Complimentary Self-Assessment
Information Security Maturity Assessment
A structured diagnostic for organisations operating under Slovenian and EU cybersecurity obligations
1. Does your organisation have a documented information security policy that is reviewed at least annually?
2. How does your organisation identify and assess information security risks?
3. Is there a named person or function responsible for information security in your organisation?
4. How is information security addressed at senior management level?
5. Does your organisation maintain an up-to-date inventory of information assets (systems, data, services)?
6. How are user access rights managed when employees join, move roles, or leave?
7. Is multi-factor authentication (MFA) used for critical systems and remote access?
8. How does your organisation handle third-party and supplier access to your systems or data?
9. How does your organisation manage software vulnerabilities and security patches?
10. Does your organisation monitor its systems for security events and anomalies?
11. How are network and endpoint security managed (segmentation, firewalls, endpoint protection)?
12. Is your staff regularly trained to recognise phishing, social engineering, and cybersecurity threats?
13. Does your organisation have a documented incident response plan for cybersecurity events?
14. Are you aware of and prepared to meet the ZInfV-1 / NIS2 incident notification timeline (early warning within 24 hours, incident notification within 72 hours) to SI-CERT / AKOS?
15. Are data backups in place, tested, and protected against ransomware (e.g. offline or immutable copies)?
16. Does a Business Continuity Plan (BCP) cover scenarios involving a major cyber incident?
17. Has your organisation formally determined whether it falls under ZInfV-1 as an essential or important entity?
18. Are internal security audits or reviews conducted to check the effectiveness of controls?
19. How does your organisation manage personal data protection (GDPR / ZVOP-3) in relation to information security?
20. Is there a formal process to track, implement, and verify improvements following audits, incidents, or risk assessments?
Ready to close the gaps?
This assessment gives you a directional picture. A full diagnostic — including a clause-by-clause ZInfV-1 gap analysis, ISO 27001 control mapping, and a prioritised remediation roadmap — requires an expert pair of eyes. Let’s talk.
Book a Free 30-Minute Consultation
No obligation. Strictly confidential. Slovenian and EU clients welcome.