Cyber Security Maturity Assessment

Welcome to the 369 Consult GmbH Cybersecurity Maturity Quick Assessment. In just a few minutes, you can gain valuable insights into the strengths and opportunities within your cybersecurity program. This assessment, designed by industry experts, is grounded in the globally recognized NIST framework and tailored to reflect the critical cybersecurity aspects most relevant to small and medium-sized enterprises.

Whether you're preparing for compliance, bolstering your defenses post-incident, or just checking the pulse of your cybersecurity posture, our intuitive questionnaire will guide you through a series of targeted queries that shine a light on your organization's cybersecurity readiness.

Embrace the journey to cybersecurity excellence. Begin your assessment now and unlock actionable insights that can transform your cybersecurity strategy.

Name

Email

Phone number

Company

What is the size of your company?

What industry does your company belong to?

What is the primary reason for performing this cybersecurity assessment?

Who is performing the assessment?

How many IT employees are in the IT department?

How many security specialists are in the company?

1 out of 7

How well does your organization define the scope of its cybersecurity program?

A: No defined scope or understanding of cybersecurity within the organization.

B: Cybersecurity scope is informally understood by some staff, without formal documentation.

C: Cybersecurity scope is documented but not fully communicated or understood across the organization.

D: Cybersecurity scope is clearly documented, communicated, and understood across the organization.

E: Cybersecurity scope is regularly reviewed and updated based on organizational changes.

F: Cybersecurity scope dynamically evolves and is integrated with business strategy and risk management processes.

How is information security integrated into organizational risk management?

A: Information security is not considered part of organizational risk management.

B: Information security risks are acknowledged but not systematically managed.

C: A basic process exists for integrating information security risks into risk management.

D: Information security risks are systematically integrated into organizational risk management.

E: Information security risk management is aligned with organizational risk management, with regular reviews.

F: Continuous improvement and feedback loops are established for integrating information security into risk management.

Does your organization have a comprehensive asset management process?

A: No asset management process exists.

B: Assets are sporadically inventoried without formal processes.

C: Formal asset management processes exist but are not consistently applied.

D: A comprehensive asset management process is in place and followed.

E: Asset management is integrated with cybersecurity practices.

F: Asset management and cybersecurity practices are continuously improved.

2 out of 7

How does your organization identify and prioritize cybersecurity threats?

A: Cybersecurity threats are not identified or prioritized.

B: Ad hoc identification of threats, with no prioritization.

C: Basic threat identification processes exist, with minimal prioritization.

D: Systematic threat identification and prioritization processes are in place.

E: Threat identification and prioritization are integrated into overall risk management.

F: Continuous improvement processes are in place for threat identification and prioritization.

To what extent are cybersecurity policies and procedures documented and communicated?

A: No cybersecurity policies or procedures are documented or communicated.

B: Some cybersecurity policies exist but are not formally communicated.

C: Cybersecurity policies and procedures are documented but inconsistently communicated.

D: Cybersecurity policies and procedures are well-documented and communicated across the organization.

E: Policies and procedures are regularly reviewed and updated.

F: Continuous feedback and improvement mechanisms are in place for policies and procedures.

What is the level of cybersecurity awareness among the workforce?

A: No cybersecurity awareness efforts.

B: Minimal, ad hoc cybersecurity awareness activities.

C: Formal cybersecurity awareness program exists but with limited reach.

D: Comprehensive cybersecurity awareness program covering all employees.

E: Regular updates and assessments of the cybersecurity awareness program.

F: Cybersecurity awareness is fully integrated into the organizational culture with continuous improvement.

3 out of 7

How does your organization ensure the resilience of its critical services?

A: No efforts to ensure the resilience of critical services.

B: Minimal, ad hoc measures to enhance resilience.

C: Basic resilience planning for critical services.

D: Comprehensive and tested resilience plans for all critical services.

E: Regular reviews and updates to resilience plans.

F: Continuous improvement and adaptation of resilience strategies based on emerging threats and business needs.

How does your organization manage identities and access?

A: No identity or access management controls are in place.

B: Manual, ad-hoc management of identities and access with significant gaps.

C: Basic identity and access management controls are documented but not fully enforced.

D: Comprehensive identity and access management policies are enforced with regular reviews.

E: Automated identity and access management solutions are implemented, with ongoing monitoring.

F: Continuous improvement of identity and access management practices, leveraging advanced technologies.

How are data security measures implemented within your organization?

A: No formal data security measures are in place.

B: Some data security measures exist but are inconsistently applied.

C: Formal data security policies are established but not fully comprehensive.

D: Data security measures are fully implemented, covering data at rest and in transit.

E: Regular reviews and updates to data security measures based on current threats.

