Standard Framework Security Management
Final - Confidential

How to use the tool (STEP / ACTION):
  PREPARATION  1a, 1b, 1c   Before starting to use the tool
  ANALYSIS     2 (2a, 2b)   Perform the self-assessment
  REPORTING    3 (3a, 3b)   Review the assessment results
1. Before starting to use the tool

1a. Make sure that the 'Analysis ToolPak' and 'Analysis ToolPak - VBA' Excel add-ins are installed; the spreadsheet does not function properly without them. Verify this in Excel via the Tools menu, option 'Add-Ins'. An error message appears if this is not done.

1b. The macro security level must be set to 'Medium' or 'Low' so that Excel allows the macros to run. In the Tools menu, the 'Macro' option opens a drop-down; select 'Security' and change the level to 'Medium' or 'Low'. Prefer 'Medium' and restore your previous setting when you are done: at 'Low', Excel runs the macros of any workbook without asking, which removes the protection the macro warning is meant to give.

1c. Close the tool and save the changes. When the tool is started again, the Security Warning about the use of macros appears; click 'Enable Macros' so that the macros of the Assessment Tool work properly.

2. Perform the self-assessment

2a. Fill in the General information sheet. Then fill in the Maturity Assessment for the items in scope (the green sheets, such as Strategy & Policies). Start from the Assessment summary sheet and click on the item to be assessed to navigate to its detailed Maturity Assessment sheet.

2b. Advice on the assessment components. Every control is scored on an operational maturity level of 0 to 5 or 'not applicable':
- The CMM statements are split into single sentences.
- Every control has 'Points to consider' which provide guidance for the scoring. These points to consider can be found in a separate document.
- The user indicates to what degree he or she agrees with each statement about the specific control, using the six-point scale (0 to 5) described below.


The maturity levels are:

0 - Non-existent: No documentation. There is no awareness of or attention to the control.
1 - Initial/ad hoc: The control is (partly) defined, but performed in an inconsistent way. The way of execution depends on individuals.
2 - Repeatable but intuitive: The control is in place and executed in a structured and consistent, but informal way.
3 - Defined: The control is documented and executed in a structured and formalized way. Execution of the control can be proved.
4 - Managed and measurable: The effectiveness of the control is periodically assessed and improved when necessary. This assessment is documented.
5 - Optimised: An enterprise-wide risk and control programme provides continuous and effective control and resolution of risk issues.
Not applicable: The control is not applicable to this organisation.

When a compensating control exists for a specific control, apply the score of the compensating control to that control and put a remark in the comments field.

3. Review the assessment results

3a. Review the General information sheet and the Assessment summary sheet, where the results of the maturity assessments are summarised.

3b. Review the graphic representations on the Graphical overview sheet (the Current Operational Maturity Charts). The different graphs give an overview of the scores per domain and at control level, plus the spread of the scores per domain.
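As an added example (it is not part of the tool and not the workbook's own macro code), the following Python sketch shows how the figures on the Assessment summary and Graphical overview sheets can be derived from scored controls: the per-domain average that leaves 'not applicable' controls out instead of counting them as 0, the spread buckets used on the 'Spread of operational maturity level' chart, the comparison against a minimum required level, and the compensating-control rule from the scoring advice. The control scores, the minimum required levels and the treatment of level 5 (folded into the 'ML = 4' bucket, because the chart legend has no bucket for 5) are assumptions.

```python
from statistics import mean

# Constructed sample scores (an assumption, not data from the tool):
# (domain, control reference and name, operational maturity level 0-5, or None for 'not applicable')
SCORES = [
    ("Strategy & Policies", "1.1 Information security plan", 3),
    ("Strategy & Policies", "1.2 IT policies management", 2),
    ("Strategy & Policies", "2.1 Enterprise information architecture model", None),
    ("Strategy & Policies", "2.2 Data classification scheme", 1),
    ("Organization", "5.1 Responsibility for risk, security and compliance", 4),
    ("Organization", "5.2 Management of information security", 3),
    ("Organization", "6.1 Data and system ownership", 2),
    ("Organization", "7.1 Segregation of duties", 1),
]

# Assumed minimum required level per domain; the tool's own thresholds are not on the page.
MINIMUM_REQUIRED = {"Strategy & Policies": 3, "Organization": 3}

SPREAD_BUCKETS = ("ML = 4", "ML = 3", "ML = 2", "ML <= 1")


def assessed_levels(scores, domain):
    """Levels of the domain's controls that were actually scored; 'not applicable' is left out."""
    return [level for dom, _, level in scores if dom == domain and level is not None]


def domain_average(scores, domain):
    """Average operational maturity level of a domain, one decimal as on the summary sheet.
    Returns None when every control in the domain is 'not applicable'."""
    levels = assessed_levels(scores, domain)
    return round(mean(levels), 1) if levels else None


def bucket(level):
    """Map a level to the legend of the 'Spread of operational maturity level' chart.
    Assumption: level 5 is counted with 4, since the legend has no separate bucket for 5."""
    if level >= 4:
        return "ML = 4"
    if level == 3:
        return "ML = 3"
    if level == 2:
        return "ML = 2"
    return "ML <= 1"


def spread(scores, domain):
    """Whole-number percentage of assessed controls per bucket for one domain."""
    levels = assessed_levels(scores, domain)
    counts = {name: 0 for name in SPREAD_BUCKETS}
    for level in levels:
        counts[bucket(level)] += 1
    if not levels:
        return counts
    return {name: round(100 * n / len(levels)) for name, n in counts.items()}


def below_minimum(scores, minimums):
    """Controls scored under their domain's minimum required level: the gap the per-domain charts show."""
    return [
        (dom, control, level)
        for dom, control, level in scores
        if level is not None and dom in minimums and level < minimums[dom]
    ]


def apply_compensating_control(scores, control, compensating_control):
    """Scoring rule from the tool: a control covered by a compensating control takes that control's
    score, and the substitution is recorded as a comment. Returns (updated score list, comment)."""
    by_name = {name: level for _, name, level in scores}
    new_level = by_name[compensating_control]
    updated = [
        (dom, name, new_level if name == control else level) for dom, name, level in scores
    ]
    comment = f"Score taken from compensating control '{compensating_control}'."
    return updated, comment


if __name__ == "__main__":
    for domain in ("Strategy & Policies", "Organization"):
        print(domain, domain_average(SCORES, domain), spread(SCORES, domain))
    for dom, control, level in below_minimum(SCORES, MINIMUM_REQUIRED):
        print(f"below minimum: {dom} / {control}: {level} < {MINIMUM_REQUIRED[dom]}")
```

Excluding 'not applicable' from both the average and the spread denominator matters: counting it as 0 would drag a domain below its minimum for controls the organisation has no reason to operate, while dropping it from the spread keeps the bucket percentages summing to 100 over the controls that were actually judged.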


General information sheet

GENERAL INFORMATION

Identification
  Company name: <name>
  Industry: <Bank, Insurer, Pension fund>
  Date of finalizing assessment: dd-mm-yyyy
  Assessment approved by: <name>
  Assessment filled in by: <name>
  Function: <function>

Numbers (key figures)
  - Budget of the Information Security Department in the previous year: 0 (in K Euro)
  - % of audit capacity in the previous year spent on IT audit compared to total audit capacity: 0%
  - Average period in months for outstanding positions in the Information Security Department: 0 months
  - Total number of FTEs in the Information Security Department and number of vacant positions in the Information Security Department: total 0 / vacant positions 0
  - % of production systems patched for critical vulnerabilities within 2, 5, 30 and 60 days after patch availability: < 2 days 0% | < 5 days 0% | < 30 days | < 60 days
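The last key figure, the share of production systems patched for critical vulnerabilities within 2, 5, 30 and 60 days of patch availability, is the one number on this sheet that is normally derived from operational data rather than typed in. The following Python example (added here; not the tool's own code) computes those cumulative percentages from a per-system patch log and also lists the systems that have exceeded the widest window, which is the figure a reviewer will ask about. The log records, hostnames, the reporting date and the reading of '< N days' as strictly fewer than N days are assumptions.

```python
from datetime import date

WINDOWS_DAYS = (2, 5, 30, 60)

# Constructed patch log (assumption): system, date the critical patch became available,
# date it was applied in production, or None if still unpatched at the reporting date.
PATCH_LOG = [
    ("core-banking-01", date(2013, 3, 1), date(2013, 3, 2)),
    ("core-banking-02", date(2013, 3, 1), date(2013, 3, 5)),
    ("web-frontend-01", date(2013, 3, 1), date(2013, 3, 20)),
    ("web-frontend-02", date(2013, 3, 1), date(2013, 4, 25)),
    ("legacy-batch-01", date(2013, 3, 1), None),
]

REPORT_DATE = date(2013, 5, 1)  # assumed reporting date


def days_to_patch(available, patched):
    """Elapsed days between patch availability and application; None while the system is unpatched."""
    if patched is None:
        return None
    return (patched - available).days


def patch_compliance(log, windows=WINDOWS_DAYS):
    """Cumulative percentage of production systems patched within each window ('< N days').
    Unpatched systems stay in the denominator; dropping them would make the figure improve
    precisely for the systems that are the problem."""
    total = len(log)
    elapsed = [days_to_patch(available, patched) for _, available, patched in log]
    result = {}
    for window in windows:
        within = sum(1 for days in elapsed if days is not None and days < window)
        result[f"< {window} days"] = round(100 * within / total) if total else 0
    return result


def overdue(log, report_date, max_days=WINDOWS_DAYS[-1]):
    """Systems still unpatched beyond the widest window, with the age of the exposure at the report date."""
    return [
        (system, (report_date - available).days)
        for system, available, patched in log
        if patched is None and (report_date - available).days >= max_days
    ]


if __name__ == "__main__":
    print(patch_compliance(PATCH_LOG))
    print(overdue(PATCH_LOG, REPORT_DATE))
```

The windows are cumulative by construction (a system patched on day 1 counts in all four), so the four percentages must be non-decreasing; a sheet where '< 5 days' is lower than '< 2 days' has been filled in from something other than a consistent log.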

Assessment summary sheet

Maturity Assessment Overview

Click on a domain name to navigate to its detailed Maturity Assessment sheet.

Domains, standards and control measures:

Strategy & Policies: Provide management direction and support for information security in accordance with business requirements, risks and relevant laws and regulations.
  1   Define an information security plan
  1.1 Information security plan
  1.2 IT policies management
  2   Define the information architecture
  2.1 Enterprise information architecture model
  2.2 Data classification scheme
  3   Determine technological direction
  3.1 Monitor future trends and regulations
  3.2 Technology standards
  4   Assess and manage (IT) risks
  4.1 IT risk management framework
  4.2 Risk assessment
  4.3 Maintenance and monitoring of a risk action plan

Organization: Manage information security within the organization through an embedded structure and set of roles and responsibilities.
  5   Information security organization
  5.1 Responsibility for risk, security and compliance
  5.2 Management of information security
  6   Data and system ownership
  6.1 Data and system ownership
  7   Manage segregation of duties
  7.1 Segregation of duties

People: Ensure that all employees, contractors and third-party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
  8   Manage IT human resources
  8.1 Personnel recruitment and retention
  8.2 Personnel competences
  8.3 Dependence upon individuals
  8.4 Personnel clearance procedures
  8.5 Job change and termination
  9   Ensure operations and use
  9.1 Knowledge transfer to end users
  9.2 Knowledge transfer to operations and support staff

Processes: Ensure that system and infrastructure development, maintenance and access are performed in a secure way and comply with the information policies, standards and procedures, and laws and regulations. Information security weaknesses and business interruptions should be counteracted adequately, avoiding unintended negative business exposure.
  10   Change Management
  10.1 Change standards and procedures
  10.2 Impact assessment, prioritisation and authorisation
  10.3 Test environment
  10.4 Testing of changes
  10.5 Promotion to production
  11   Continuity Management
  11.1 IT continuity plans
  11.2 Testing of the IT continuity plan
  11.3 Offsite backup storage
  11.4 Backup and restoration
  12   Manage data
  12.1 Storage and retention arrangements
  12.2 Disposal
  12.3 Security requirements for data management
  13   Configuration Management
  13.1 Configuration repository and baseline
  13.2 Identification and maintenance of configuration items
  14   Manage third party and supplier services
  14.1 Monitoring and reporting of SLAs
  14.2 Supplier risk management
  15   Incident Management
  15.1 Security incident definition
  15.2 Incident escalation
  16   Monitoring
  16.1 Security testing, surveillance and monitoring
  16.2 Monitoring of internal control framework
  16.3 Internal control of third parties
  16.4 Evaluation of compliance with external requirements
  16.5 Independent assurance
  17   User account management
  17.1 Identity management
  17.2 User account management

Technology: Ensure the protection of information in networks, the protection of the supporting infrastructure
  18   Secure infrastructure
  18.1 Infrastructure resource protection and availability
  18.2 Infrastructure maintenance
  18.3 Cryptographic key management
  18.4 Network security
  18.5 Exchange of sensitive data
  19   Manage malware attacks
  19.1 Malicious software prevention, detection and correction
  20   Protect infrastructure components
  20.1 Protection of security technology

Facilities: Prevent loss, damage, theft or compromise of the organization's premises and information and interruption
  21   Physical security
  21.1 Physical security measures
  21.2 Physical access
Maturity Assessment Results (columns: Assessment status, Current operational maturity level): in this copy of the tool every control listed above shows assessment status 'Open' and a current operational maturity level of 5.0, so the result columns carry no assessment information yet.

Graphical overview sheet (charts only; no data values are recoverable from the page):

- 'Security Management - Spread of operational maturity level': stacked 0-100% bars per domain (Strategy & Policies, Organization, People, Processes, Technology, Facilities) with the series '% controls ML = 4', '% controls ML = 3', '% controls ML = 2' and '% controls ML <= 1'.
- One bar chart per domain (Strategy & Policies, Organization, People, Processes, Technology, Facilities), one bar per control, y-axis 0.0 to 4.0, with the series 'Current level' and 'Minimum required level'.

Maturity Assessment sheet: Strategy & Policies (code SP)

Domain objective: Provide management direction and support for information security in accordance with business requirements, risks and relevant laws and regulations.

Layout: Ref. | Standard / Control measure | Used sources (CobiT 4.1, CobiT 5.0, ISO 27002) | Operational maturity level: Not applicable, 0 - Non-existent, 1 - Initial/ad hoc, 2 - Repeatable but intuitive, 3 - Defined, 4 - Managed and measurable, 5 - Optimised | Assessment status | Comments
Instructions: An 'x' is used to indicate which level is applicable. Avoid two x's in one row. The resulting operational maturity level is shown in the sheet header (empty in this copy). All controls below have assessment status 'Open'. Where the flattened layout of the source does not show which control a CobiT 5.0 or ISO 27002 reference belongs to, the references are given at process level.

1 Define an information security plan: Provide direction and support for information security in accordance with business, risk and compliance requirements, with involvement of Business and IT so that priorities can be mutually agreed.

  1.1 Information security plan: Business, risk and compliance requirements are translated into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. The plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.
      CobiT 4.1: DS5.2 | CobiT 5.0: APO13.02 Define and manage an information security risk treatment plan | ISO 27002: 5.1.1, 5.1.2, 6.1.2, 6.1.5, 8.2.2, 11.1.1, 11.7.1, 11.7.2

  1.2 IT policies management: Develop and maintain a set of policies to support the information security strategy. These policies should include policy intent; roles and responsibilities; exception process; compliance approach; and references to procedures, standards and guidelines for development, acquisition, maintenance and support. Their relevance should be confirmed and approved regularly.
      CobiT 4.1: PO6.3 | CobiT 5.0: APO01.03 Maintain the enablers of the management system; APO01.08 Maintain compliance with policies and procedures | ISO 27002: 5.1.1, 5.1.2, 6.1.1, 8.1.1

2 Define the information architecture: Ensure reliable and secured information to support business processes and to seamlessly integrate applications into business processes.

  2.1 Enterprise information architecture model: Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT plans. The model should facilitate the optimal creation, use and sharing of information by the business in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure.
      CobiT 4.1: PO2.1 | CobiT 5.0: APO03.02 Define reference architecture | ISO 27002: None

  2.2 Data classification scheme: Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.
      CobiT 4.1: PO2.3 | CobiT 5.0: APO03.02 Define reference architecture | ISO 27002: 7.2.1, 10.7.1, 10.8.1, 10.8.2, 11.1.1

3 Determine technological direction: Provide stable, effective and secure technological solutions enterprise-wide to enable timely response to business requirements and to changes in laws and regulations, industry and technology developments.
  References for process 3 (not attributable to 3.1 or 3.2 from the source layout): CobiT 5.0: EDM01.01 Enterprise governance guiding principles; APO03.05 Provide enterprise architecture services; APO04.03 Monitor and scan the technology environment | ISO 27002: 6.1.1, 10.3.2, 10.8.2, 11.7.2

  3.1 Monitor future trends and regulations: A process is established to monitor the business sector, industry, technology, infrastructure, legal and regulatory environment trends. The consequences of these trends are incorporated into the development of the IT technology infrastructure plan.
      CobiT 4.1: PO3.3

  3.2 Technology standards: Consistent, effective and secure technological solutions are provided enterprise-wide; a technology forum is established to provide technology guidelines, advice on infrastructure products and guidance on the selection of technology, and compliance with these standards and guidelines is measured. This forum directs technology standards and practices based on their business relevance, risks and compliance with external requirements.
      CobiT 4.1: PO3.4

4 Assess and manage (IT) risks: Ensure that information security risks are discovered, prioritized and accepted in a timely and structured manner, aligned with the enterprise's appetite for IT risk and the organisation's risk management framework.

  4.1 IT risk management framework: An IT risk management framework is established and aligned to the organisation's (enterprise) risk management framework.
      CobiT 4.1: PO9.1 | CobiT 5.0: EDM03.02 Direct risk management; APO01.03 Maintain the enablers of the management system | ISO 27002: 5.1.1, 6.2.2, 7.1.3, 8.2.2, 8.3.2, 9.1.5, 9.2.7, 10.7.3, 10.8.1, 10.9.3, 11.1.1, 11.3.1, 11.3.2, 11.3.3, 11.7.1, 11.7.2, 12.3.1, 14.1.1, 14.1.2, 15.1.5, 15.2.1

  4.2 Risk assessment: The likelihood and impact of all identified risks are assessed on a recurrent basis, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk are determined individually, by category and on a portfolio basis.
      CobiT 4.1: PO9.4 | CobiT 5.0: APO12.02 Analyse risk; APO12.04 Articulate risk | ISO 27002: 4.1, 5.1.2, 14.1.2

  4.3 Maintenance and monitoring of a risk action plan: The control activities are prioritised and planned at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Approval is obtained for recommended actions and acceptance of any residual risks, and it is ensured that committed actions are owned by the affected process owner(s). Execution of the plans is monitored, and any deviations are reported to senior management.
      CobiT 4.1: PO9.6 | CobiT 5.0: APO12.04 Articulate risk; APO12.05 Define a risk management action portfolio | ISO 27002: None

Maturity Assessment sheet: Organization

Domain objective: Manage information security within the organization through an embedded structure and set of roles and responsibilities.

Layout and instructions: as on the Strategy & Policies sheet (Ref. | Standard / Control measure | CobiT 4.1 | CobiT 5.0 | ISO 27002 | Operational maturity level, Not applicable or 0 - Non-existent to 5 - Optimised, marked with one 'x' per row | Assessment status | Comments). All controls below have assessment status 'Open'.

5 Information security organization: Information security is managed at the highest appropriate organizational level, so that the management of security actions is in line with business, risk and compliance requirements.

  5.1 Responsibility for risk, security and compliance: Ownership and responsibility for IT-related risks are embedded within the business at an appropriate senior level. Roles critical for managing IT risks are defined and assigned, including the specific responsibility for information security, physical security and compliance. Risk and security management responsibility is established at the enterprise level to deal with organisation-wide issues. Additional security management responsibilities may be assigned at a system-specific level to deal with related security issues. Direction on the appetite for IT risk and approval of any residual IT risks are obtained from senior management.
      CobiT 4.1: PO4.8 | CobiT 5.0: N/A | ISO 27002: 6.1.1, 6.1.2, 6.1.3, 8.1.1, 8.2.1, 8.2.3, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.6, 15.2.1

  5.2 Management of information security: Information security is managed at the highest appropriate organisational level, so that the management of security actions is in line with business requirements.
      CobiT 4.1: DS5.1 | CobiT 5.0: APO13.01 Establish and maintain an ISMS; APO13.03 Monitor and review the ISMS | ISO 27002: 6.1.1, 6.1.2, 6.2.3, 8.2.2

6 Data and system ownership: Data and system ownership is established to provide accountability and to ensure that data integrity, confidentiality and availability are in line with business and compliance requirements.

  6.1 Data and system ownership: The business is provided with procedures and tools enabling it to address its responsibilities for ownership of data and information systems. Owners make decisions about classifying information and systems and protect them in line with this classification.
      CobiT 4.1: PO4.9 | CobiT 5.0: APO01.06 Define information (data) and system ownership | ISO 27002: 6.1.3, 6.1.4, 7.1.2, 9.2.5

7 Manage segregation of duties: A division of roles and responsibilities is implemented that reduces the possibility for a single individual to compromise a critical process.

  7.1 Segregation of duties: A division of roles and responsibilities is implemented that reduces the possibility for a single individual to compromise a critical process. Personnel perform only authorised duties relevant to their respective jobs and positions.
      CobiT 4.1: PO4.11 | CobiT 5.0: APO01.02 Establish roles and responsibilities | ISO 27002: 8.2.1, 10.1.3, 10.1.4

Maturity Assessment sheet: People (code PE)

Domain objective: Ensure that all employees, contractors and third-party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

Layout and instructions: as on the Strategy & Policies sheet (Ref. | Standard / Control measure | CobiT 4.1 | CobiT 5.0 | ISO 27002 | Operational maturity level, Not applicable or 0 - Non-existent to 5 - Optimised, marked with one 'x' per row | Assessment status | Comments). All controls below have assessment status 'Open'.

8 Manage IT human resources: Ensure that functions are staffed properly with reliable people who possess the necessary skills to fulfil their role, to reduce the risk of human error.

  8.1 Personnel recruitment and retention: IT personnel recruitment processes are maintained in line with the overall organisation's personnel policies and procedures (e.g., hiring, positive work environment, orienting). Processes are implemented to ensure that the organisation has an appropriately deployed IT workforce with the skills necessary to achieve organisational goals.
      CobiT 4.1: PO7.1 | CobiT 5.0: APO07.01 Maintain adequate and appropriate staffing; APO07.05 Plan and track the usage of IT and business human resources | ISO 27002: 8.1.1, 8.1.2, 8.1.3

  8.2 Personnel competencies: It is regularly verified that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience. Core IT competency requirements are defined, and it is verified that they are being maintained, using qualification and certification programmes where appropriate.
      CobiT 4.1: PO7.2 | CobiT 5.0: APO07.03 Maintain the skills and competencies of personnel | ISO 27002: 8.2.2

  8.3 Dependence upon individuals: Exposure to critical dependency on key individuals is minimized through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
      CobiT 4.1: PO7.5 | CobiT 5.0: APO07.02 Identify key IT personnel | ISO 27002: None

  8.4 Personnel clearance procedures: Background checks are included in the IT recruitment process. The extent and frequency of periodic reviews of these checks depend on the sensitivity and/or criticality of the function, and they are applied to employees, contractors and vendors.
      CobiT 4.1: PO7.6 | CobiT 5.0: APO07.01 Maintain adequate and appropriate staffing; APO07.06 Manage contract staff | ISO 27002: 8.1.2

  8.5 Job change and termination: Expedient actions are taken regarding job changes, especially job terminations. Knowledge transfer is arranged, responsibilities are reassigned and access rights are removed such that risks are minimised and continuity of the function is guaranteed.
      CobiT 4.1: PO7.8 | CobiT 5.0: APO07.01 Maintain adequate and appropriate staffing | ISO 27002: 8.2.3, 8.3.1, 8.3.2, 8.3.3

9 Ensure operations and use: Ensure that people have the knowledge and skills to allow effective and efficient operation of new or adjusted technology / application functions, in line with the security policies and procedures.

  9.1 Knowledge transfer to end users: Knowledge and skills are transferred to allow end users to effectively and efficiently use the system in support of business processes.
      CobiT 4.1: AI4.3 | CobiT 5.0: BAI08.01 Nurture and facilitate a knowledge-sharing culture; BAI08.02 Identify and classify sources of information; BAI08.03 Organise and contextualise information into knowledge; BAI08.04 Use and share knowledge | ISO 27002: 8.2.2

  9.2 Knowledge transfer to operations and support staff: Knowledge and skills are transferred to enable operations and technical support staff to effectively and efficiently deliver, support and maintain the system and associated infrastructure.
      CobiT 4.1: AI4.4 | CobiT 5.0: BAI08.01 Nurture and facilitate a knowledge-sharing culture; BAI08.02 Identify and classify sources of information; BAI08.03 Organise and contextualise information into knowledge; BAI08.04 Use and share knowledge | ISO 27002: 8.2.2, 10.1.1, 10.3.2, 10.7.4, 13.2.2

Processes

10

Standard / Control measure

PR

Cobit 5.0

ISO
27002

Change Management: Ensure that all changes, including patches, support enterprise objectives and are carried out in a
secure manner. Ensure that day-to-day business processes are not impacted.
Change standards and procedures: Formal change management AI6.1
procedures has been set up to handle in a standardised manner all
requests (including maintenance and patches) for changes to
applications, procedures, processes, system and service parameters,
and the underlying platforms.

BAI06.01 Evaluate, prioritise and 10.1.2


authorise change requests.
12.5.3

No.

Instructions: An 'x' is used to indicate which level is applicable. Please,


avoid two x in one row.

Comments

10

BAI06.02 Manage emergency


changes.
5

10.1

BAI06.04 Close and document


the changes.
Open
AI6.2

10.2

Impact assessment, prioritisation and authorisation: All


requests for change in a structured way are assessed to determine
the impact on the operational system and its functionality. All
changes are categorised, prioritised and authorised.

AI7.4

10.3

Test environment: A secure test environment is defined and


established representative of the planned operations environment
relative to security, internal controls, operational practices, data
quality and privacy requirements, and workloads.

Testing of changes: Changes are tested independently in


accordance with the defined test plan prior to migration to the
operational environment. It is ensured that the plan considers
security and performance.

AI7.6

BAI06.01 Evaluate, prioritise and 10.1.2


authorise
12.5.3
change requests.
12.6.1

10.2

Open
BAI07.04 Establish a test
environment.

10.1.4
12.4.3
12.5.2

10.3

Open
BAI07.05 Perform acceptance
tests.

6.1.4
12.4.3
12.5.2

10.4

10.4

Open

10.5

Promotion to production: The following procedure is being


AI7.8
following: Following testing, the handover of the changed system to
operations is controlled, keeping it in line with the implementation
plan. Approval is obtained of the key stakeholders, such as users,
system owner and operational management. Where appropriate, the
system is run in parallel with the old system for a while, and the
behaviour and results are compared.

BAI07.06 Promote to production None


and
manage releases.

10.5

Open
11

11.1

Continuity Management: Counteract interruptions to business activities and to protect critical business processes from the
effects of major failures of information systems or disasters and to ensure their timely resumption.
IT Continuity plans: IT continuity plans are developed based on
the framework and designed to reduce the impact of a major
disruption on key business functions and processes. The plans are
based on risk understanding of potential business impacts and
address requirements for resilience, alternative processing and
recovery capability of all critical IT services. The plans also cover
usage guidelines, roles and responsibilities, procedures,
communication processes, and the testing approach.

DS4.2

DSS04.03 Develop and


implement a
business continuity response.

6.1.6
6.1.7
14.1.1
14.1.2
14.1.3

11
x

11.1

Open

11.2

Testing of the IT Continuity plan: The IT continuity plan is tested DS4.5


on a regular basis to ensure that IT systems can be effectively
recovered, shortcomings are addressed and the plan remains
relevant. This requires careful preparation, documentation, reporting
of test results and, according to the results, implementation of an
action plan. The extent of testing recovery of single applications to
integrated testing scenarios to end-to-end testing and integrated
vendor testing is considered.

DSS04.04 Exercise, test and


review the BCP.

14.1.5

11.2

Open

272398322.xlsx

Used sources

Assessment
status

Operational maturity level is .

BAI06.03 Track and report


change status.

10.1

Processes

Ref.

Operational
maturity level

Not applicable

5 - Optimised

4 - Managed and
measurable

0 - Non-existent

CobiT
4.1

3 - Defined

Back to Assessment Overview

Ensure that system and infrastructure development, maintenance


and access is performed in a secured way and comply to the
information policies, standards and procedures, and laws and
regulations. Information security weaknesses and business
interruptions should be counteract adequately avoiding unintended
negative business exposure.

No

Final

Open

Processes

2 - Repeatable but
intuitive

PR

1 - Ad hoc, initial

Domain

Confidential

Processes

11.3

11.4

Confidential

11.3 Offsite backup storage: All critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans are stored offsite. The content of backup storage is determined in collaboration between business process owners and IT personnel. Management of the offsite storage facility responds to the data classification policy and the enterprise's media storage practices. IT management ensures that offsite arrangements are periodically assessed, at least annually, for content, environmental protection and security. Compatibility of hardware and software to restore archived data is ensured, and archived data is periodically tested and refreshed.
CobiT 4.1: DS4.9 | Cobit 5.0: DSS04.07 Manage backup arrangements | ISO 27002: 10.5.1 | Assessment status: Open (marked x)

11.4 Backup and restoration: Procedures are defined and implemented for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.
CobiT 4.1: DS11.5 | Cobit 5.0: DSS04.08 Conduct post-resumption review | Assessment status: Open

12 Manage data: Maintain the completeness, accuracy, availability and protection of data.

12.1 Storage and retention arrangements: Procedures are defined and implemented for effective and efficient data storage, retention and archiving to meet business objectives, the organisation's security policy and regulatory requirements.
CobiT 4.1: DS11.2 | Cobit 5.0: DSS04.08 Conduct post-resumption review; DSS06.04 Manage errors and exceptions | ISO 27002: 10.5.1, 10.7.1, 15.1.3 | Assessment status: Open

12.2 Disposal: Procedures are defined and implemented to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed of or transferred.
CobiT 4.1: DS11.4 | Cobit 5.0: DSS05.06 Manage sensitive documents and output devices; DSS06.05 Ensure traceability of information events and accountabilities; DSS06.06 Secure information assets | ISO 27002: 9.2.6, 10.7.1, 10.7.2 | Assessment status: Open

12.3 Security requirements for data management: Policies and procedures are defined and implemented to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation's security policy and regulatory requirements.
CobiT 4.1: DS11.6 | Cobit 5.0: DSS01.01 Perform operational procedures; DSS05.02 Manage network and connectivity security; DSS05.03 Manage endpoint security; DSS05.04 Manage user identity and logical access; DSS05.05 Manage physical access to IT assets; DSS06.03 Manage roles, responsibilities, access privileges and levels of authority | ISO 27002: 10.8.3, 10.5.1, 10.7.3, 10.8.4, 10.8.5, 12.2.1, 12.2.2, 12.4.2, 12.4.3

13 Configuration Management: Ensure that all configuration items are appropriately secured and risks minimised by ensuring the enterprise's awareness of its IT-related assets and licenses.

13.1 Configuration repository and baseline: A supporting tool and a central repository are established to contain all relevant information on configuration items. All assets and changes to assets are monitored and recorded. A baseline of configuration items for every system and service is maintained as a checkpoint to which to return after changes.
CobiT 4.1: DS9.1

Cobit 5.0: BAI10.01-02 Establish and maintain a configuration model; Establish and maintain a configuration repository and baseline; BAI10.04 Produce status and configuration reports; DSS06.06 Secure information assets | ISO 27002: 7.2.2, 12.4.1, 12.4.2 | Assessment status: Open (marked x)

13.2 Identification and Maintenance of Configuration Items: Configuration procedures to support management and logging of all changes to the configuration repository are established. These procedures are integrated with change management, incident management and problem management procedures.
CobiT 4.1: DS9.2 | Cobit 5.0: BAI10.03 Maintain and control configuration items; DSS02.01 Define incident and service request classification schemes | ISO 27002: 7.1.1, 7.1.2, 10.7.4, 11.4.3, 12.4.2, 12.5.3, 12.6.1, 15.1.5 | Assessment status: Open
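The baseline that 13.1 (DS9.1) asks for is only useful if something compares the live configuration against it and surfaces changes that bypassed the logging 13.2 requires. The following is an added example, not code from the assessment tool or from COBIT: it records SHA-256 digests of the files under a configuration directory as the approved checkpoint and reports items added, removed or changed since. The directory layout, file names and contents in demo() are constructed in a temporary directory for the illustration.

```python
"""Configuration baseline checkpoint and drift report (added example).

Not part of the assessment tool. Models the DS9.1 baseline for a directory
of configuration files; the sample files in demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    items = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        items[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return items


def save_baseline(root, baseline_file):
    """Store the current snapshot as the approved baseline (JSON, sorted keys)."""
    Path(baseline_file).write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def drift(root, baseline_file):
    """Compare the live state against the stored baseline.

    Returns a dict with 'added', 'removed' and 'changed' item lists; all
    three empty means the configuration still matches its checkpoint.
    """
    baseline = json.loads(Path(baseline_file).read_text())
    current = snapshot(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in current.keys() & baseline.keys() if current[k] != baseline[k]),
    }


def demo():
    """Constructed scenario: take a baseline, then make an unlogged change and drop in a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "etc"
        (cfg / "ssh").mkdir(parents=True)
        (cfg / "ssh" / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (cfg / "sysctl.conf").write_text("net.ipv4.ip_forward = 0\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(cfg, baseline_file)

        # Change made outside change management: root login re-enabled, extra key file appears.
        (cfg / "ssh" / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (cfg / "ssh" / "authorized_keys").write_text("ssh-ed25519 AAAA... ops@example\n")
        return drift(cfg, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run periodically (or from the change-management pipeline) and treat any non-empty list as an incident to reconcile against the change log; an item that changed without a matching change record is exactly the gap 13.2 is meant to close.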
14 Manage third party and supplier services: Ensure that third party (suppliers, vendors and partners) services meet business requirements and that related business and IT risks associated with continuity and security are minimised.

14.1 Monitoring and reporting of Service Level Achievements: Specified service level performance criteria are continuously monitored. Reports on achievement of service levels are provided in a format that is meaningful to the stakeholders. The monitoring statistics are analysed and acted upon to identify negative and positive trends for individual services as well as for services overall.
CobiT 4.1: DS1.5 | Cobit 5.0: APO09.04 Monitor and report service levels | ISO 27002: 6.2.3, 10.2.1, 10.2.2, 10.2.3, 10.4.2, 12.5.5 | Assessment status: Open

14.2 Supplier risk management: Risks relating to suppliers' ability to continue effective service delivery in a secure and efficient manner on a continual basis are identified and mitigated. Contracts conform to universal business standards in accordance with legal and regulatory requirements. Risk management considers non-disclosure agreements (NDAs), escrow contracts, continued supplier viability, conformance with security requirements, alternative suppliers, penalties and rewards, etc.
CobiT 4.1: DS2.3 | Cobit 5.0: APO10.04 Manage supplier risk | ISO 27002: 6.2.1, 6.2.3, 8.1.2, 8.1.3, 10.2.3, 10.8.2 | Assessment status: Open
15 Incident Management: Ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

15.1 Security Incident Definition: The characteristics of potential security incidents are defined and communicated so they are properly classified and treated by the incident and problem management process.
CobiT 4.1: DS5.6 | Cobit 5.0: DSS02.01 Define incident and service request classification schemes | ISO 27002: 8.2.3, 13.1.1, 13.1.2, 13.2.1, 13.2.3 | Assessment status: Open (marked x)

15.2 Incident escalation: Service desk procedures are established so that incidents that cannot be resolved immediately are appropriately escalated according to limits defined in the SLA and, if appropriate, workarounds are provided. Incident ownership and life cycle monitoring remain with the service desk for user-based incidents, regardless of which IT group is working on resolution activities.
CobiT 4.1: DS8.3 | Cobit 5.0: DSS02.04 Investigate, diagnose and allocate incidents | ISO 27002: 13.1.2, 13.2.3, 14.1.1, 14.1.4 | Assessment status: Open

16 Monitoring: Avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. Ensure compliance of systems with, and people's adherence to, organisational information security related policies, standards and procedures.

16.1 Security testing, surveillance and monitoring: The IT security implementation is tested and monitored in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise information security baseline is maintained. A logging and monitoring function enables the early prevention and/or detection, and subsequent timely reporting, of unusual and/or abnormal activities that may need to be addressed.
CobiT 4.1: DS5.5
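The "logging and monitoring function" in 16.1 is assessed on whether it actually detects and reports abnormal activity, so an assessor will want to see detection logic, not just a log retention setting. As an added example (not code from the tool or from COBIT), the block below runs three small detections over sshd-style authentication lines: a burst of failed logins from one source address, a successful login that follows such a burst, and a successful login outside business hours. The log lines, host names and addresses are constructed; the thresholds (5 failures within 60 seconds, business hours 07:00 to 18:59) are assumptions chosen for the demonstration.

```python
"""Flag unusual authentication activity in sshd-style log lines (added example).

Not part of the assessment tool. Sample lines and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)
FAIL_THRESHOLD = 5             # failures from one address ...
WINDOW_SECONDS = 60            # ... within this many seconds count as a burst
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59; anything else is off-hours


def parse(line):
    """Return the fields of an auth line, or None for lines that are not scored."""
    match = LINE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def _prune(times, now):
    """Drop failure timestamps that fell out of the detection window."""
    while times and (now - times[0]).total_seconds() > WINDOW_SECONDS:
        times.popleft()


def detect(lines):
    """Run the detections over an iterable of log lines and return alert strings."""
    alerts = []
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        recent = failures[event["ip"]]
        _prune(recent, event["ts"])
        if event["result"] == "Failed":
            recent.append(event["ts"])
            if len(recent) == FAIL_THRESHOLD:  # fire once, when the threshold is reached
                alerts.append(f"brute-force: {FAIL_THRESHOLD} failures from {event['ip']} within {WINDOW_SECONDS}s")
            continue
        # Accepted login: suspicious if it follows a burst or falls outside business hours.
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(f"success after burst: {event['user']} from {event['ip']} at {event['ts'].isoformat()}")
        if event["ts"].hour not in BUSINESS_HOURS:
            alerts.append(f"off-hours login: {event['user']} from {event['ip']} at {event['ts'].isoformat()}")
    return alerts


# Constructed sample log (not taken from the page): a password-guessing burst that
# ends in a successful root login, then a key-based login late at night.
SAMPLE_LOG = """\
2024-03-04T09:15:01 web01 sshd[2201]: Accepted publickey for alice from 10.0.1.20 port 51234 ssh2
2024-03-04T09:15:30 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
2024-03-04T09:15:33 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
2024-03-04T09:15:36 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 40003 ssh2
2024-03-04T09:15:39 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 40004 ssh2
2024-03-04T09:15:42 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 40005 ssh2
2024-03-04T09:15:50 web01 sshd[2215]: Accepted password for root from 203.0.113.7 port 40006 ssh2
2024-03-04T23:42:10 web01 sshd[2300]: Accepted publickey for bob from 10.0.1.31 port 52000 ssh2
2024-03-04T23:45:00 web01 sshd[2301]: pam_unix(sshd:session): session opened for user bob
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The "success after burst" rule is the one worth keeping even when the failure threshold is noisy: a brute-force burst that ends in an accepted login is the event that needs the timely reporting 16.1 describes, whereas the burst alone is background noise on any internet-facing host.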

16.2 Monitoring of internal control framework: The IT control environment and control framework are continuously monitored, benchmarked and improved to meet organisational objectives and adherence to information security policies, standards and procedures.
CobiT 4.1: ME2.1

16.3 Internal control at third parties: The status of external service providers' internal controls is assessed. Procedures are in place to ensure that external service providers comply with legal and regulatory requirements and contractual obligations.
CobiT 4.1: ME2.6

Used sources for 16.1: Cobit 5.0: DSS05.07 Monitor the infrastructure for security-related events; MEA02.01 Monitor internal controls | ISO 27002: 6.1.8, 10.10.2, 10.10.3, 10.10.4, 12.6.1, 13.1.2, 15.2.2, 15.3.1 | Assessment status: Open
Used sources for 16.2: Cobit 5.0: MEA02.02 Review business process control effectiveness | ISO 27002: 5.1.1, 5.1.2, 15.2.1 | Assessment status: Open
Used sources for 16.3: Cobit 5.0: MEA02.01 Monitor internal controls | ISO 27002: 6.2.3, 10.2.2, 15.2.1 | Assessment status: Open

16.4 Evaluation of compliance with external requirements: IT policies, standards, procedures and methodologies comply with legal and regulatory requirements.
CobiT 4.1: ME3.3 | Cobit 5.0: MEA03.03 Confirm external compliance | ISO 27002: 6.1.6, 15.1.2, 15.1.4 | Assessment status: Open (marked x; cell value 5)

16.5 Independent assurance: Independent assurance (internal or external) is obtained about the conformance of IT with relevant laws and regulations; the organisation's policies, standards and procedures; generally accepted practices; and the effective and efficient performance of IT.
CobiT 4.1: ME4.7 | Cobit 5.0: MEA02.05 Ensure that assurance providers are independent and qualified; MEA02.06 Plan assurance initiatives; MEA02.07 Scope assurance initiatives; MEA02.08 Execute assurance initiatives | ISO 27002: 5.1.2, 6.1.8, 10.10.2

17 User Account Management: Ensure that all users (internal, external and temporary) only have authorised access to data and functionalities, and that their activities within the IT environment are uniquely identifiable.

17.1 Identity management: All users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. User identities are enabled via authentication mechanisms. User access rights to systems and data are in line with defined and documented business needs, and job requirements are attached to user identities. User access rights are requested by user management, approved by system owners and implemented by the security-responsible person. User identities and access rights are maintained in a central repository. Cost-effective technical and procedural measures are deployed and kept current to establish user identification, implement authentication and enforce access rights.
CobiT 4.1: DS5.3

Cobit 5.0: DSS05.04 Manage user identity and logical access

17.2 User account management: Requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed with a set of user account management procedures. An approval procedure outlining the data or system owner granting the access privileges is included. These procedures should apply to all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users. Regular management review of all accounts and related privileges is performed.
CobiT 4.1: DS5.4

Cobit 5.0: DSS05.04 Manage user identity and logical access
ISO 27002 for 17.1: 5.1.1, 5.1.2, 6.1.2, 6.1.5, 8.2.2, 11.1.1, 11.2.3, 11.5.2, 11.7.1, 11.7.2 | Assessment status: Open
ISO 27002 for 17.2: 6.1.5, 6.2.1, 6.2.2, 8.1.1, 8.3.1, 8.3.3, 10.1.3, 11.1.1, 11.2.1, 11.2.2, 11.2.4, 11.3.1, 11.5.1, 11.5.3, 11.6.1 | Assessment status: Open
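The "regular management review of all accounts and related privileges" in 17.2, together with the request/approve/implement chain in 17.1, is easiest to evidence as a reconciliation of three lists: who is employed, which accounts exist, and which access was approved by the system owner. The block below is an added example, not code from the assessment tool or from COBIT. The HR roster, account export and approval register are constructed CSV text embedded inline; the names, the system label, the 90-day dormancy threshold and the review date are assumptions for the demonstration.

```python
"""Periodic review of user accounts and privileges (added example).

Not part of the assessment tool. Reconciles constructed inputs: the HR
roster, one system's account export and the owner-approved access register.
"""
import csv
import io
from datetime import date

DORMANT_DAYS = 90               # assumption: unused for a quarter counts as dormant
REVIEW_DATE = date(2024, 3, 31)  # assumption: date the review is run

# Constructed HR roster: who is still an active employee.
HR_ROSTER = """\
user_id,status,manager
alice,active,carol
bob,left,carol
carol,active,dave
erin,active,dave
"""

# Constructed account export from one system (privileged = administrative rights).
ACCOUNT_EXPORT = """\
system,account,owner_user_id,privileged,last_login
erp,alice,alice,no,2024-03-28
erp,bob,bob,no,2024-02-01
erp,carol,carol,yes,2024-03-30
erp,svc_batch,,yes,2023-11-15
erp,erin,erin,yes,2024-03-29
"""

# Constructed register of access requests approved by the system owner.
APPROVALS = """\
system,account,approved_by,approved_on
erp,alice,owner-erp,2023-06-01
erp,carol,owner-erp,2023-06-01
erp,svc_batch,owner-erp,2023-06-01
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(roster_csv, accounts_csv, approvals_csv, today=REVIEW_DATE):
    """Return {account: [finding, ...]} for every account that needs attention.

    Findings: orphaned (owner not an active employee), service account without
    a named owner, access without an approval record (flagged as privileged
    where applicable) and dormant (no login within DORMANT_DAYS).
    """
    roster = {r["user_id"]: r for r in _rows(roster_csv)}
    approved = {(a["system"], a["account"]) for a in _rows(approvals_csv)}
    findings = {}
    for acct in _rows(accounts_csv):
        notes = []
        owner = roster.get(acct["owner_user_id"])
        privileged = acct["privileged"] == "yes"
        if not acct["owner_user_id"]:
            notes.append("service account without a named owner")
        elif owner is None or owner["status"] != "active":
            notes.append("orphaned: owner is not an active employee")
        if (acct["system"], acct["account"]) not in approved:
            notes.append(("privileged " if privileged else "") + "access without an approval record")
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if idle_days > DORMANT_DAYS:
            notes.append(f"dormant: last login {idle_days} days ago")
        if notes:
            findings[acct["account"]] = notes
    return findings


if __name__ == "__main__":
    for account, notes in review_accounts(HR_ROSTER, ACCOUNT_EXPORT, APPROVALS).items():
        for note in notes:
            print(f"{account}: {note}")
```

The output is the review's evidence: a leaver whose account was never closed, a privileged account the owner never approved, and a service account nobody owns that has not been used in months. Each line maps back to one of the lifecycle steps 17.2 lists (closing, approving, reviewing), which is what an assessor scoring this control at level 3 or above will ask to see.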

Sheet: Technology
Used sources: CobiT 4.1 | Cobit 5.0 | ISO 27002

18 Secure Infrastructure: Security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection, trusted path or medium, encryption) are used to secure data storage and transport within the enterprise's technical infrastructure, and flows from and to the network and mobile devices (e.g. smart phones, USB sticks). Applied techniques are in accordance with the related data classification.

18.1 Infrastructure resource protection and availability: Internal control, security and auditability measures are implemented during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components are clearly defined and understood by those who develop and integrate infrastructure components. Their use is monitored and evaluated.
CobiT 4.1: AI3.2

18.2 Infrastructure maintenance: A strategy and plan for infrastructure maintenance is developed, and changes are controlled in line with the organisation's change management procedure. This includes periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerability assessment and security requirements.
CobiT 4.1: AI3.3

18.3 Cryptographic key management: Policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys, to ensure the protection of keys against modification and unauthorised disclosure.
CobiT 4.1: DS5.8
Used sources for 18.1–18.3: Cobit 5.0: BAI03.03 Develop solution components | ISO 27002: 12.1.1

Operational maturity level is . (value blank in this export)
Columns: Ref. | Used sources | No. | Comments
Instructions: An 'x' is used to indicate which level is applicable. Please avoid two x in one row.
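The instruction above (repeated on the Facilities sheet) and the "Operational maturity level is ." summary line describe how a sheet is scored: one 'x' per control row across the 'Not applicable' and 0-5 columns, with the section level derived from the marks. The spreadsheet does this in its own macros, which are not reproduced here; the block below is an added example written for this page that computes the same thing outside Excel, so that an exported sheet can be checked. It returns None for 'Not applicable', keeps such rows out of the section average, and reports rather than scores a row that breaks the one-x rule. Column labels follow the level legend on the sheet; the rows in SAMPLE_SECTION_11 are constructed, not assessment data from the page.

```python
"""Score one assessment row from its 'x' mark and aggregate a section (added example).

Not part of the spreadsheet or its macros. Sample rows are constructed.
"""
from statistics import mean

# Level columns as laid out on the assessment sheets (one 'x' per row).
LEVELS = [
    "Not applicable",
    "0 - Non-existent",
    "1 - Ad hoc, initial",
    "2 - Repeatable but intuitive",
    "3 - Defined",
    "4 - Managed and measurable",
    "5 - Optimised",
]


def maturity_level(row):
    """Return the marked level of one control row.

    None for 'Not applicable', an int 0-5 otherwise. Raises ValueError when
    the row carries no 'x' or more than one ('avoid two x in one row').
    """
    marked = [col for col in LEVELS if str(row.get(col, "")).strip().lower() == "x"]
    if len(marked) != 1:
        raise ValueError(f"{row.get('Ref.', '?')}: expected exactly one 'x', found {len(marked)}")
    if marked[0] == "Not applicable":
        return None
    return int(marked[0][0])  # leading digit of the level label


def section_score(rows):
    """Average the applicable controls of a section.

    Returns (average or None, list of problem descriptions). 'Not applicable'
    rows are left out of the average; rows with zero or two marks are
    reported instead of being silently scored.
    """
    levels, problems = [], []
    for row in rows:
        try:
            level = maturity_level(row)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if level is not None:
            levels.append(level)
    return (round(mean(levels), 2) if levels else None), problems


def make_row(ref, *marked_cols):
    """Build a row dict with 'x' in the given level column(s)."""
    return {"Ref.": ref, **{col: ("x" if col in marked_cols else "") for col in LEVELS}}


# Constructed sample for section 11 (not data from the page).
SAMPLE_SECTION_11 = [
    make_row("11.1", LEVELS[4]),             # 3 - Defined
    make_row("11.2", LEVELS[3]),             # 2 - Repeatable but intuitive
    make_row("11.3", LEVELS[0]),             # Not applicable: excluded from the average
    make_row("11.4", LEVELS[5], LEVELS[2]),  # two x in one row: reported, not scored
]

if __name__ == "__main__":
    average, problems = section_score(SAMPLE_SECTION_11)
    print("Operational maturity level is", average)
    for problem in problems:
        print("check row:", problem)
```

Rows read from a real export (for instance with openpyxl) plug straight into section_score as dicts keyed by the column headings; the point of raising on a double mark rather than picking one is that the sheet's own total would otherwise silently absorb the data-entry error the instruction warns about.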
Used sources for 18.1–18.3: Cobit 5.0: DSS02.03 Verify, approve and fulfil service requests; BAI02.02 Perform a feasibility study and formulate alternative solutions; DSS05.03 Manage endpoint security | ISO 27002: 9.1.5, 9.2.4, 12.4.2, 12.5.2, 12.6.1; 10.8.4, 12.2.3, 12.3.1, 12.3.2, 15.1.6; 11.6.2
Assessment status: 18.1 Open | 18.2 Open | 18.3 Open

18.4 Network security: Security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) are used to authorise access and control information flows from and to networks. Available best practices in this area (e.g. GovCert, ISO/IEC, ITSec) are considered.
CobiT 4.1: DS5.10 | Cobit 5.0: DSS05.02 Manage network and connectivity security

18.5 Exchange of sensitive data: Sensitive transaction data is only exchanged over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
Cobit 5.0: DSS05.02 Manage network and connectivity security

Assessment status 18.4: Open
CobiT 4.1 for 18.5: DS5.11 | ISO 27002 (18.4–18.5): 6.2.1, 10.6.1, 10.6.2, 10.8.1, 10.9.1, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.6.2 | Assessment status 18.5: Open
19 Manage malware attacks: Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

19.1 Malicious software prevention, detection and correction: Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
CobiT 4.1: DS5.9

Cobit 5.0: DSS05.01 Protect against malware | ISO 27002: 6.2.1, 10.4.1, 10.4.2, 10.6.1, 10.6.2, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7 | Assessment status: Open (marked x)

20 Protect infrastructure components: Technology is hardened, security-related technology is made resistant to tampering, and security documentation is not disclosed unnecessarily.

Sheet: Technology
Objective: Ensure the protection of information in networks, the protection of the supporting infrastructure and the secure exchange of information within the organisation and with any external entity.
Columns: No. | Ref. | Standard / Control measure | Used sources | Assessment status (Open / Final) | Operational maturity level: Not applicable, 0 - Non-existent, 1 - Initial/ad hoc, 2 - Repeatable but intuitive, 3 - Defined, 4 - Managed and measurable, 5 - Optimised | Domain
Back to Assessment Overview

20.1 Protection of security technology: Security-related technology is made resistant to tampering, and security documentation is not disclosed unnecessarily.
CobiT 4.1: DS5.7 | Cobit 5.0: DSS05.05 Manage physical access to IT assets | ISO 27002: 6.1.4, 9.1.6, 9.2.1, 9.2.3, 10.7.4, 10.6.2, 10.10.1, 10.10.3, 10.10.4, 10.10.5, 10.10.6, 11.3.2, 11.3.3, 11.4.3, 11.4.4, 11.5.1, 11.5.4, 11.5.5, 11.5.6, 11.7.1, 11.7.2, 12.4.1, 12.6.1, 13.1.2, 13.2.3, 15.2.2, 15.3.2 | Assessment status: Open

Sheet: Facilities
Columns: Standard / Control measure | Used sources (CobiT 4.1, Cobit 5.0, ISO 27002)

21 Physical security: Physical security measures are defined and implemented in line with business and data classification requirements to secure facilities (e.g. buildings, power supply) and the physical and information assets. Physical security must be capable of effectively preventing, detecting and mitigating risks relating to disasters and accidents (e.g. nature, human, vandalism, terror).

21.1 Physical security measures: Physical security measures are defined and implemented in line with business requirements to secure the location and the physical assets. Physical security measures must be capable of effectively preventing, detecting and mitigating risks relating to theft, temperature, fire, smoke, water, vibration, terror, vandalism, power outages, chemicals or explosives.
CobiT 4.1: DS12.2 | Cobit 5.0: DSS05.05 Manage physical access to IT assets

21.2 Physical access: Procedures are defined and implemented to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas can be justified, authorised, logged and monitored. This applies to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
CobiT 4.1: DS12.3 | Cobit 5.0: DSS05.05 Manage physical access to IT assets

Operational maturity level is . (value blank in this export)
Instructions: An 'x' is used to indicate which level is applicable. Please avoid two x in one row.
ISO 27002 for 21.1: 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.1, 9.2.2, 9.2.3, 9.2.5, 9.2.7 | Assessment status: Open
ISO 27002 for 21.2: 6.2.1, 9.1.2, 9.1.5, 9.1.6, 9.2.5 | Assessment status: Open
Columns: No. | Ref. | Used sources | Comments | Assessment status (Open / Final) | Operational maturity level: Not applicable, 0 - Non-existent, 1 - Initial/ad hoc, 2 - Repeatable but intuitive, 3 - Defined, 4 - Managed and measurable, 5 - Optimised | Domain
Back to Assessment Overview
Objective: Prevent loss, damage, theft or compromise of the organisation's premises and information, and interruption to the organisation's activities.

Data sheet (banner: DO NOT DELETE THIS SHEET!!!)
Branche Name (sector): <Bank, Ver<name>
Date: dd-mm-yyyy | Year: #VALUE! | Approved: <name> | Filled: <name>
Function: <function> | BudgetISD: 0 | PctITAudit: 0
PerOutPos: 0 | FTEsISD: 0 | VacISD: 0 | Patched2: 0 | Patched5: 0 | Patched30: 0 | Patched60: 0
Control index (section and item digits run together), each paired with the value 5:
11, 12, 21, 22, 31, 32, 41, 42, 43, 51, 52, 61, 71, 81, 82, 83, 84, 85, 91, 92, 101, 102, 103, 104, 105, 111, 112, 113, 114, 121, 122, 123, 131, 132, 141, 142, 151, 152, 161, 162, 163, 164, 165, 171, 172, 181, 182, 183, 184, 185, 191, 201, 211, 212
