To receive the full score for a question, the below criteria should be met:
Select ALL options/checkboxes available for a question (except the first one, which is “do not know” or “do not have”). Even if you think that an option does not apply to your company, still select it and upload an explanation of why you think it does not apply.
An option that is not selected is automatically allocated zero marks.
Link or upload fully formalized processes/policies. You may provide excerpts or redacted versions instead of the full documents. However, note that a table of contents alone is not sufficient, as such templates can easily be downloaded from the web. The same applies to plain written statements or explanations, which, if relevant, are only allocated partial marks.
Most options require proof of commitment (such as a policy) and proof of implementation (such as an audit report, antivirus agent screenshot, log extraction, etc.) for your answer to be credited.
In other words, the evidence should prove not only that a security measure is in place (formalized policy) but also, equally important, that it is being monitored and controlled.
For example, for a firm's password policy, it is not only essential to have a formalized policy that all employees can access, but also to have the proper control in place. For instance, a screenshot of the error message that appears when a user enters a weak password shows that a control exists to ensure this measure is followed. Of course, usernames or any other sensitive data can and should be masked.
Please see below for how the scoring works: