ISO/IEC 27001:2013 Revision - Due Diligence Questionnaire (DDQ)

Please answer the below questions to the best of your ability:

Your organization has existing/documented IT security policies for the company overall in place that can be produced at a moment’s notice:*

	1	2	3	4	5	6	7	8	9	10

1 is Minimal Confidence, 10 is Highly Confident

Your company has conducted an overall information system(s) risk assessment within the last 12 months and is able to be produced the documented results at a moment’s notice: *

	1	2	3	4	5	6	7	8	9	10

1 is Minimal Confidence, 10 is Highly Confident

If an information system risk assessment has been conducted as defined above, has your organization produced a documented action/corrective plan based on the findings? *

Within your company, there are properly defined information systems security roles with individuals assigned, and are able to produce this documentation at a moment’s notice?*

Your organization maintains a “living document” of IT assets and personnel assigned toward the usage and management of these IT assets? *

Your organization has provided to all employees and contractors an IT Acceptable Use policy and is able to produce this document at a moment’s notice?*

Your organization has access controls in place for all employee roles and is able to produce this report at a moment’s notice?*

	1	2	3	4	5	6	7	8	9	10

1 is Minimal Confidence, 10 is Highly Confident

Your organization has cybersecurity protection policies in place for business processes, data protections, applications, and technology and are able to produce this report at a moment’s notice?*

	1	2	3	4	5	6	7	8	9	10

1 is Minimal Confidence, 10 is Highly Confident

Your organization has a security policy in place when vetting suppliers/vendors and is able to produce this report at a moment’s notice?

Your organization has an IT indecent management procedure in place (e.g., ransomware attack) and is able to produce the documented procedure at a moment’s notice?*

Your organization has a business continuity plan (BCP) in place and has been tested and documented within the last 12 months? *

Your organization has documented monitoring and measurements/thresholds that are evaluated regularly? Example: IT logs are reviewed and significant anomalies are reported to management. *

	1	2	3	4	5	6	7	8	9	10

1 is Minimal Confidence, 10 is Highly Confident

Your organization has documented controls over documents produced and managed both digitally and hard copies and is able to produce this report at a moment’s notice?*

Approximately how many employees and contractors are in your organization?*

How many locations/offices does your organization have? *

Country - Base of Operations*

Other countries operating in:

List all that apply

Regarding ISO/IEC 27001 (2013 Revision) are you looking to accomplish (check all that apply):*

ISO/IEC 27001 ComplianceISO/IEC 27001 Audit and CertificationOther

Please provide any other questions/comments:

Contact Information: Only the First Name is required. All other fields are optional for confidentiality.

Name*

First name only is fine if communication has already been established

Email

example@example.com

Phone Number

Area CodePhone Number