21RISK - NIS2

1 Introduction

2 Governance and security management

2.1 Does your organization have a dedicated and defined security manager? ^*

Yes, full time position.

Yes, part time position.

No.

2.2 Does your organization have an information security policy? ^*

Yes, and review of the policy is part of ongoing employee awareness training.

Yes, but it’s not fully part of ongoing employee awareness training.

My organization doesn’t have a well defined information security policy.

2.3 Does your organization conduct dedicated security committee meetings? ^*

2.4 Does management review information security program? ^*

Yes.

No.

2.5 Does your organization conduct ongoing risk assessments for its various functions? ^*

Yes, for the whole organization.

Yes, only for selected functions and topics.

No, we don’t conduct risk assessments.

2.6 Does your organization have a well defined risk register? ^*

Yes.

No.

3 Business continuity, disaster recovery and incident response.

3.1 Does your organization have a written business continuity plan? ^*

Yes.

No.

3.2 How many times per year do you conduct business continuity drills? ^*

3.3 Does your organization have an incident response/crisis management playbook? ^*

Yes, and it’s part of ongoing training.

Yes, but it’s not part of ongoing training.

No, my organization doesn’t have such a playbook.

3.4 Is a contacts list for external parties defined? ^*

Yes.

No.

4 Human resources and operational security

4.1 Are employees screened and given security responsibilities? ^*

Yes, fully implemented.

Yes, partial.

No.

4.2 Is an asset inventory list maintained? ^*

Yes, fully implemented and updated.

Yes, partial.

No.

4.3 Is emergency communication backup available? ^*

Yes, and fully tested.

Yes, but not tested.

No.

4.4 Are secure communication systems used? ^*

Yes.

Yes, partial.

No.

5 Vulnerability management, testing and central logging/auditing.

5.1 Does your organization have a vulnerability management program? ^*

Yes, we update software and apply security patches in an ongoing and automated manner.

Yes, we update software and apply security patches via a manual process.

No, my organization doesn’t have such a program.

5.2 Does your organization conduct network and host vulnerability scanning? ^*

Yes, we conduct scanning in an ongoing manner.

Yes, we conduct scanning twice a year.

No, we don’t conduct such scanning.

5.3 Does your organization conduct internal and external penetration tests? ^*

5.4 Does your organization have a public bug bounty program? ^*

Yes, we have a public bug bounty program.

No, we don’t have a public bug bounty program.

5.5 Are vulnerabilities managed centrally? ^*

Yes.

Yes, partial.

No.

NIS2

Details