receive regular training

Security teams are suitably qualified and regularly trained on how to respond to cyber security incidents.

6. Security staff awareness training

Employees receive regular cyber security awareness training and are aware of security threats and procedures.

7. Encryption

The organisation has a documented process defining when and how encryption is applied to protect information, taking into account information both in transit and at rest.

8. Physical and environmental security

Physical and environmental security controls reduce the risk posed by threats within the physical environment, including natural or environmental hazards, and physical intrusion by unauthorised individuals.

9. Patch management

The organisation has a process defining how software on computers and network devices is kept up to date.

10. Network and communications security

The organisation’s network infrastructure is secured with appropriate technologies and processes, such as switches, firewalls, segregation and DMZs.

11. Systems security

Systems are designed to be secure, including both internally- and externally-facing systems such as web applications and databases.

12. Asset management

Assets (both information and physical) are logged, tracked and managed throughout their lifecycle. Each asset has a defined ‘owner’ who is responsible for it.

13. Supply chain risk management

The organisation has measures in place to secure information throughout the supply chain, such as security requirements in contracts, non-disclosure agreements and rules for information sharing. This takes into account the whole supply chain, including physical suppliers, software vendors, cloud service providers, and so on.

Detecting cyber attacks and data breaches early will help you stay one step ahead of cyber criminals. But criminals are not the only threats: disgruntled or sloppy employees might release sensitive information, or processes might fail.

To what extent has your organisation implemented the following?

14. Security monitoring

The organisation’s systems, networks and security measures are continually observed and logged, often through automated means, and through less frequent activities such as vulnerability scanning and penetration testing. Any identified anomalies and weaknesses are acted upon.

15. Active detection

The organisation actively seeks to detect incidents (for example, by manually reviewing audit logs and gathering intelligence from outside the organisation). Measures are in place to help detect malicious activity that may be otherwise difficult to identify.

Establishing processes to quickly respond to and report on cyber attacks and data breaches is paramount.

To what extent has your organisation implemented the following?

16. Incident response management

Plans, defined roles, training, communications and management oversight for quickly discovering an incident and effectively containing the damage, eradicating the threat, and restoring the integrity of affected networks and systems.

17. ICT (information and communication technology) continuity management

ICT services are resilient in the event of disaster, and can be recovered within timescales agreed with senior management.

18. Business continuity management

A framework for identifying the risk of exposure to internal and external threats, and for dealing with major disruptions like cyber attacks, floods and supply failures.

19. Information sharing and collaboration

Threat and vulnerability information is shared among suppliers and partners to enhance the collective ability to proactively detect, prevent, mitigate, respond to and recover from cyber security incidents.

Governance is the key ingredient that binds together all the core elements of cyber security and effective risk management, and aligns them with the organisation’s business objectives. Without effective governance, executive teams and the board remain uninformed and unaware of their organisation’s risk exposure – despite being held accountable for the organisation’s failures.

To what extent has your organisation implemented processes to address the following?

20. Measures to meet legal and regulatory requirements for cyber security, such as the GDPR, the PCI DSS, the NIS Regulations and NHS requirements

The organisation has a set of processes to identify its legal and regulatory obligations, and measures to meet those obligations.

21. Comprehensive risk management programme

A structured and ongoing process of identifying, assessing and responding to cyber and information security risks.

22. Continual improvement process

A process to continually review and improve the organisation’s security measures, and to adapt to the changing threat landscape.

23. Governance structure and processes

The organisation has clear governance structures and defined lines of responsibility and accountability to oversee its cyber security and resilience processes.

24. Board-level commitment and involvement

The board endorses, supports and participates in the cyber security strategy and receives regular updates on security issues, risks and compliance.

25. Internal audit

A programme of regular audits assesses the organisation’s information security controls. The results are assessed as part of a senior management review.

26. External validation/certification to standards or frameworks

Certification to international standards or established cyber security frameworks provides external validation of your organisation’s cyber security and resilience, and can provide assurance to customers and other stakeholders.
