ISO27k Information Security Program Assessment Tool

This assessment tool was created to evaluate the maturity of information security programs using as a framework the International Organization for Standardization (ISO) standard ISO/IEC 27002:2013, "Information technology. Security techniques. Code of practice for information security controls." The tool is intended for use by any organization as a whole, although a unit within an organization may also use it to help determine the maturity of its own information security program. The assessment should be performed by an information security officer, consultant, auditor, or equivalent, familiar with the environment. There are a total of 101 questions and it takes on average about 4 hours to complete the assessment.

The self-assessment has been designed to be completed annually or at whatever frequency the organization feels is appropriate to track its security maturity. The assessment tool uses the ISO/IEC 21827:2008 framework for scoring maturity, which scales from 0 to 5, with 5 being the highest level of maturity:

0. Not Performed
1. Performed Informally
2. Planned
3. Well Defined
4. Quantitatively Controlled
5. Continuously Improving

The organization can achieve the same maturity rating by substituting CMMI, NIST, COBIT, or another maturity framework that may be more familiar, with the same numeric 0 through 5 score. Definitions for the ISO/IEC 21827:2008 maturity levels and the other ratings can be found on the "Scoring" tab of the spreadsheet. Each question should be answered by selecting the appropriate current as well as desired level of maturity, from 0 through 5. The scores in each ISO section are added up, then averaged to provide a maturity assessment for that section.

Below is a summary of the focus of each section used in the tool:

Information Security Policies (ISO 5): Assess how an organization expresses its intent with regard to information security.
Organization of Information Security (ISO 6): Assess how an organization manages its information security across the entire enterprise, including how the organizational leadership commits its support and provides overall direction.
Human Resource Security (ISO 7): Assess an organization's safeguards and processes for ensuring that all employees are qualified for and understand the roles and responsibilities of their job duties, and that access is removed once employment is terminated.
Asset Management (ISO 8): Assess an organization's asset management program. Does it include ways to identify, track, classify, and assign ownership for the most important assets to ensure they are adequately protected?
Access Control (ISO 9): Assess an organization's use of administrative, physical, or technical security features to manage how users and systems communicate and interact with other information resources.
Cryptography (ISO 10): Assess an organization's policies on the use of cryptography (encryption) and key management.
Physical and Environmental Security (ISO 11): Assess an organization's steps taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.
Operations Security (ISO 12): Assess an organization's formalized policies, procedures, and controls, which assist in data and system protection.
Communications Security (ISO 13): Assess an organization's formalized policies, procedures, and controls, which assist in network management and operation.
System Acquisition, Development, and Maintenance (ISO 14): Assess whether an organization has security requirements established as an integral part of the development or implementation of an information system.
Supplier Relationships (ISO 15): Assess how an organization interacts with third parties to adequately secure the information and technology resources that third parties access, process, and manage.
Information Security Incident Management (ISO 16): Assess an organization's information security incident management program. An effective program will ensure personnel are trained and equipped to detect, report, and respond to adverse events.
Information Security Aspects of Business Continuity Management (ISO 17): Assess an organization's business continuity management. A mature institution has a managed, organized method for the development of procedures to ensure the continuity of operations under extraordinary circumstances, including the maintenance of measures to ensure the privacy and security of its information resources.
Compliance (ISO 18): Assess an organization's processes for staying current with legal and contractual requirements to protect sensitive information assets.

© ISO27k Forum & EDUCAUSE 2018

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0).

The copyright in parts of this document belongs to ISO/IEC. They own the standards! We are reliant on the fair use provisions of copyright law and the goodwill of ISO/IEC to reproduce a small part of their content here, encouraging widespread adoption of the ISO27k standards.

Brought to You by the ISO27k Forum, EDUCAUSE Cybersecurity Program, and the Higher Education Information Security Council

This assessment tool is a fork contributed to the ISO27k toolkit based on HEISCJuly2018 (Information Security Program Assessment Tool), which is a part of the EDUCAUSE Cybersecurity Program and was created by volunteers from the Higher Education Information Security Council (HEISC). The Cybersecurity Program supports higher education institutions as they improve information security governance, compliance, data protection, and privacy programs. HEISC is a volunteer effort open to all higher education information security, privacy, and other IT professionals. Learn more and view additional resources at https://educause.edu/security. For any feedback related to the tool, send an email to security-council@educause.edu.

Revision History
11/15/2018. Initial release, contributed by Bachir Benyammi and revised by Valerie Vogel
Scoring

Each score is defined by its ISO/IEC 21827:2008 level, followed by the equivalent CMMI, NIST and COBIT ratings.

0 Not Performed
   Definition: There are no security controls or plans in place. The controls are nonexistent.
   CMMI: Non-existent. NIST: Non-existent. COBIT: Non-existent.

1 Performed Informally
   Definition: Base practices of the control area are generally performed on an ad hoc basis. There is general agreement within the organization that identified actions should be performed, and they are performed when required. The practices are not formally adopted, tracked, and reported on.
   CMMI: Initial. NIST: Policies. COBIT: Initial/Ad-hoc.

2 Planned
   Definition: The base requirements for the control area are planned, implemented, and repeatable.
   CMMI: Managed. NIST: Procedures. COBIT: Repeatable but Intuitive.

3 Well Defined
   Definition: The primary distinction from Level 2, Planned and Tracked, is that in addition to being repeatable the processes used are more mature: documented, approved, and implemented organization-wide.
   CMMI: Defined. NIST: Implementation. COBIT: Defined Process.

4 Quantitatively Controlled
   Definition: The primary distinction from Level 3, Well Defined, is that the process is measured and verified (e.g., auditable).
   CMMI: Quantitatively Managed. NIST: Test. COBIT: Managed & Measurable.

5 Continuously Improving
   Definition: The primary distinction from Level 4, Quantitatively Controlled, is that the defined, standard processes are regularly reviewed and updated. Improvements reflect an understanding of, and response to, a vulnerability's impact.
   CMMI: Optimized. NIST: Integration. COBIT: Optimized.
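The scoring rule (answer each question 0 to 5, add up each ISO section, average it, and report the average as a level and a percentage) is simple enough to put in a few lines of code, which makes it easy to re-run or audit the sheet's arithmetic outside the spreadsheet. The following is an added example, not part of the ISO27k Forum/EDUCAUSE tool; the section names and answers are constructed, and two details the sheet leaves implicit are assumptions here: a fractional section average is labeled with the nearest whole level, and the overall figure is averaged over every answered question rather than over section averages.

```python
"""Added example: score an ISO27k program assessment the way the sheet describes."""

# ISO/IEC 21827:2008 maturity levels used by the tool.
LEVELS = {
    0: "Not Performed",
    1: "Performed Informally",
    2: "Planned",
    3: "Well Defined",
    4: "Quantitatively Controlled",
    5: "Continuously Improving",
}
MAX_LEVEL = max(LEVELS)


def validate(score):
    """Reject anything that is not a whole level 0..5; a blank or a typo would silently skew an average."""
    if isinstance(score, bool) or not isinstance(score, int) or score not in LEVELS:
        raise ValueError(f"maturity score must be an integer 0..{MAX_LEVEL}, got {score!r}")
    return score


def section_average(scores):
    """Add up the per-question scores of one ISO section and average them (two decimals, as in the sheet)."""
    scores = [validate(s) for s in scores]
    if not scores:
        raise ValueError("a section needs at least one answered question")
    return round(sum(scores) / len(scores), 2)


def to_percentage(average):
    """Express a 0..5 average as a percentage of the maximum level."""
    return round(average / MAX_LEVEL * 100, 1)


def level_label(average):
    """Assumption: a fractional average is reported as the nearest whole level."""
    return LEVELS[min(MAX_LEVEL, max(0, round(average)))]


def assess(answers):
    """answers maps section name -> list of (current, desired) pairs, one pair per question.

    Returns per-section current/desired averages, the gap to close, and an overall
    figure (assumption: averaged over every answered question, not over sections).
    """
    sections = {}
    all_current, all_desired = [], []
    for name, pairs in answers.items():
        current = [c for c, _ in pairs]
        desired = [d for _, d in pairs]
        cur_avg, des_avg = section_average(current), section_average(desired)
        sections[name] = {
            "current": cur_avg,
            "current_pct": to_percentage(cur_avg),
            "current_label": level_label(cur_avg),
            "desired": des_avg,
            "gap": round(des_avg - cur_avg, 2),
        }
        all_current += current
        all_desired += desired
    overall_cur = section_average(all_current)
    return {
        "sections": sections,
        "overall": {
            "current": overall_cur,
            "current_pct": to_percentage(overall_cur),
            "current_label": level_label(overall_cur),
            "desired": section_average(all_desired),
        },
    }


# Constructed sample answers, (current, desired), for two sections of the tool.
SAMPLE_ANSWERS = {
    "Risk Management (ISO 27005)": [(1, 3), (2, 3), (1, 3)],
    "Information Security Policies (ISO 5)": [(3, 4), (3, 4), (2, 3)],
}

if __name__ == "__main__":
    report = assess(SAMPLE_ANSWERS)
    for name, r in report["sections"].items():
        print(f"{name}: {r['current']} ({r['current_pct']}%, {r['current_label']}), "
              f"target {r['desired']}, gap {r['gap']}")
    o = report["overall"]
    print(f"Overall: {o['current']} ({o['current_pct']}%, {o['current_label']})")
```

The validation step matters more than it looks: a spreadsheet will happily average a blank cell as 0, which makes an unanswered section look like "Not Performed" rather than "not yet assessed".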
INSTITUTION NAME GOES HERE 12/11/2019 7

No.  Question
Risk Management (ISO 27005:2011)

1 Does the organization have a person or group that has the role and responsibility for an ongoing process of
evaluating the probability that known threats will exploit vulnerabilities and the resulting impact on
valuable assets? Risk management also assigns relative priorities for mitigation plans and implementation.

2 Does the organization have a process for identifying and assessing reasonably foreseeable internal and
external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records
containing sensitive information?

3 Does the organization conduct routine risk assessments to identify the key objectives that need to be
supported by the information security program?

Information Security Policies (ISO 5)

4 Does the organization have an information security policy that has been approved by management?

5 Has the security policy been published and communicated to all relevant parties?

6 Does the organization review the security policy at defined intervals to encompass significant change and
monitor for compliance?

Organization of Information Security (ISO 6)



7 Does the information security function have the authority it needs to manage and ensure compliance with
the information security program?

8 Does the organization have an individual with enterprise-wide information security responsibility and
authority written in their job description, or equivalent?

9 Is responsibility clearly assigned for all areas of the information security architecture, compliance,
processes, and audits?

10 Is there a formal process for having the individual with information security responsibility assess and sign off
on appropriate hardware, software, and services, ensuring they follow security policies and requirements?

11 Does the organization maintain relationships with local authorities?

12 Does the organization participate with local, national or international security groups, associations and
agencies?

13 Does the organization have independent security reviews completed at planned intervals or when significant
changes to the environment occur?

Human Resource Security (ISO 7)

14 Do all individuals interacting with the organization information system receive information security
awareness training?

15 Does the organization conduct specialized role-based training?

16 Do the information security programs clearly state responsibilities, liabilities, and consequences?

17 Does the organization have a process for revoking system and building access and returning assigned assets?

18 Does the organization have a process for revoking system access when there is a position change or when
responsibilities change?

Asset Management (ISO 8)

19 Has the organization identified critical information assets and the functions that rely on them?

20 Does the organization classify information to indicate the appropriate levels of information security?

Access Control (ISO 9)

21 Does the organization have an access control policy for authorizing and revoking access rights to information
systems?

22 Does the organization have a process in place for granting and revoking appropriate user access?

23 Does the organization have a password management program that follows current security standards?
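The guidance for this question lists the attributes a password management program enforces: length, maximum age, character requirements and uniqueness (history). Below is an added example, not the tool's own code, showing one way to implement those checks so that they can be audited; the policy values, the sample passwords and the breached-hash list are constructed. It follows NIST SP 800-63B in making length and a breached-password screen the primary controls, and treats maximum age and character-class rules as optional settings: they are present because the guidance names them, and disabled by default because 800-63B advises against forcing them.

```python
"""Added example: password policy checks with a salted history and a breach-list screen."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ROUNDS = 100_000  # constructed value; raise it for production use


@dataclass
class PasswordPolicy:
    min_length: int = 12                  # constructed; NIST SP 800-63B requires at least 8 for user-chosen secrets
    history_depth: int = 5                # previous passwords that may not be reused
    max_age_days: Optional[int] = None    # forced rotation; off by default per 800-63B
    min_char_classes: int = 0             # composition rule; off by default per 800-63B
    breached_sha1: set = field(default_factory=set)  # uppercase SHA-1 hex, the form breach feeds publish


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the (salt, digest) tuple is what goes into the history."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches(password, entry):
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def char_classes(password):
    return sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])


def check_password(candidate, history, policy):
    """Return the list of policy violations for a proposed new password; an empty list means accepted."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.min_char_classes and char_classes(candidate) < policy.min_char_classes:
        violations.append(f"fewer than {policy.min_char_classes} character classes")
    if hashlib.sha1(candidate.encode()).hexdigest().upper() in policy.breached_sha1:
        violations.append("appears in a known breach list")
    if any(matches(candidate, entry) for entry in history[-policy.history_depth:]):
        violations.append(f"reuses one of the last {policy.history_depth} passwords")
    return violations


def rotation_due(last_changed_ts, policy, now=None):
    """True only when a maximum age is configured and has elapsed."""
    if policy.max_age_days is None:
        return False
    now = time.time() if now is None else now
    return (now - last_changed_ts) > policy.max_age_days * 86400


# Constructed breach list: SHA-1 of two well-known weak passwords.
BREACHED = {hashlib.sha1(p.encode()).hexdigest().upper() for p in ("Password123!", "Welcome2024")}
POLICY = PasswordPolicy(breached_sha1=BREACHED)

if __name__ == "__main__":
    history = [hash_password("correct horse battery staple")]
    for pw in ("short", "Password123!", "correct horse battery staple", "glacier-otter-92-harbor"):
        print(pw, "->", check_password(pw, history, POLICY) or "accepted")
```

The history is kept as salted PBKDF2 digests rather than the old passwords themselves, so a leak of the history table does not hand out the previous five passwords of every user; the breach screen uses SHA-1 only because that is the form the public breach corpora are distributed in, not as a storage hash.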

24 Does the organization have procedures to regularly review users' access to ensure only needed privileges
are applied?

25 Does the organization employ specific measures to secure remote access services?

26 Does the organization employ technologies to block or restrict unencrypted sensitive information from
traveling to untrusted networks?

27 Does the organization have mechanisms in place to manage digital identities (accounts, keys, tokens)
throughout their life cycle, from registration through termination?

28 Is there a policy in place to restrict the sharing of passwords?

29 Does the organization prohibit use of generic accounts with privileged access to systems?

30 Does the organization have an authentication system in place that applies higher levels of authentication to
protect resources with higher levels of sensitivity?

31 Does the organization have an authorization system that enforces a time-limited lockout on login failure and
defaults to minimum privileges?

32 Does the organization have standards for isolating sensitive data and procedures and technologies in place
to protect it from unauthorized access and tampering?

33 Does the organization have usage guidance established for mobile computing devices (regardless of
ownership) that store, process, or transmit organizational data?

34 Does the organization require encryption on mobile computing devices (e.g., laptops, tablets)?

35 Does the organization have a telework (remote work) policy that addresses multifactor access and security
requirements for the endpoint used?

Cryptography (ISO 10)

36 Does the organization use appropriate or vetted encryption methods to protect sensitive data in transit?

37 Do the policies indicate when encryption should be used (e.g., at rest, in transit, with sensitive or
confidential data, etc.)?

38 Are standards for key management documented and employed?

Physical and Environmental Security (ISO 11)

39 Do the organization's data centers include controls to ensure that only authorized parties are allowed
physical access?

40 Does the organization have preventative measures in place to protect critical hardware and wiring from
natural and man-made threats?

41 Does the organization have a process for issuing keys, codes, and/or cards that require appropriate
authorization and background checks for access to these sensitive facilities?

42 Does the organization follow vendor-recommended guidance for maintaining equipment?

43 Does the organization have a media-sanitization process that is applied to equipment prior to disposal,
reuse, or release?

44 Are there processes in place to detect the unauthorized removal of equipment, information, or software?

Operations Security (ISO 12)

45 Does the organization maintain security configuration standards for information systems and applications?

46 Are changes to information systems tested, authorized, and reported?

47 Are duties sufficiently segregated to ensure unintentional or unauthorized modification of information is
detected?

48 Are production systems separated from other stages of the development life cycle?

49 Does the organization have processes in place to monitor the utilization of key system resources and to
mitigate the risk of system downtime?

50 Are methods used to detect, quarantine, and eradicate known malicious code on information systems
including workstations, servers, and mobile computing devices?

51 Are methods used to detect and eradicate known malicious code transported by electronic mail, the web, or
removable media?

52 Is the data backup process frequency consistent with the availability requirements of the organization?

53 Does the organization have a process for posture checking, such as current antivirus software, firewall
enabled, OS patch level, etc., of devices as they connect to the network?

54 Does the organization have a segmented network architecture to provide different levels of security based
on the information's classification?

55 Are Internet-accessible servers protected by more than one security layer (firewalls, network IDS, host IDS,
application IDS)?

56 Are controls in place to protect, track, and report status of media that has been removed from secure
organization sites?

57 Does the organization have a process in place to ensure data related to electronic commerce (e-commerce)
traversing public networks is protected from fraudulent activity, unauthorized disclosure, or modification?

58 Are security-related activities such as hardware configuration changes, software configuration changes,
access attempts, and authorization and privilege assignments automatically logged?

59 Does the organization have a process for routinely monitoring logs to detect unauthorized and anomalous
activities?

60 Does the organization record the log reviews (recertification/attestation)?

61 Are steps taken to secure log data to prevent unauthorized access and tampering?

62 Does the organization regularly review administrative and operative access to audit logs?

63 Are file-integrity monitoring tools used to alert personnel to unauthorized modification of critical system
files, configuration files, or content files, and is the software configured to perform critical file comparisons at
least weekly?
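What question 63 asks for (a baseline of critical files, a periodic comparison against it, and an alert on any difference) can be built from a cryptographic hash and a little bookkeeping. The script below is an added example, not part of the assessment tool: it snapshots the SHA-256 hash, size and permission bits of every file under a directory, protects the stored baseline with an HMAC so that an attacker who edits a file cannot also quietly edit the baseline, and reports added, removed and modified files. The directory contents, file names and key are constructed for the demonstration.

```python
"""Added example: hash-based file-integrity monitoring with a tamper-evident baseline."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Snapshot hash, size and permission bits of every regular file under root (symlinks skipped)."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def _tag(key, baseline):
    body = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def save_baseline(baseline, path, key):
    """Write the baseline with an HMAC-SHA256 tag; keep the key off the monitored host."""
    Path(path).write_text(json.dumps({"baseline": baseline, "hmac": _tag(key, baseline)}))


def load_baseline(path, key):
    """Refuse a baseline whose tag does not verify: a forged baseline would hide the changes we look for."""
    doc = json.loads(Path(path).read_text())
    if not hmac.compare_digest(_tag(key, doc["baseline"]), doc["hmac"]):
        raise ValueError("baseline integrity check failed")
    return doc["baseline"]


def compare(baseline, current):
    """Diff two snapshots; 'modified' lists which attributes changed so an analyst can triage."""
    report = {"added": [], "removed": [], "modified": []}
    for path, meta in current.items():
        old = baseline.get(path)
        if old is None:
            report["added"].append(path)
        else:
            changed = sorted(k for k in meta if meta[k] != old.get(k))
            if changed:
                report["modified"].append({"path": path, "changed": changed})
    report["removed"] = sorted(p for p in baseline if p not in current)
    return report


def demo():
    """Constructed scenario: baseline a fake /etc, tamper with it, then run the scheduled comparison."""
    key = b"constructed-demo-key-keep-this-off-the-monitored-host"
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(etc), store, key)

        # Simulated attacker activity: weaken sshd, drop a startup script, delete a file.
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "rc.local").write_text("#!/bin/sh\n")
        (etc / "passwd").unlink()
        changes = compare(load_baseline(store, key), build_baseline(etc))

        # Simulated attempt to rewrite the baseline itself without the real key.
        save_baseline(build_baseline(etc), store, b"attacker-guessed-key")
        try:
            load_baseline(store, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"changes": changes, "baseline_tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the comparison from a cron entry or systemd timer; the question's "at least weekly" is a floor, and daily or event-driven runs shorten the window in which a modified configuration file goes unnoticed. The baseline and its key belong on a separate host or write-once store, for the same reason question 61 asks that log data be protected from tampering.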

64 Does the organization have a process to ensure synchronization of system clocks with an authoritative
source (e.g., via NTP) on a periodic basis commensurate with the potential risks?

Communications Security (ISO 13)

65 Does the organization require the use of confidentiality or nondisclosure agreements for employees and
third parties?

66 Does the organization routinely test its restore procedures?

67 Does the organization continuously monitor its wired and wireless networks for unauthorized access?

68 Does the organization have policies and procedures in place to protect exchanged information (within the
organization and in third-party agreements) from interception, copying, modification, misrouting, and
destruction?

69 Does the organization ensure that user access to diagnostic and configuration ports is restricted to
authorized individuals and applications?

70 Does the organization employ specific measures to prevent and detect rogue access points on all of its
wireless LANs?

Systems Acquisition, Development, and Maintenance (ISO 14)

71 Does the organization have a process for validating the security of purchased software products and
services?

72 Are new information systems or enhancements to existing information systems validated against defined
security requirements?

73 Have standards been established that address secure coding practices (e.g., input validation, proper error
handling, session management, etc.), and take into consideration common application security
vulnerabilities (e.g., CSRF, XSS, code injection, etc.)?

74 Are validation checks incorporated into applications to detect any corruption of information through
processing errors or deliberate acts?

75 Are processes in place to check whether message integrity is required?

76 Incorrect output may occur, even in tested systems. Does the organization have validation checks to ensure
data output is as expected?
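Questions 73 to 76 ask for secure-coding standards, input validation, integrity checks and output validation, and the guidance for them gives concrete examples: only digits in a zip code, an SSN shaped as ###-##-####, and the first five digits of an SSN replaced by asterisks on output. The block below is an added example of those checks in one place, not the tool's own code; the form fields and sample values are constructed. It validates with allow-list patterns (rejecting anything that does not match rather than trying to strip bad characters), applies the structural SSN rules, redacts on output, and HTML-escapes anything rendered into a page, which is the output-side defence against the XSS that question 73 names.

```python
"""Added example: allow-list input validation, output validation and redaction."""
import html
import re

# re.ASCII keeps \d to 0-9; without it Python's \d also matches other Unicode digits.
ZIP_RE = re.compile(r"^\d{5}(?:-\d{4})?$", re.ASCII)
SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$", re.ASCII)


class ValidationError(ValueError):
    pass


def validate_zip(value):
    """US ZIP or ZIP+4; anything else is rejected outright rather than 'cleaned'."""
    value = value.strip()
    if not ZIP_RE.fullmatch(value):
        raise ValidationError("zip must be 5 digits or 5+4 digits")
    return value


def validate_ssn(value):
    """Format ###-##-#### plus the SSA structural rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    m = SSN_RE.fullmatch(value.strip())
    if not m:
        raise ValidationError("ssn must look like ###-##-####")
    area, group, serial = m.groups()
    if area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000":
        raise ValidationError("ssn has an invalid area, group or serial")
    return m.group(0)


VALIDATORS = {"zip": validate_zip, "ssn": validate_ssn}


def validate_record(form):
    """Validate every known field; unknown fields are dropped and errors are collected per field."""
    clean, errors = {}, {}
    for name, fn in VALIDATORS.items():
        try:
            clean[name] = fn(form.get(name, ""))
        except ValidationError as e:
            errors[name] = str(e)
    return clean, errors


def redact_ssn(ssn):
    """Output validation: refuse to emit anything that is not a valid SSN, then mask the first five digits."""
    return "***-**-" + validate_ssn(ssn)[-4:]


def render_field(value):
    """Escape before inserting into HTML so a stored value cannot become script (XSS)."""
    return html.escape(str(value), quote=True)


# Constructed form submissions.
GOOD_FORM = {"zip": "02138", "ssn": "123-45-6789", "ignored": "x"}
BAD_FORM = {"zip": "0213a", "ssn": "666-45-6789"}

if __name__ == "__main__":
    clean, errors = validate_record(GOOD_FORM)
    print(clean, errors, redact_ssn(clean["ssn"]))
    print(validate_record(BAD_FORM))
    print(render_field("<script>alert(1)</script>"))
```

Validating again at the output boundary, as redact_ssn does, is what question 76 is getting at: a value that was valid when stored can still be corrupted in the database or by a later processing step, and the last check before display is the one that catches it.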

77 Does the organization establish procedures for maintaining source code during the development life cycle
and while in production to reduce the risk of software corruption?

78 Does the organization apply the same security standards to sensitive test data that apply to sensitive
production data?

79 Does the organization restrict and monitor access to source code libraries to reduce the risk of corruption?

80 Does the organization have a configuration-management process in place to ensure that changes to critical
systems are for valid business reasons and have received proper authorization?

81 Are reviews and tests performed to ensure that changes made to production systems do not have an
adverse impact on security or operations?

82 Has the organization implemented tools and procedures to monitor for and prevent loss of sensitive data?

83 Do contract agreements include security requirements for outsourced software development?

84 Does the organization have a patch management strategy in place and responsibilities assigned for
monitoring and promptly responding to patch releases, security bulletins, and vulnerability reports?

Supplier Relationships (ISO 15)

85 Does the organization specify security requirements in contracts with external entities (third party) before
granting access to sensitive organizational information assets?

86 Are requirements addressed and remediated prior to granting access to data, assets, and information
systems?

87 Do agreements for external information system services specify appropriate security requirements?

88 Does the organization have a process in place for assessing that external information system providers
comply with appropriate security requirements?

89 Is external information system services provider compliance with security controls monitored?

90 Are external information system service agreements executed and routinely reviewed to ensure security
requirements are current?

Information Security Incident Management (ISO 16)

91 Are incident-handling procedures in place to report and respond to security events throughout the incident
life cycle, including the definition of roles and responsibilities?

92 Are the incident response staff aware of legal or compliance requirements surrounding evidence collection?

Information Security Aspects of Business Continuity Management (ISO 17)



93 Does the organization have a documented business continuity plan for information technology that is based
on a business impact analysis, is periodically tested, and has been reviewed and approved by senior staff or
the board of trustees?

Compliance (ISO 18)

94 Does the organization have a records management or data governance policy that addresses the life cycle of
both paper and electronic records at your organization?

95 Does the organization have an enforceable data protection policy that covers personally identifiable
information (PII)?

96 Does the organization have an Acceptable Use Policy that defines misuse?

97 Does the organization provide guidance for the community on export control laws?

98 Are standard operating procedures periodically evaluated for compliance with the organization's security
policies, standards, and procedures?

99 Does the organization perform periodic application and network layer vulnerability testing or penetration
testing against critical information systems?

100 Does the organization perform independent audits on information systems to identify strengths and
weaknesses?

101 Are audit tools properly separated from development and operational system environments to prevent any
misuse or compromise?

Average maturity (percentage & levels)


INSTITUTION NAME GOES HERE 12/11/2019 18

Current Current
Description
Maturity Level Score

0.00

e.g., Risk management program.

Not Performed 0

Not Performed 0

Not Performed 0

0.00

A published policy that has been approved by upper management.


Not Performed 0

Is it freely available on a website, handbook, or is shared with employees when they are first
hired? Not Performed 0

Is the policy being audited as well as audited against it during a defined interval?
Not Performed 0

0.00
INSTITUTION NAME GOES HERE 12/11/2019 19

Does the individual or group responsible for information security have the necessary buy-in and
support from the rest of the organization to fulfill its function, including setting policy, issuing
sanctions, prioritizing funding, etc.? Not Performed 0

Is there a dedicated, established role (e.g., CIO, CISO, CSO, or other) for information security
across the organization? Someplace where the 'buck stops'? Not Performed 0

Information security comprises many different functional areas. Have resources been formally
designated to cover each of the areas mentioned? Not Performed 0

Is information security assessment a formal part of the life cycle when bringing in new equipment,
software, and/or services? Not Performed 0

e.g., local law enforcement bodies (police, security agencies, district attorney's office, etc.)
Not Performed 0

e.g., InfraGard, ISACA, ISSA, ENISA, ANSSI, etc.


Not Performed 0

e.g., external audits, penetration tests, scans, etc.


Not Performed 0

0.00

Online, in person, or a combination of events, newsletters, e-mails, etc., with security awareness
training. Threshold is defined by organization and compliance requirements. Not Performed 0

For example, HIPAA for staff in the counseling center or PCI training for cashiers.
Not Performed 0

Are employee responsibilities, liabilities (impediments to successfully carrying out responsibilities),


and penalties for noncompliance clearly outlined and communicated? Not Performed 0
INSTITUTION NAME GOES HERE 12/11/2019 20

For example, an off-boarding process that requires sign-off and debrief.


Not Performed 0

Identity and access management system that automates revocation or a manual process that
processes employment or role changes and produces auditable records of any changes. Not Performed 0

0.00

This question is looking at whether a formal or informal business impact analysis has occurred. Has
anyone in the organization identified information assets that are considered essential to the
business and the systems that support them, for continuity or otherwise? Not Performed 0

Agreed-upon classifications (for example, confidential, official-use only, and unrestricted) are
defined and applied. Not Performed 0

0.00

Not Performed 0

Not Performed 0

A password management program enforces secure password attributes such as password length,
maximum age, character requirements, and uniqueness (history). Not Performed 0

Not Performed 0

Specific measures might include allowed methods, usage restrictions, monitoring, authorization,
and enforcement. Not Performed 0

Not Performed 0
INSTITUTION NAME GOES HERE 12/11/2019 21

Digital identities should be managed from the time they are issued, upon any privilege changes,
and through termination. Management includes things like issuing unique accounts should be
unique for each user maintaining the minimum privileges needed to perform job duties. Not Performed 0

Not Performed 0

A generic account is one that is shared by multiple individuals. There are certain situations in
which generic accounts cannot be avoided (e.g., root for Linux or Administrator for Windows). In
these cases compensating controls should be put in place, such as logging. Not Performed 0

Having more secure authentication mechanisms such as more complex passwords or multifactor
authentication. Not Performed 0

What is the length of time the account is locked before it is 'automatically' unlocked?
Not Performed 0

Not Performed 0

e.g., BYOD policy


Not Performed 0

Not Performed 0

Authentication factors include something you know, something you have, or something you are.
Not Performed 0

0.00

Some encryption algorithms are deprecated due to weaknesses. Some algorithms are
inappropriate in selected situations. Do you review these details? Not Performed 0
INSTITUTION NAME GOES HERE 12/11/2019 22

Are there any published security standards in place that dictate appropriate security controls
based on data sensitivity or classification? Do those standards include encryption controls? Not Performed 0

Are there any specific required algorithms in place for encryption and digital signing? Are there any
standards in place for symmetric and asymmetric key sizes ? Are encryption keys required to be
periodically changed? Are there any procedures for revoking encryption keys? Not Performed 0

0.00

e.g., escort required, biometrics, cameras, badges, etc.


Not Performed 0

such as redundancy and backup plans, procedures, and technology that are in place to restore
operations in case of disaster" Not Performed 0

Documentation and staff are assigned responsibility for authorizing, facilitating, or performing
background checks and issuing devices or codes that provide access once authorization is received.
Evidence that process has been followed and is routinely audited against.
Not Performed 0

Such as minimum system requirements, maintenance schedules, etc.


Not Performed 0

Documented process that describes how media is sanitized through contract or assigned staff use
approved methods. In some cases verified or certified disposal may be appropriate. Not Performed 0

Routine review of inventories, staff assigned to respond to alarms, staff visually monitoring,
cameras being reviewed. Not Performed 0

0.00

How mature are the 'hardening' standards for various platforms to provide stronger security
settings than provided as-shipped? Not Performed 0
INSTITUTION NAME GOES HERE 12/11/2019 23

Is there any change control process in place for production systems such that changes are simply
not made 'on the fly' by programmers, system administrators, DBAs, or others ? Not Performed 0

How good is the separation of duties? Do developers have access to production? DBAs unaudited
access to production databases? Not Performed 0

On separate platforms? Separate access control? Monitored more carefully?


Not Performed 0

For example, monitoring CPU utilization and free disk space across a range of production systems.
Not Performed 0

Antivirus and similar. Note that malicious code includes 'logic bombs' planted by malicious insiders.
Not Performed 0

Anti-malware in e-mail gateways, web proxies, and endpoints.


Not Performed 0

If the data has to be restore, is it backed up frequently enough that nothing important would be
lost? Not Performed 0

This is sometimes known as Network Admission/Access Control (NAC).


Not Performed 0

Does more sensitive information use a separate portion of the network?


Not Performed 0

Note that an 'all-in-one' or 'multifunction' or 'next-generation firewall' device provides multiple


layers in one piece of hardware, the question is about functionality, not number of boxes. Not Performed 0

Is the removal of media from the site documented in a log? Note that this is for 'secure sites', so it
covers taking tapes from a data center, not thumb drives from an office. Not Performed 0

Credit cards, bank transfers, electronic purchase orders, etc.


Not Performed 0
INSTITUTION NAME GOES HERE 12/11/2019 24

This includes both logging by the operating system/software and other logging, such as in a
ticketing system or knowledgebase. Not Performed 0

Not Performed 0

It is desirable to record that someone reviews logs or log summaries. Not Performed 0

This includes techniques such as remote logging to another system. Not Performed 0

Logs can be manipulated to cover up malicious activity. Not Performed 0

Not Performed 0

Time synchronization using atomic clocks or network time sources. Not Performed 0

0.00

Not Performed 0

Backups sometimes fail, and staff sometimes aren't familiar with restore procedures in a crisis.
Testing mitigates these issues. Not Performed 0

By unauthorized users and for unauthorized fake access points or devices manipulating traffic.
Not Performed 0

Data 'feeds' between systems and organizations are frequently a weak point. How strongly are all
such feeds secured and monitored? Not Performed 0

Not Performed 0

Not Performed 0

0.00

e.g., review of security settings/posture and evaluation/audit of those settings. Not Performed 0

e.g., CIS audit benchmarks. Not Performed 0

e.g., OWASP secure development framework. Not Performed 0

Do applications filter input (i.e., input validation) to ensure only expected characters are processed
(e.g., only numbers are entered into a zip code field)? Do applications check size and format of
data (e.g., does an SSN appear as ###-##-####)? Not Performed 0

Integrity controls are often employed inline with encryption controls for sensitive data
transmission. Are there any published security standards in place that dictate appropriate security
controls based on data sensitivity or classification? Do those standards include integrity controls
(e.g., digital signing)? Not Performed 0

Do applications perform checks to ensure output is reasonable and expected (i.e., output
validation)? Is sensitive data redacted in output (e.g., replacing the first five digits of an SSN with asterisks)? Not Performed 0

Does the organization maintain a source code repository? Does the repository maintain a history?
Are checksums for source code maintained? Not Performed 0

Data should be safeguarded based on its classification or level of sensitivity, not based on the type
of environment that is storing and/or processing the data. Does the organization have a data
classification scheme? Are safeguards prescribed based on data classification?
Not Performed 0

Does the organization maintain a source code repository? Does this source code repository
require authentication? Is access to source code based on the rule of least privilege? Is access to
source code audited? Not Performed 0

Are changes to critical systems documented? Does this documentation include a business case?
Are changes reviewed and approved by management prior to implementation? Are changes
accepted by the system or application owner? Not Performed 0

Are changes evaluated for impact on existing security controls? Are vulnerability scans performed
after a change has been implemented? Is more thorough testing performed on an annual basis?
Are business continuity and disaster recovery plans updated as appropriate? Not Performed 0

Tools and procedures may include IDS/IPS, network flow monitoring tools (e.g., NetFlow, Argus,
etc.), data loss prevention or content monitoring solutions for Internet and/or e-mail gateways,
masking of sensitive data where there is not a business need, multifactor authentication to
systems that store sensitive data, physical access controls for facilities that store sensitive data, etc. Not Performed 0

Is it required for source code to be escrowed? Is the right to audit the quality and security of
source code reserved? Is the ownership of intellectual property established? Is notice of
security breaches required? Not Performed 0

Is there an accurate inventory of software systems in place? Are there alert mechanisms
established for newly discovered vulnerabilities in these software systems? Are there
processes in place for evaluating the criticality of newly released security patches? Are there
maintenance schedules and exception procedures established for critical security patches? Are
there regular system scans for vulnerabilities, with findings reported to system and/or application
owners? Not Performed 0

0.00

How well has the organization formalized and secured outsider access to its resources (e.g., networks,
systems, data)? Not Performed 0

e.g., Does the organization have controls in place that detect failure to meet minimum
requirements and block access until such deficiencies are corrected? Not Performed 0

For example, security requirements described in service providers' contracts. Not Performed 0

Does the organization perform risk assessments or reviews of external vendors prior to working
with them? Not Performed 0

Does the organization audit or otherwise monitor the security of external vendors over time?
Not Performed 0

For example, contracts undergo an annual security review. Not Performed 0

0.00

Not Performed 0

Not Performed 0

0.00

Is there a well-defined IT disaster recovery plan in place, supporting business continuity plan,
and/or incident response plan? Is it being tested on a regular basis, either by holding tabletop
exercises or through an actual working exercise that involves recovering data according to the
published plan? Has this plan been vetted by business partners and/or trustees by validating the
results of a business impact analysis? Not Performed 0

0.00

Also known as a Data Retention Policy. Not Performed 0

Has the organization defined data classes, such as confidential, secure, protected, etc.? Are there
well-defined policies around these data types noting how the data should be stored and used?
Not Performed 0

Misuse of data or resources. Not Performed 0

Are these policies published on a website or handbook? Is there a well-known subject matter
expert who can be consulted if questions arise? Not Performed 0

Are departments' procedures checked against the latest organization policies to make
sure they do not introduce exposures to their data or risk into their environment? Not Performed 0

Is regular penetration testing being performed? Are vulnerability-checking tools being used on a
regular basis? Not Performed 0

Are there any outside auditors or firms being called to validate data security?
Not Performed 0

Are audit tools being kept away from unauthorized personnel so they can't find out about where
the vulnerabilities may be and how to exploit them? Not Performed 0

0% Current State 0.00



Desired Maturity Level | Desired Score | Notes
Not Performed | 0 (default for every question row; each section subtotal 0.00)
Desired State 0.00


ID No. | ISO 27002:2013 | NIST SP 800-53 r4 Controls | NIST 800-171 r1 Controls

Risk Management (ISO 27005:2011)
1 | No direct mapping, see ISO 27005 (risk management) | RA-1 | 3.11.1
2 | No direct mapping, see ISO 27005 (risk management) | RA-2 | 3.11.1
3 | No direct mapping, see ISO 27005 (risk management) | RA-3 | 3.11.1

Information Security Policies (ISO 5)
4 | 5. Information Security Policies | PL Family |
5 | 5.1 Management direction for information security | PL Family |
6 | 5.1.1 Policies for information security | PL Family | 3.12.4

Organization of Information Security (ISO 6)
7 | 7.2.1 Management responsibilities | PM-2, PM-3, PM-9; SP 800-39, SP 800-37 |
8 | Deleted from ISO 27002:2013 | CP-2, CP-4, IR-4, PL-1, PL-2, PM-2, SA-2; SP 800-39, SP 800-37 |
9 | 6.1.1 Information security roles and responsibilities | AC-5, AC-6, CM-9, PM-2; SP 800-39, SP 800-37 |
10 | Deleted from ISO 27002:2013 | CA-1, CA-6, PM-10; SP 800-37 |
11 | 6.1.3 Contact with authorities | Multiple controls with contact reference (e.g., IR-6, SI-5), SP 800-39; SP 800-37 |
12 | 6.1.4 Contact with special interest groups | AT-5, SI-5 |
13 | 18.2.1 Independent review of information security | CA-2, CA-7; SP 800-39, SP 800-37 |

Human Resource Security (ISO 7)
14 | 7.2.2 Information security awareness, education and training | AT-2, AT-3, IR-2 | 3.2.1; 3.2.2
15 | 7.2.3 Disciplinary process | AT-3, PS-8 |
16 | 7.3 Termination and change of employment | PS-4 |
17 | 7.3.1 Termination or change of employment responsibilities; 8.1.4 Return of assets; 9.2.6 Removal or adjustment of access rights; 11.1 Secure areas; 11.1.1 Physical security perimeter | AC-2, PS-4, PS-5, PE-3 |
18 | 11.1.2 Physical entry controls; 11.1.3 Securing offices, rooms and facilities | PE-3, PE-4, PE-5, PE-6 |

Asset Management (ISO 8)
19 | 8.1.1 Inventory of assets | CM-8, CM-9, PM-5 | 3.4.1
20 | 8.1.2 Ownership of assets | CM-8, CM-9, PM-5, AC-16, AC-20, PL-4, RA-2, MP-2, MP-3, SC-16 | 3.4.1

Access Control (ISO 9)
21 | 9.1 Business requirements of access control | AC-1 | 3.1
22 | 9.1.1 Access control policy; 9.2 User access management | AC-1, AC-3, AC-5, AC-6, AC-7, AC-9, AC-17, AC-18, AC-19, CM-5, MP-1, SI-9 | 3.1.1; 3.1.2; 3.1.4; 3.1.5
23 | 9.2.1 User registration and deregistration; 9.2.2 User access provisioning; 9.2.3 Management of privileged access rights | AC-1, AC-2, AC-6, AC-21, IA-5, PE-1, PE-2, SI-9 | 3.1.1; 3.1.2; 3.1.4; 3.1.5
24 | 9.2.4 Management of secret authentication information of users | AC-6, IA-5 |
25 | 9.2.5 Review of user access rights; 9.3 User responsibilities; 9.3.1 Use of secret authentication information; 11.2.8 Unattended user equipment; 11.2.9 Clear desk and clear screen policy; 13. Communications security; 9.1.2 Access to networks and network services | AC-1, AC-2, AC-5, AC-6, AC-11, AC-17, AC-18, AC-20, IA-2, IA-5, PE-2, PE-3, PE-5, PE-18, SC-10, MP-4 | 3.1.1; 3.1.2; 3.1.4; 3.1.5
26 | Deleted from ISO 27002:2013 | AC-3, AC-6, AC-17, AC-18, SC-7 |
27 | 9.4 System and application access control | AC-4, AC-17, AC-18 |
28 | 9.4.2 Secure log-on procedures | AC-7, AC-8, AC-9, AC-10, IA-2, IA-6, IA-8, SC-10 | 3.1.8
29 | 9.2.1 User registration and deregistration; 9.2.2 User access provisioning | IA-2, IA-4, IA-5, IA-8 |
30 | 9.1.1 Access control policy; 9.2 User access management; 9.2.3 Management of privileged access rights | AC-5, AC-24 | 3.1.4; 3.1.5; 3.1.6; 3.1.7; 3.5.3
31 | 9.4.3 Password management system | IA-2, IA-5 | 3.5.5
32 | 9.4.2 Secure log-on procedures; 9.4.4 Use of privileged utility programs | AC-2, AC-3, AC-6, AC-11, AC-14, CM-5, SC-10 | 3.1.6; 3.1.7; 3.1.8; 3.4.5
33 | 9.4.1 Information access restriction; 6.2 Mobile devices and teleworking | AC-19, SC-7; SP 800-39 |
34 | 6.2.1 Mobile device policy | AC-1, AC-17, AC-18, AC-19, PL-4, PS-6 | 3.1.12; 3.1.16; 3.1.18
35 | 6.2 Mobile devices and teleworking; 6.2.1 Mobile device policy; 6.2.2 Teleworking | AC-19, AC-24 | 3.1.18

Cryptography (ISO 10)
36 | 10. Cryptography | SC-13 | 3.1.19
37 | 10. Cryptography | SC-13 | 3.1.19
38 | 10.1.1 Policy on the use of cryptographic controls | Multiple controls address cryptography (e.g., IA-7, SC-8, SC-9, SC-12, SC-13) | 3.13.10

Physical and Environmental Security (ISO 11)
39 | 11.1.4 Protecting against external and environmental threats | CP Family; PE-1, PE-2, PE-9, PE-10, PE-11, PE-13, PE-15 | 3.10.1
40 | 11.1.5 Working in secure areas; 11.1.6 Delivery and loading areas; 11.2 Equipment | AT-2, AT-3, PL-4, PS-6, PE-1, PE-2, PE-3, PE-4, PE-6, PE-8, PE-9, PE-11, PE-12, PE-14, PE-16, PE-18 | 3.10.2
41 | 11.2.4 Equipment maintenance; 11.2.6 Security of equipment and assets off-premises | MA Family, MP-5, PE-1, PE-3, PE-6 | 3.10.5
42 | 11.2.7 Secure disposal or re-use of equipment | MP-6 |
43 | 11.2.5 Removal of assets; 12. Operations security | MP-5, MP-6, PE-16 | 3.8.3
44 | 12.1.1 Documented operating procedures | CM-9, PE-19, PE-20 | 3.8.7

Operations Security (ISO 12)
45 | 12.1.2 Change management | CM-1, CM-3, CM-4, CM-5, CM-9 | 3.4.1; 3.4.2
46 | 12.1.2 Change management | AC-5 | 3.4.4
47 | 6.1.2 Segregation of duties | CM-2 |
48 | 15.2.1 Monitoring and review of supplier services | SA-9 |
49 | 12.1.3 Capacity management | AU-4, AU-5, CP-2, SA-2, SC-5 |
50 | 12.2.1 Controls against malware | AC-19, AT-2, PE-20, SA-8, SC-2, SC-3, SC-7, SC-14, SC-38, SI-3, SI-7 | 3.13.13; 3.14.2
51 | 12.2.1 Controls against malware | SI-8 | 3.14.2
52 | 12.3.1 Information backup | CP-9 |
53 | 9.1.2 Access to networks and network services | PE-2, PE-3, PE-6, PE-7, PE-8, PE-18 |
54 | 12.1.4 Separation of development, testing and operational environments; 13.1.3 Segregation in networks | SC-32 |
55 | 13.1.1 Network controls | AU-1, AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, AU-14, SI-4 |
56 | 8.3.1 Management of removable media; 8.3.2 Disposal of media; 8.2.3 Handling of assets; 13.2 Information transfer | PE-16, SI-12, MP Family |
57 | 14.1.2 Securing application services on public networks; 14.1.3 Protecting application services transactions | AU-10, IA-8, SC-3, SC-7, SC-8, SC-9, SC-3, SC-14 |
58 | 12.4.1 Event logging | AU-1, AU-2, AU-3, AU-4, AU-5, AU-8, AU-11, AU-12 | 3.3
59 | 12.4.2 Protection of log information | AU-1, AU-6, AU-7, AU-9, PE-6, PE-8, SC-7, SI-4 | 3.3.3; 3.3.5
60 | 12.4.1 Event logging; 12.4.3 Administrator and operator logs | AU-12 | 3.3.1; 3.3.2
61 | 12.4.1 Event logging; 12.4.2 Protection of log information | AU-8, AU-9, AU-11 | 3.3.8
62 | 12.4.3 Administrator and operator logs | AU-2, AU-12 | 3.3.1; 3.3.2
63 | 14.2.2 System change control procedures; 12.4.1 Event logging | SA-13 | 3.14.3
64 | 12.4.1 Event logging; 12.4.4 Clock synchronization | AU-2, AU-12, SI-2 | 3.3.1; 3.3.7

Communications Security (ISO 13)
65 | 13.2.4 Confidentiality or nondisclosure agreements | PL-4, PS-6, SA-9 |
66 | 13.1 Network security management | CP-9, CP-10 |
67 | 13.1.1 Network controls; 13.1.2 Security of network services | AC-4, AC-17, AC-18, AC-20, CA-3, CP-8, PE-5, SC-7, SC-8, SC-9, SC-10, SC-19, SC-20, SC-21, SC-22, SC-23 | 3.13.1
68 | 13.2.1 Information transfer policies and procedures; 13.2.2 Agreements on information transfer; 13.2.3 Electronic messaging | Multiple controls; electronic messaging not addressed separately in SP 800-53. AC-1, AC-3, AC-4, AC-17, AC-18, AC-20, CA-3, PL-4, PS-6, SC-7, SC-16, SI-9, CA-3, SA-9, MP-5 |
69 | 13.1.1 Network controls | AC-17, AC-18, AC-19, AC-20, CA-3, IA-2, IA-3, IA-8 |
70 | 13.1.3 Segregation in networks | AC-3, AC-6, AC-17, AC-18, PE-3, MA-3, MA-4, SC-4 |

Systems Acquisition, Development, and Maintenance (ISO 14)
71 | 14. System acquisition, development and maintenance | AC-1, AC-4, AC-17, AC-18, PE-17, PL-4, PS-6 |
72 | 14.1 Security requirements of information systems | |
73 | 14.1.1 Information security requirements analysis and specification; 14.1.2 Securing application services on public networks | PL-7, PL-8, SA-1, SA-3, SA-4 |
74 | Deleted from ISO 27002:2013 | SI-10 |
75 | Deleted from ISO 27002:2013 | SI-7, SI-9, SI-10 |
76 | Deleted from ISO 27002:2013 | AU-10, SC-8, SC-23, SI-7 |
77 | 10.1.2 Key management; 12.5 Control of operational software | SC-12, SC-17 |
78 | 12.5.1 Installation of software on operational systems; 12.6.2 Restrictions on software installation | CM-1, CM-2, CM-3, CM-4, CM-5, CM-9, CM-10, CM-11, PL-4 | 3.4.8; 3.4.9
79 | 14.3.1 Protection of test data | |
80 | 9.4.5 Access control to program source code | AC-3, AC-6, CM-5, CM-9, MA-5, SA-10 |
81 | 12.2.1 Secure development policy | SC-2, SC-3, SC-4, SC-5, SC-6, SC-7, SC-8, SC-9, SC-10, SC-11, SC-12, SC-13, SC-14, SC-17, SC-18, SC-20, SC-21, SC-22, SC-23 |
82 | 14.2.2 System change control procedures; 14.2.3 Technical review of applications after operating platform changes; 14.2.4 Restrictions on changes to software packages | CM-1, CM-3, CM-4, CM-5, CM-9, SA-10, SI-2 |
83 | Deleted from ISO 27002:2013 | AC-4, IR-9, PE-19 |
84 | 14.2.7 Outsourced development | CM-10, CM-11, SA-1, SA-4, SA-8, SA-9, SA-11, SA-12, SA-15, SA-17 |

Supplier Relationships (ISO 15)
85 | Deleted from ISO 27002:2013 | CA-3, PM-9, RA-3, SA-1, SA-9, SC-7 |
86 | 15.1.2 Addressing security within supplier agreements | AU-16, CA-2, CA-3, PS-7, SA-9 |
87 | 15.2.1 Monitoring and review of supplier services; 15.2.2 Managing changes to supplier services | RA-3, SA-9, SA-10 |
88 | 15.1.1 Information security policy for supplier relationships; 15.1.2 Addressing security within supplier agreements | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1 |
89 | 15.1.1 Information security policy for supplier relationships; 15.1.2 Addressing security within supplier agreements | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1 |
90 | 15.1.1 Information security policy for supplier relationships; 15.1.2 Addressing security within supplier agreements | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1 |

Information Security Incident Management (ISO 16)
91 | 16.1.4 Assessment of and decision on information security events | RA-3, RA-5, SI-2, SI-5 | 3.6.1; 3.14.3
92 | 16.1 Management of information security incidents and improvements; 16.1.1 Responsibilities and procedures; 16.1.2 Reporting information security events; 16.1.3 Reporting information security weaknesses; 16.1.6 Learning from information security incidents | AU-6, IR-1, IR-4, IR-6, SI-2, SI-4, SI-5, PL-4 |

Information Security Aspects of Business Continuity Management (ISO 17)
93 | 17. Information security aspects of business continuity management | AU-7, AU-9, IR-4 |

Compliance (ISO 18)
94 | 18.1 Compliance with legal and contractual requirements | CP-1, CP-2, CP-4, PM-9, RA Family |
95 | 18.1.3 Protection of records | AU-9, AU-11, CP-9, MP-1, MP-4, SA-5, SI-12 |
96 | 18.1.4 Privacy and protection of personally identifiable information | Appendix J; SI-12 |
97 | Deleted from ISO 27002:2013 | AC-8, AU-6, CM-11, PL-4, PS-6, PS-8 |
98 | 18.1.5 Regulation of cryptographic controls | IA-7, SC-13 |
99 | 18.2.2 Compliance with security policies and standards | AC-2, CA-2, CA-7, IA-7, PE-8, SI-12 |
100 | 18.2.3 Technical compliance review | CA-2, CA-7, RA-5 |
101 | 12.7.1 Information systems audit controls | AU-1, AU-2, AU-9 | 3.3.1; 3.3.2
NIST Cybersecurity Framework | CIS 20 Critical Security Controls (ver 6.1)
ID.RM-1 |
ID.RM-1 |
ID.RM-1, ID.GV-4 |
ID.GV-1 |
ID.GV-1 |
ID.GV-1 |
ID.AM-6; ID.GV-2 |
ID.AM-6 |
DE.DP-4, RS.CO-3, RS.CO-5 |
RS.CO-5 |
PR.AT-1 | CSC 17
PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5 | CSC 17
PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-6 |
PR.AC-4, PR.DS-3 | CSC 16
PR.AC-4, PR.DS-3 | CSC 16
ID.AM-1, ID.AM-2 | CSC 1 (devices), CSC 2 (software), CSC 13 (data)
ID.AM-5 | CSC 13
PR.AC-1, PR.AC-4 |
PR.AC-1, PR.AC-4 | CSC 5, CSC 16
PR.AC-1, PR.AC-4 | CSC 5
PR.AC-4 | CSC 5
PR.AC-3 | CSC 3
PR.DS-5 |
PR.DS-6 | CSC 5, CSC 16
| CSC 16
PR.AC-1, PR.AC-4 | CSC 5
| CSC 5
| CSC 16
| CSC 13
| CSC 14
PR.AC-3 |
PR.DS-2 | CSC 14
PR.DS-1, PR.DS-2, PR.DS-6 | CSC 14
PR.PT-3, PR.AC-2 |
PR.IP-5, PR.DS-4 |
PR.IP-5, PR.PT-3 |
PR.MA-1 |
PR.IP-6 |
PR.DS-3, PR.DS-5 |
PR.IP-1 | CSC 3
PR.IP-2, PR.IP-3 |
PR.AC-4 |
PR.DS-8 |
DE.AE-1, PR.DS-4 |
DE.CM-4, RS.MI-1, RS.MI-2 | CSC 4, CSC 8
DE.CM-4, RS.MI-1, RS.MI-2 | CSC 7, CSC 8
PR.IP-4 | CSC 10
| CSC 11
PR.AC-5 | CSC 9, CSC 12, CSC 14
| CSC 11
PR.PT-2, PR.IP-6 | CSC 13
PR.PT-1 | CSC 4, CSC 6
PR.PT-1 | CSC 4, CSC 6
PR.PT-1 | CSC 4, CSC 6
PR.PT-1 | CSC 4, CSC 6
PR.PT-1 | CSC 4, CSC 6
PR.DS-7 | CSC 3
| CSC 6
PR.IP-11 |
PR.IP-4 | CSC 10
DE.CM-1 | CSC 15
PR.DS-1, PR.DS-2, PR.DS-5, PR.IP-6 | CSC 14
| CSC 12
DE.CM-7 | CSC 15
ID.AM-4 | CSC 3
| CSC 3
PR.IP-12 | CSC 18
PR.DS-7 |
| CSC 18
PR.DS-8 |
| CSC 18
PR.IP-3 |
PR.IP-3 |
PR.DS-5 |
ID.AM-6 |
PR.IP-12 | CSC 4
ID.AM-4 |
ID.AM-4 |
ID.AM-4 |
ID.AM-4 |
ID.AM-4 |
RS.RP-1, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4 | CSC 19
ID.GV-3, RS.AN-3 | CSC 19
PR.IP-9 | CSC 10
ID.GV-2 |
ID.GV-3 |
PR.IP-12, DE.CM-8 |
PR.IP-7 |
Description | Value
Not Performed | 0
Performed Informally | 1
Planned | 2
Well Defined | 3
Quantitatively Controlled | 4
Continuously Improving | 5
Not Applicable |
