Information Security Plan (ISP) Self-Assessment


Before any organization embarks on a cybersecurity project, it is useful to ask what value the project should deliver. After all, why do it if it isn’t valuable to the organization?
This self-assessment is a little different from the usual exercise and is something that we like to do with our clients before they engage with our Virtual CISO services.
The question is not whether you need an Information Security Plan, but whether you understand the questions you and your team should be asking in order to decide if you need one.

Every client has unique risks, and therefore unique requirements, when mitigating losses. This assessment can be used at the beginning of your journey or well after you have started in order to review your progress. The goal is to provide you and your team with a set of questions that you might ask. If a question is relevant, you score it against how well you understand the answer, not against what the answer is. In this way, we are not suggesting that there is one correct answer, but rather asking whether you are considering the right questions; only then can you focus on the answers you need to seek.

What we normally suggest is that you give it to leadership within your organization and see how well defined your team’s views are of cybersecurity and how it relates to your company’s goals. If you want to explore the answers more deeply, then let’s chat.

Here is the assessment. Give it to your leadership team and have someone consolidate the answers to get your overall cybersecurity footprint.
If you’re just starting out, then you should only work through the first set of criteria. Once you have an active cybersecurity program, the later criteria will help you assess its performance.