{"id":1263,"date":"2026-03-10T14:09:56","date_gmt":"2026-03-10T14:09:56","guid":{"rendered":"https:\/\/nimbis.si\/?page_id=1263"},"modified":"2026-03-10T14:11:39","modified_gmt":"2026-03-10T14:11:39","slug":"en-information-security-maturity-assessment","status":"publish","type":"page","link":"https:\/\/nimbis.si\/en\/en-information-security-maturity-assessment\/","title":{"rendered":"Information Security Maturity Assessment"},"content":{"rendered":"\n<style>\n  :root {\n    --ink: rgb(41, 53, 64);\n    --paper: conic-gradient(from 45deg at center,#222f3a 0%,#293540 12%,#344554 25%,#293540 37%,#222f3a 50%,#293540 62%,#344554 75%,#293540 87%,#222f3a 100%)!important;\n    --accent: #00B6ED;\n    --accent-light: hsl(from #00B6ED h s l \/ 0.1);\n    --gold: #b89650;\n    --muted: #6b7280;\n    --border: rgba(255,255,255,0.12);\n    --green: #2d6a4f;\n    --amber: #b45309;\n    --red: #991b1b;\n    --card: #2c3a47;\n  }\n\n  * { box-sizing: border-box; margin: 0; padding: 0; }\n\n  body {\n    font-family: 'Roboto', sans-serif;\n    background: var(--paper);\n    color: var(--ink);\n    min-height: 100vh;\n    font-size: 16px;\n    line-height: 1.6;\n  }\n\n  \/* \u2500\u2500 HEADER \u2500\u2500 *\/\n  .header.assessment {\n    background: var(--ink);\n    color: var(--paper);\n    padding: 2em;\n    text-align: center;\n    position: relative;\n    overflow: hidden;\n    box-shadow: rgba(0, 0, 0, 0.3) 0px 2px 18px 0px;\n}\n  .header.assessment::before {\n    content: '';\n    position: absolute;\n    inset: 0;\n    background: repeating-linear-gradient(\n      45deg,\n      transparent,\n      transparent 40px,\n      rgba(200,64,26,0.04) 40px,\n      rgba(200,64,26,0.04) 41px\n    );\n  }\n  .header-eyebrow {\n    font-family: 'DM Mono', monospace;\n    font-size: 0.7rem;\n    letter-spacing: 0.2em;\n    text-transform: uppercase;\n    color: var(--accent);\n    margin-bottom: 0.8rem;\n  }\n  .header.assessment h1 {\n    font-family: 'Roboto', sans-serif;\n    
font-size: 2.5em;\n    font-weight: 700;\n    color: #fff;\n    line-height: 1.2;\n    margin-bottom: 0.7rem;\n  }\n  .header.assessment p {\n    color: #a0aab4;\n    font-size: 0.92rem;\n    font-weight: 300;\n    max-width: 560px;\n    margin: 0 auto;\n  }\n  .badge-row {\n    display: flex;\n    justify-content: center;\n    gap: 0.6rem;\n    margin-top: 1.2rem;\n    flex-wrap: wrap;\n  }\n  .badge {\n    font-family: 'DM Mono', monospace;\n    font-size: 0.62rem;\n    letter-spacing: 0.12em;\n    padding: 0.25rem 0.7rem;\n    border: 1px solid var(--accent);\n    color: var(--accent);\n    border-radius: 2px;\n  }\n\n  \/* \u2500\u2500 INTRO \u2500\u2500 *\/\n  .intro-bar {\n    background: var(--accent-light);\n    border-left: 4px solid var(--accent);\n    padding: 1rem 1.5rem;\n    margin: 1.8rem auto;\n    max-width: 820px;\n    font-size: 0.88rem;\n    color: white;\n    border-radius: 0 4px 4px 0;\n  }\n  .intro-bar strong { color: var(--accent); }\n\n  \/* \u2500\u2500 WRAPPER \u2500\u2500 *\/\n  .wrapper {\n    max-width: 820px;\n    margin: 0 auto;\n    padding: 0 1.2rem 4rem;\n  }\n\n  \/* \u2500\u2500 SECTION LABEL \u2500\u2500 *\/\n  .section-label {\n    display: flex;\n    align-items: center;\n    gap: 0.8rem;\n    margin: 2.4rem 0 1rem;\n  }\n  .section-number {\n    font-family: 'DM Mono', monospace;\n    font-size: 0.65rem;\n    color: white;\n    border-radius: 2px;\n    letter-spacing: 0.08em;\n    flex-shrink: 0;\n  }\n  .section-title {\n    font-family: 'Roboto', sans-serif;\n    font-size: 1.2rem;\n    font-weight: 600;\n    color: white;\n  }\n  .section-line {\n    flex: 1;\n    height: 1px;\n    background: var(--border);\n  }\n\n  \/* \u2500\u2500 QUESTION CARD \u2500\u2500 *\/\n  .q-card {\n    background: var(--card);\n    border: 1px solid var(--border);\n    border-radius: 10px;\n    padding: 1.2rem 1.4rem;\n    margin-bottom: 1rem;\n    transition: border-color 0.2s;\n    box-shadow: 0px 2px 5px 0px rgba(0,0,0,0.3);\n  }\n  
.q-card:hover { border-color: var(--accent); }\n  .q-text {\n    font-size: 0.92rem;\n    font-weight: 500;\n    margin-bottom: 0.9rem;\n    line-height: 1.5;\n    color: white;\n  }\n  .q-num {\n    font-family: 'DM Mono', monospace;\n    font-size: 0.7rem;\n    color: var(--accent);\n    margin-right: 0.4rem;\n  }\n  .options {\n    display: grid;\n    gap: 0.45rem;\n  }\n  .option-label {\n    display: flex;\n    align-items: flex-start;\n    gap: 0.7rem;\n    cursor: pointer;\n    padding: 0.55rem 0.8rem;\n    border-radius: 4px;\n    border: 1px solid var(--border);\n    font-size: 0.84rem;\n    transition: background 0.15s, border-color 0.15s;\n    line-height: 1.4;\n    color: white;\n  }\n  .option-label:hover { border-color: var(--accent); }\n  .option-label input { display: none; }\n  .option-label.selected {\n    border-color: var(--accent);\n  }\n  .opt-dot {\n    width: 18px;\n    height: 18px;\n    border-radius: 50%;\n    border: 2px solid var(--border);\n    flex-shrink: 0;\n    margin-top: 1px;\n    display: flex;\n    align-items: center;\n    justify-content: center;\n    transition: border-color 0.15s, background 0.15s;\n  }\n  .option-label.selected .opt-dot {\n    border-color: var(--accent);\n    background: var(--accent);\n  }\n  .opt-dot::after {\n    content: '';\n    width: 7px;\n    height: 7px;\n    border-radius: 50%;\n    background: white;\n    display: none;\n  }\n  .option-label.selected .opt-dot::after { display: block; }\n  .score-hint {\n    font-family: 'DM Mono', monospace;\n    font-size: 0.62rem;\n    color: var(--muted);\n    margin-left: auto;\n    flex-shrink: 0;\n    padding-left: 0.5rem;\n  }\n\n  \/* \u2500\u2500 SUBMIT \u2500\u2500 *\/\n  .submit-area {\n    margin-top: 2.5rem;\n    text-align: center;\n  }\n  .progress-label {\n    font-family: 'DM Mono', monospace;\n    font-size: 0.72rem;\n    color: var(--muted);\n    margin-bottom: 0.6rem;\n  }\n  .progress-bar {\n    width: 100%;\n    height: 4px;\n    
background: var(--border);\n    border-radius: 4px;\n    margin-bottom: 1.5rem;\n    overflow: hidden;\n  }\n  .progress-fill {\n    height: 100%;\n    background: linear-gradient(90deg, var(--accent), var(--gold));\n    border-radius: 4px;\n    transition: width 0.4s ease;\n    width: 0%;\n  }\n  .btn-submit {\n    background: var(--accent);\n    color: white;\n    border: none;\n    padding: 1em 2em;\n    font-family: 'Roboto', sans-serif;\n    font-size: 1em;\n    font-weight: 500;\n    border-radius: 4px;\n    cursor: pointer;\n    transition: background 0.2s, transform 0.1s;\n  }\n  .btn-submit:hover { transform: translateY(-1px); }\n  .btn-submit:active { transform: translateY(0); }\n\n  \/* \u2500\u2500 RESULTS \u2500\u2500 *\/\n  #results { display: none; }\n  .result-header {\n    text-align: center;\n    padding: 2.5rem 1rem 2rem;\n    background: var(--card);\n    border: 1px solid var(--border);\n    border-radius: 8px;\n    margin-top: 1.5rem;\n  }\n  .result-level-tag {\n    font-family: 'DM Mono', monospace;\n    font-size: 0.68rem;\n    letter-spacing: 0.18em;\n    text-transform: uppercase;\n    margin-bottom: 0.5rem;\n  }\n  .result-score-big {\n    font-family: 'Roboto', sans-serif;\n    font-size: 4em;\n    font-weight: 700;\n    line-height: 1;\n    margin: 0.3rem 0;\n    color: white;\n  }\n  .result-label {\n    font-family: 'Roboto', sans-serif;\n    font-size: 1.2em;\n    font-weight: 600;\n    margin-bottom: 0.8rem;\n    color: white;\n  }\n  .result-desc {\n    font-size: 0.9rem;\n    color: var(--muted);\n    max-width: 520px;\n    margin: 0 auto 1.2rem;\n    line-height: 1.6;\n  }\n  .score-meter {\n    max-width: 340px;\n    margin: 1rem auto 0;\n  }\n  .meter-track {\n    height: 10px;\n    background: #e8e4dc;\n    border-radius: 10px;\n    overflow: hidden;\n    margin-bottom: 0.3rem;\n  }\n  .meter-fill {\n    height: 100%;\n    border-radius: 10px;\n    transition: width 1.2s cubic-bezier(0.23, 1, 0.32, 1);\n  }\n  .meter-labels 
