jfalken / org_security_baseline

A simple spreadsheet to assist in establishing an initial scoped security maturity score (per ISO 27002)


Organizational Security Base

This spreadsheet can be used to quickly perform a self-assessment of the maturity of controls around a particular scoped domain.

After assessing your security controls maturity, you can use this information to help triage what's important to focus on, based on your company's needs.

By 'scoped domain', we refer to scope as defined in an ISMS. For example, you could scope this questionnaire to apply to a particular product's development lifecycle, and then proceed to answer the questions with that scope in mind.

The process of self-assessing should be regular (once a quarter, for example). Any changes in maturity (up or down), should be documented and used to help drive security program control decisions.

Please note: it would be normal to have several of these spreadsheets, each with a different scope. A scope of 'whole company' should be considered too broad and will be difficult to assess accurately.

How to Use

First, download the spreadsheet here, or from the releases section.

Instructions are on the first page of the Excel spreadsheet.

  1. Determine the Scope you want to assess
  2. Review the 'Maturity Metric' tab to make sure you understand how to score
  3. On the 'Questionnaire' tab, review each question and rate your scoped domain. Interviewing subject matter experts while doing this is a good idea.

A Summary of all results / ratings is provided on the 'Summary' tab.
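The steps above (pick a scope, rate each question on the maturity metric, read the per-domain summary, repeat each quarter and record the movement) can be kept outside the spreadsheet as well. The following is an added example, not part of this repository: it stores one scoped assessment per CSV file, produces the per-domain summary, and reports the quarter-over-quarter change. The 0-5 maturity scale, the CSV column layout and the sample questions are assumptions made for the example; the real scale is whatever the 'Maturity Metric' tab defines.

```python
"""Added example (not part of the org_security_baseline repository): a plain-text
stand-in for the questionnaire so scoped assessments can live in CSV files and be
compared quarter over quarter. The 0-5 scale and the questions are assumptions."""
import csv
import io
from collections import defaultdict

# Assumed maturity scale; the spreadsheet's 'Maturity Metric' tab defines the real one.
MATURITY_SCALE = {
    0: "Non-existent",
    1: "Initial / ad hoc",
    2: "Repeatable",
    3: "Defined",
    4: "Managed and measured",
    5: "Optimised",
}

# Constructed sample assessments for one scope ("product-x-sdlc"), two quarters apart.
# Columns: scope, ISO 27002:2013 control domain, question, rating.
Q1_CSV = """scope,domain,question,rating
product-x-sdlc,Access control,Is access to source repositories granted on a least-privilege basis?,2
product-x-sdlc,Access control,Are repository access rights reviewed at a defined interval?,1
product-x-sdlc,Operations security,Are build and deployment changes subject to change management?,3
product-x-sdlc,Operations security,Is build pipeline logging enabled and protected from tampering?,2
product-x-sdlc,Incident management,Is there a documented process for reporting security events in this product?,3
"""

Q2_CSV = """scope,domain,question,rating
product-x-sdlc,Access control,Is access to source repositories granted on a least-privilege basis?,2
product-x-sdlc,Access control,Are repository access rights reviewed at a defined interval?,3
product-x-sdlc,Operations security,Are build and deployment changes subject to change management?,3
product-x-sdlc,Operations security,Is build pipeline logging enabled and protected from tampering?,1
product-x-sdlc,Incident management,Is there a documented process for reporting security events in this product?,3
"""


def load_assessment(text):
    """Parse one assessment CSV into (scope, {domain: [(question, rating), ...]}).

    A file that mixes scopes, or a rating outside the scale, is rejected: both
    would make the summary meaningless rather than merely imprecise."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if not rows:
        raise ValueError("empty assessment")
    scopes = {r["scope"] for r in rows}
    if len(scopes) != 1:
        raise ValueError(f"one assessment must cover exactly one scope, got {sorted(scopes)}")
    by_domain = defaultdict(list)
    for r in rows:
        rating = int(r["rating"])
        if rating not in MATURITY_SCALE:
            raise ValueError(f"rating {rating} is outside the scale for: {r['question']!r}")
        by_domain[r["domain"]].append((r["question"], rating))
    return scopes.pop(), dict(by_domain)


def summarise(by_domain):
    """Per-domain average and the lowest-rated question (the 'Summary' tab equivalent).
    The weakest question is what a triage discussion usually starts from."""
    summary = {}
    for domain, items in by_domain.items():
        average = sum(rating for _, rating in items) / len(items)
        weakest_question, weakest_rating = min(items, key=lambda item: item[1])
        summary[domain] = {
            "average": round(average, 2),
            "weakest": weakest_question,
            "weakest_rating": weakest_rating,
        }
    return summary


def compare(previous, current):
    """Movement per domain between two summaries; positive means maturity went up.
    A domain present in only one assessment maps to None rather than a made-up delta."""
    deltas = {}
    for domain in set(previous) | set(current):
        before = previous.get(domain, {}).get("average")
        after = current.get(domain, {}).get("average")
        deltas[domain] = None if before is None or after is None else round(after - before, 2)
    return deltas


if __name__ == "__main__":
    scope, q1 = load_assessment(Q1_CSV)
    _, q2 = load_assessment(Q2_CSV)
    s1, s2 = summarise(q1), summarise(q2)
    print(f"Scope: {scope}")
    for domain, info in sorted(s2.items()):
        label = MATURITY_SCALE[round(info["average"])]
        print(f"  {domain}: {info['average']} ({label}); weakest: {info['weakest']!r}")
    for domain, delta in sorted(compare(s1, s2).items()):
        print(f"  change in {domain}: {delta:+}")
```

The scope check mirrors the README's advice that each assessment covers one scope: a CSV that mixes 'product X' and 'corporate IT' rows is refused outright instead of producing a blended average that describes neither.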

Completeness

This spreadsheet is in no way exhaustive; it was created by reviewing the security control domains identified in ISO 27002:2013 and developing a very small subset of questions that apply to each domain. Feel free to customize the questions, or add more.

For more details, see BSI Group

ToDos

  • Recreate this document in a non-proprietary spreadsheet format
  • Expand / Update content

Contributing

Please create a PR for suggested changes, complete with an updated Excel spreadsheet. Since the spreadsheet is binary, diffs won't really work, so be verbose about what you changed and why.

License

Copyright 2015 Chris Sandulow

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