F: Proactive and dynamic adaptation of data security measures to emerging threats and technologies.

4 out of 7

How does your organization manage remote access to its network?

A: No controls or policies for remote access.

B: Basic remote access controls without comprehensive security measures.

C: Documented remote access policies with basic security controls.

D: Secure remote access solutions with multi-factor authentication and encryption.

E: Regular review and enhancement of remote access policies and controls.

F: Adaptive remote access security measures with continuous monitoring and improvement.

How are anomalies and events detected in your network?

A: No capabilities in place to detect anomalies and events.

B: Occasional, manual detection of anomalies with no formal process.

C: Basic automated detection tools in place, but with limited coverage.

D: Comprehensive detection systems covering most critical assets, with regular reviews.

E: Advanced detection and analytics across all systems, with automated alerts.

F: Continuous improvement of detection capabilities, leveraging machine learning and AI for predictive analytics.

How does your organization manage the detection of unauthorized mobile devices?

A: No detection of unauthorized mobile devices.

B: Manual checks for unauthorized devices with no formal process.

C: Basic automated tools for detecting unauthorized devices, but limited in scope.

D: Comprehensive monitoring and detection of unauthorized devices across the network.

E: Regular audits and updates to the detection process for unauthorized devices.

F: Dynamic and adaptive processes for detecting unauthorized devices, with real-time response capabilities.

5 out of 7

How are network traffic anomalies detected and analyzed?

A: No detection or analysis of network traffic anomalies.

B: Manual monitoring of network traffic with occasional anomaly detection.

C: Basic automated detection of network anomalies, with manual analysis.

D: Advanced tools for automated detection and analysis of network anomalies.

E: Comprehensive network anomaly detection and analysis integrated with incident response.

F: Continuous enhancement of network traffic analysis capabilities, using AI and machine learning.

How does your organization ensure timely detection and response to incidents?

A: No formal incident response plan.

B: Incident response plan exists but is rarely followed or updated.

C: Documented incident response plan with basic roles and procedures.

D: Comprehensive incident response plan, regularly reviewed and practiced.

E: Incident response plan integrated with continuous monitoring and threat intelligence.

F: Adaptive incident response strategies, with ongoing improvements based on lessons learned and predictive analytics.

How are incident response roles and responsibilities defined and communicated?

A: No defined roles or responsibilities for incident response.

B: Informal assignment of incident response roles, leading to confusion.

C: Basic documentation of incident response roles and responsibilities.

D: Clear definition and communication of roles and responsibilities across the organization.

E: Regular training and drills to reinforce incident response roles and responsibilities.

F: Continuous evaluation and optimization of roles and responsibilities, ensuring alignment with best practices and organizational needs.

6 out of 7

How does your organization develop and implement recovery planning processes?

A: No recovery planning processes in place.

B: Informal, ad-hoc recovery efforts after an incident.

C: Basic recovery plans exist but are not comprehensive or regularly tested.

D: Comprehensive recovery plans developed, documented, and integrated with business continuity plans.

E: Recovery plans are regularly tested and updated based on testing outcomes and after actual incidents.

F: Continuous improvement of recovery plans, leveraging lessons learned and predictive analytics for resilience.

How does your organization restore capabilities that were impaired due to a cybersecurity incident?

A: No formal process for restoring capabilities post-incident.

B: Ad-hoc restoration of capabilities, often leading to prolonged service disruption.

C: Basic restoration processes in place, but not always effective or timely.

D: Structured and effective restoration processes, minimizing downtime and impact.

E: Restoration processes are regularly tested and refined for efficiency.

F: Proactive and automated restoration processes, ensuring minimal operational impact and quick return to normalcy.

7 out of 7

Cyber Security Maturity Assessment

See our cyber security maturity scale

0 – 9 (Inexistent): Cybersecurity is an uncharted territory in your organization. Immediate action is necessary to establish fundamental security measures.

10 – 27 (Initial): You’ve taken the first steps in cybersecurity, but your measures are sporadic and informal. Building a structured approach should be your next move.

28 – 44 (Repeatable): Your cybersecurity practices are taking shape, with repeatable processes in place. Consistency and documentation can further strengthen your stance.

45 – 64 (Defined): Your cybersecurity processes are documented and reviewed. It’s time to transition from proactive strategies to a more defined and systematic approach.

65 – 79 (Managed): With managed and refined cybersecurity processes, you are well on your way to excellence. The focus now shifts to continuous improvement and optimization.

80 – 85 (Optimized): Congratulations! Your cybersecurity practices are optimized and lead the industry. Maintaining this level requires ongoing dedication to innovation and adaptation.

Quick Links

Contact Us

369 consult GmbH © 2025

Contact us

Let’s work together