{\n    display: flex;\n    justify-content: space-between;\n    font-family: 'DM Mono', monospace;\n    font-size: 0.6rem;\n    color: white;\n  }\n\n  \/* domain breakdown *\/\n  .breakdown-grid {\n    display: grid;\n    grid-template-columns: repeat(auto-fill, minmax(230px, 1fr));\n    gap: 1rem;\n    margin-top: 1.8rem;\n  }\n  .domain-card {\n    background: var(--card);\n    border: 1px solid var(--border);\n    border-radius: 6px;\n    padding: 1rem 1.2rem;\n  }\n  .domain-name {\n    font-size: 0.78rem;\n    font-weight: 500;\n    margin-bottom: 0.5rem;\n    color: white;\n  }\n  .domain-bar-wrap {\n    height: 6px;\n    background: #e8e4dc;\n    border-radius: 6px;\n    overflow: hidden;\n    margin-bottom: 0.35rem;\n  }\n  .domain-bar { height: 100%; border-radius: 6px; }\n  .domain-pct {\n    font-family: 'DM Mono', monospace;\n    font-size: 0.68rem;\n    color: var(--muted);\n  }\n\n  \/* finding cards *\/\n  .findings-title {\n    font-family: 'Roboto', sans-serif;\n    font-size: 1.1rem;\n    margin: 2.5rem 0 1rem;\n    padding-bottom: 0.5rem;\n    border-bottom: 1px solid var(--border);\n  }\n  .finding-card {\n    background: var(--card);\n    border: 1px solid var(--border);\n    border-left: 4px solid;\n    border-radius: 0 6px 6px 0;\n    padding: 1rem 1.2rem;\n    margin-bottom: 0.9rem;\n    font-size: 0.85rem;\n    line-height: 1.6;\n    color: var(--muted);\n  }\n  .finding-card strong {\n    display: block;\n    font-weight: 600;\n    margin-bottom: 0.3rem;\n    font-size: 0.88rem;\n    color: white;\n  }\n\n  \/* CTA *\/\n  .cta-box {\n    background: var(--ink);\n    color: var(--paper);\n    border-radius: 10px;\n    padding: 2rem 2rem;\n    margin-top: 2.5rem;\n    text-align: center;\n    border: 1px solid var(--border);\n    box-shadow: 0px 2px 5px 0px rgba(0,0,0,0.3);\n  }\n  .cta-box h3 {\n    font-family: 'Roboto', sans-serif;\n    font-size: 1.5em;\n    margin-bottom: 0.7rem;\n    color: #fff;\n  }\n  .cta-box p {\n    font-size: 
0.87rem;\n    color: #9aabba;\n    max-width: 480px;\n    margin: 0 auto 1.4rem;\n    line-height: 1.6;\n  }\n  .btn-cta {\n    display: inline-block;\n    background: var(--accent);\n    color: #fff;\n    padding: 0.85rem 2rem;\n    margin-bottom: 1em;\n    border-radius: 4px;\n    font-size: 0.88rem;\n    font-weight: 500;\n    text-decoration: none;\n    letter-spacing: 0.03em;\n    transition: background 0.2s;\n  }\n  .btn-cta:hover { background: #a83315; }\n  .cta-legal {\n    font-size: 0.72rem;\n    color: #6b7d8a;\n    margin-top: 0.8rem;\n  }\n\n  \/* util *\/\n  .hidden { display: none !important; }\n  .text-green { color: var(--green); }\n  .text-amber { color: var(--amber); }\n  .text-red   { color: var(--red);   }\n  .bg-green   { background: var(--green); }\n  .bg-amber   { background: var(--amber); }\n  .bg-red     { background: var(--red);   }\n  .border-green { border-left-color: var(--green); }\n  .border-amber { border-left-color: var(--amber); }\n  .border-red   { border-left-color: var(--red);   }\n\n  @media (max-width: 600px) {\n    .section-title { font-size: 1rem; }\n    .result-score-big { font-size: 3rem; }\n    .cta-box { padding: 1.5rem 1.2rem; }\n  }\n<\/style>\n\n<div class=\"header assessment\">\n  <p class=\"header-eyebrow\">Complimentary Self-Assessment<\/p>\n  <h1>Information Security Maturity Assessment<\/h1>\n  <p>A structured diagnostic for organisations operating under Slovenian and EU cybersecurity obligations<\/p>\n  <div class=\"badge-row\">\n    <span class=\"badge\">NIS2 Directive<\/span>\n    <span class=\"badge\">ZInfV-1<\/span>\n    <span class=\"badge\">ISO\/IEC 27001:2022<\/span>\n    <span class=\"badge\">DORA-aware<\/span>\n  <\/div>\n<\/div>\n\n<div class=\"wrapper\">\n\n  <div class=\"intro-bar\">\n    <strong>How this works:<\/strong> Answer 20 questions across 5 domains. Each question has four options worth 0\u20133 points. Your total (max 60) maps to one of four maturity levels. 
