Information Security Program Assessment Tool

Abstract

This self-assessment tool was created to evaluate the maturity of higher education information security programs, using as its framework the International Organization for Standardization (ISO) 27002:2013 "Information Technology Security Techniques. Code of Practice for Information Security Management." The tool is intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its own information security program. Unless otherwise noted, it should be completed by the chief information officer, the chief information security officer (or equivalent), or a designee. There are 101 questions in total, and on average an information security officer (or equivalent) who is familiar with their environment needs about 2 hours to complete the tool.

The assessment tool includes mapping to common standards and frameworks: ISO 27002:2013, NIST 800-53 r4 Controls, NIST 800-171 r1 Controls, the NIST Cybersecurity Framework, and the CIS 20 Critical Security Controls (select the Tool Mapped to Standards tab).

Need help with the tool? Contact [email protected]

* Please Note: Macros may not work on all Macs.
