Interactive Assessment

Cyber Security
Toolkit

Evaluate your organization against the key security controls of the ISO 27001 standard. Complete the assessment steps to identify risks and determine maturity.


How are information security policies and organizational roles defined?

1. Security Policies & Org (ISO 27001 A.5)

No Policies No formal security policies exist. Responsibilities are undefined.
Informal Guidelines Basic undocumented security practices exist but roles are unassigned.
Documented Policies Documented security policies exist, though reviews are irregular.
Formal ISMS Framework Comprehensive policy framework under an ISMS, regularly reviewed, with clearly assigned roles.

How does your organization manage assets and access permissions?

2. Access Control & Assets (ISO 27001 A.5 / A.8)

No Access Controls Any employee can access any system. Assets are not inventoried.
Basic Shared Access Basic list of assets exists. Access is granted informally without strict RBAC.
Role-Based Access & MFA Defined asset inventory. Access governed by RBAC; MFA enforced on external portals.
Strict Zero Trust / Asset Lifecycle Automated asset tracking, strict least-privilege RBAC, mandatory MFA everywhere, and periodic audits.

What measures protect your operational infrastructure and communications network?

3. Operations & Communications (ISO 27001 A.8)

Unprotected Operations No network firewalls, anti-malware, or server backups are maintained.
Basic Safeguards Standard antivirus and basic firewall configured. Backups are run manually.
Managed EDR & Automated Backups EDR deployed, automated backups saved to cloud/local targets, network firewalls active.
EDR/SIEM + Offline Backups & Segmentation Managed EDR/XDR, centralized log monitoring (SIEM), network segmentation, and regularly tested offline backups.

How is physical access to company facilities and hardware controlled?

4. Physical & Environmental Security (ISO 27001 A.7)

Unrestricted Access Offices and hardware zones are open to visitors without logs or locks.
Basic Barriers Offices are locked after hours, but visitor access during the day is unmonitored.
Monitored Facilities & Clean Desk Visitor logs, badge entry, secure network cabinets, clean desk rules active.
Multi-layered Controls & CCTV Biometric/keycard logs, CCTV, dedicated server room protection, and secure hardware disposal policies.

How does your organization handle security incidents and ensure business continuity?

5. Incident Response & Continuity (ISO 27001 A.5.24 – A.5.30)

No Incident Planning No incident plans or business continuity playbooks exist. Reactive response only.
Informal Emergency Contacts Basic IT emergency contacts exist, but no structured incident logging or playbooks.
Documented Incident Response Plan Formal Incident Response Plan (IRP) documented. Disaster recovery backups exist.
Full IR Team & Continuity Testing Assigned IR team, regular incident tabletop testing, and active Business Continuity Plan (BCP) reviews.

How does your organization handle security requirements throughout employment?

6. Human Resources Security (ISO 27001 A.6)

No Screening No screening is done during onboarding; no security training is provided.
Onboarding Policy Basic screening is performed, but security awareness training is ad-hoc.
Regular Screening & Training All employees undergo screening; regular security training is conducted.
Strict Offboarding & NDA Lifecycle Strict background checks, mandatory security training, and formalized NDA/asset return procedures.

How are data encryption and cryptographic keys managed in your organization?

7. Cryptography & Key Management (ISO 27001 A.8.24)

Unencrypted Data Data is stored and transmitted in plaintext without cryptographic controls.
Basic Encryption HTTPS is used, but stored files, database tables, and emails are unencrypted.
Full Disk & At-Rest Encryption Full disk encryption on endpoints; databases and storage encrypted at rest.
Managed Cryptographic Lifecycle Formal key management policy, hardware-backed key storage (HSM or hardware tokens), scheduled key rotation, and end-to-end encryption.
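The difference between the third and fourth maturity levels above is not the cipher but the key lifecycle: whether a key can be rotated and retired without re-encrypting every record. The following is an added example, not code from the AXON Security assessment, showing envelope encryption with versioned key-encryption keys (KEKs): each record is encrypted under its own data-encryption key (DEK), the DEK is wrapped under the current KEK, and a rotation only re-wraps DEKs. The authenticated cipher is an HMAC-SHA256 counter-mode stand-in (an assumption made so the block runs on a bare Python install); in production use AES-GCM from a vetted library and keep KEKs in an HSM or cloud KMS.

```python
import hashlib
import hmac
import os
import secrets


# Stand-in AEAD (assumption, not AXON's or any library's code): HMAC-SHA256 as a
# PRF in counter mode for confidentiality, plus an encrypt-then-MAC tag.
def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(_prf(key, nonce + counter.to_bytes(8, "big")))
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag. aad is authenticated but not encrypted."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext, nonce or AAD was altered")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class KeyRing:
    """Versioned KEKs. Every record carries its own DEK wrapped under one KEK
    version, so rotating the KEK never touches the bulk ciphertext."""

    def __init__(self) -> None:
        self._keks = {}          # version -> KEK bytes (would live in an HSM/KMS)
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        """Create a new KEK version and make it current; old versions stay readable."""
        self.current += 1
        self._keks[self.current] = secrets.token_bytes(32)
        return self.current

    def retire(self, version: int) -> None:
        """Destroy an old KEK. Records not re-wrapped first become unrecoverable."""
        if version == self.current:
            raise ValueError("cannot retire the current KEK")
        del self._keks[version]

    def _wrap(self, dek: bytes) -> bytes:
        # The KEK version is bound in as AAD so a record cannot be silently
        # pointed at a different KEK than the one its DEK was wrapped with.
        return seal(self._keks[self.current], dek, aad=self.current.to_bytes(4, "big"))

    def _unwrap(self, record: dict) -> bytes:
        version = record["kek_version"]
        if version not in self._keks:
            raise KeyError(f"KEK v{version} was retired before this record was re-wrapped")
        return unseal(self._keks[version], record["wrapped_dek"], aad=version.to_bytes(4, "big"))

    def encrypt_record(self, plaintext: bytes) -> dict:
        dek = secrets.token_bytes(32)
        return {"kek_version": self.current,
                "wrapped_dek": self._wrap(dek),
                "ciphertext": seal(dek, plaintext)}

    def decrypt_record(self, record: dict) -> bytes:
        return unseal(self._unwrap(record), record["ciphertext"])

    def rewrap_record(self, record: dict) -> dict:
        """Move a record onto the current KEK; only the wrapped DEK changes."""
        dek = self._unwrap(record)
        return {"kek_version": self.current,
                "wrapped_dek": self._wrap(dek),
                "ciphertext": record["ciphertext"]}


if __name__ == "__main__":
    ring = KeyRing()
    rec = ring.encrypt_record(b"constructed sample: customer record")   # under KEK v1
    old, new = ring.current, ring.rotate()                               # KEK v2 is now current
    rec = ring.rewrap_record(rec)                                        # ciphertext unchanged
    ring.retire(old)                                                     # safe: nothing left on v1
    print(ring.decrypt_record(rec))
```

The order in the usage block is the operational point: rotate, re-wrap every record still on the old version, and only then retire it. Retiring first is the classic self-inflicted data loss, which is why the fourth maturity level pairs rotation with a written policy rather than an ad-hoc key swap.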

How are security risks managed when sharing information with external suppliers and SaaS vendors?

8. Supplier & Vendor Relationships (ISO 27001 A.5.19 – A.5.23)

No Vendor Reviews External tools, freelancers, and suppliers are onboarded without security reviews.
Informal Vendor Checking Basic check on supplier reputations, but no formalized security agreements.
NDA & Contract Clauses Contracts include standard security clauses and NDAs, but audits are not performed.
Continuous Vendor Risk Management Regular supplier audits, formal risk reviews, and strict SLAs for security incidents.

Book a Free Security Consultation

Schedule a free 15-30 minute security alignment call with an AXON Security expert to discuss your results and build a customized action plan.