Q1 Does a formally documented cyber security strategy exist and who is it approved by within the organisation?
A  A formally documented cyber security strategy that defines a short-, medium-, and long-term target maturity state is approved at board/senior executive level. The strategy is reviewed annually or more frequently as appropriate in response to changes to business objectives, organisational structures, and any external factors.
B  A formally documented cyber security strategy is approved at board/senior executive level. The strategy is risk-based and considers business objectives. The strategy is reviewed once annually.
C  A formally documented cyber security strategy is approved by an operational or technology lead. The strategy does not consider business objectives. It is reviewed at ad hoc intervals.
D  There is no formally documented cyber security strategy.
Q2 Does a formally documented framework (including policies, standards, and delivery programme) exist to maintain your security posture and to deliver the cyber security strategy?
A  A formally documented cyber security framework is approved at board/senior executive level and is reviewed at least annually. The framework covers business/internal and external requirements (e.g., legal, regulatory). Either the independent risk function or the audit function confirms that the framework aligns to industry standards.
B  A formally documented cyber security framework is approved by a senior executive and reviewed at set intervals, but not in the last 12 months. The framework considers internal and external requirements. The framework aligns to industry standards, but this has not been independently confirmed.
C  A formally documented cyber security framework is approved by an operational or technology lead, and is reviewed on an ad hoc/infrequent basis. The framework may or may not align to industry standards.
D  There is no formally documented cyber security framework to deliver the cyber strategy.
Q3 Has a senior executive been appointed who is accountable for the oversight and delivery of cyber security within the organisation?
A  A senior executive (e.g., COO, CIO) has been appointed who is accountable for the oversight and delivery of cyber security and the assignment of associated roles and responsibilities. This is either their dedicated role or a significant proportion of their role.
B  A senior executive has been appointed who is accountable for the oversight and delivery of cyber security and the assignment of associated roles and responsibilities. This is either not their dedicated role or not a significant proportion of their role.
C  Someone (not a senior executive) within the organisation has been appointed and is accountable for the oversight and delivery of cyber security and the assignment of associated roles and responsibilities. There are plans to appoint a senior executive in the future.
D  No-one has been appointed to be accountable for the oversight and delivery of cyber security.
Q4 What level of cyber security knowledge and skills exists at the senior executive level?
A  The board and/or all senior executives have sufficient understanding to provide effective oversight of the firm's cyber security strategy and cyber risk management. At least one senior executive has specialist knowledge and skills which the other executives can draw on.
B  A number of board members/senior executives have sufficient understanding to provide effective oversight of the firm's cyber security strategy and cyber risk management. Training is scheduled to develop other senior executives' capabilities in the next 12 months.
C  The board/senior executives are currently dependent on external knowledge and skills to provide effective oversight of the firm's cyber security strategy and cyber risk management. There is a plan to address this in the next 12 months.
D  No senior executives currently have the relevant knowledge and skills to provide effective oversight of the firm's cyber security strategy and cyber risk management. There are no plans in place to address this.
Q5 Are risks to cyber security managed effectively?
A  Cyber risks are individually identified together with their risk appetite statements. These risks and appetite statements are monitored, assessed, and prioritised to reflect the current threat landscape and the effectiveness of the internal control environment. Cyber risks and their associated risk appetite statements are integrated into the enterprise risk management framework.
B  Cyber risks are individually identified, monitored, and prioritised against an overall high-level organisational cyber risk appetite and are reviewed at set intervals. Cyber risks are translated within the enterprise risk framework.
C  Cyber risks are primarily identified and managed locally. Risks are re-assessed on an ad hoc or infrequent basis. There is limited visibility at an organisational level, with ad hoc integration into the broader enterprise risk management process.
D  There is little to no formalised structure or process to manage cyber risk.
Q6 To what extent are cyber and related skills held across the security, risk, and audit functions?
A  Cyber and related skills are held (or can be accessed on demand) by the security function, the independent risk function, and the audit function to deliver the cyber strategy and framework, assess residual cyber risks, and assure the control environment. Any further recruitment and/or training activities are informed by the evolving cyber/IT landscape and organisational needs.
B  Cyber and related skills gaps have been identified in either the independent risk function or the audit function. Recruitment and training activities are being driven by the identified skills gaps and the cyber landscape.
C  Cyber and related skills gaps have been identified in both the independent risk function and the audit function, or in the security function. Recruitment and training activities are driven by the need to resolve skills gaps.
D  There are significant cyber and/or related skills gaps across the security function, the independent risk function, and the audit function.
Q7 Has the effectiveness of cyber controls been independently assessed against the control objective?
A  The effectiveness of cyber security controls has been independently assessed by a party with the competent level of skill and forms part of an established annual process, including senior executive review.
B  The effectiveness of cyber security controls has been independently assessed by a party with the competent level of skill and signed off in the last 18 months, but this is not part of an ongoing process.
C  The effectiveness of cyber security controls has not yet been independently assessed by a party with the competent level of skill, but an assessment is scheduled within the next six months.
D  The effectiveness of cyber security controls has not been independently assessed by a party with the competent level of skill, and there is no plan to do so.
Q8 To what extent is management information (MI), including Key Risk Indicators (KRIs), used to inform decision makers on the residual risk levels against risk appetite for cyber defined risks?
A  Senior executives review cyber MI at least quarterly on a range of cyber security measures, including the performance of the security function as a whole. This MI is used to support the discussion of cyber risk and relevant decision-making.
B  At least one senior executive reviews MI at least quarterly on cyber security measures, including the performance of the security function as a whole. This MI is used to support the discussion of cyber risk and relevant decision-making.
C  Non-executives, such as technology or operational leads, review MI on cyber security measures. This MI is used to support relevant decision-making.
D  MI on cyber security measures is not regularly reviewed.