Be honest \u2014 the more accurate your answers, the more useful your results. No answers are sent anywhere; everything runs in your browser.\n  <\/div>\n\n  <div id=\"quiz\">\n\n    <!-- \u2500\u2500 DOMAIN 1 \u2500\u2500 -->\n    <div class=\"section-label\">\n      <span class=\"section-number\">01<\/span>\n      <span class=\"section-title\">Governance &amp; Risk Management<\/span>\n      <span class=\"section-line\"><\/span>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"0\">\n      <p class=\"q-text\"><span class=\"q-num\">1.<\/span> Does your organisation have a documented information security policy that is reviewed at least annually?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q1\" value=\"0\"><span class=\"opt-dot\"><\/span>We have no formal policy.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q1\" value=\"1\"><span class=\"opt-dot\"><\/span>A policy exists but is outdated or rarely consulted.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q1\" value=\"2\"><span class=\"opt-dot\"><\/span>A current policy exists and has been communicated to staff.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q1\" value=\"3\"><span class=\"opt-dot\"><\/span>Policy is current, reviewed annually, approved by management, and integrated into operations.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"0\">\n      <p class=\"q-text\"><span class=\"q-num\">2.<\/span> How does your organisation identify and assess information security risks?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q2\" value=\"0\"><span class=\"opt-dot\"><\/span>Risks are not formally assessed.<span 
class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q2\" value=\"1\"><span class=\"opt-dot\"><\/span>Risk assessment happens informally or only after an incident.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q2\" value=\"2\"><span class=\"opt-dot\"><\/span>We conduct periodic risk assessments with documented results.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q2\" value=\"3\"><span class=\"opt-dot\"><\/span>Risk assessments are systematic, risk-appetite-driven, and feed into a formal treatment plan reviewed by management.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"0\">\n      <p class=\"q-text\"><span class=\"q-num\">3.<\/span> Is there a named person or function responsible for information security in your organisation?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q3\" value=\"0\"><span class=\"opt-dot\"><\/span>No \u2014 everyone assumes someone else handles it.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q3\" value=\"1\"><span class=\"opt-dot\"><\/span>IT manages security informally without a dedicated mandate.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q3\" value=\"2\"><span class=\"opt-dot\"><\/span>A person is designated but has limited authority or resources.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q3\" value=\"3\"><span class=\"opt-dot\"><\/span>A CISO or equivalent role exists with clear mandate, budget, and board-level access.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    
<\/div>\n\n    <div class=\"q-card\" data-domain=\"0\">\n      <p class=\"q-text\"><span class=\"q-num\">4.<\/span> How is information security addressed at senior management level?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q4\" value=\"0\"><span class=\"opt-dot\"><\/span>Security is not a management agenda item.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q4\" value=\"1\"><span class=\"opt-dot\"><\/span>Management is aware of security only when problems occur.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q4\" value=\"2\"><span class=\"opt-dot\"><\/span>Security is discussed periodically; management approves major decisions.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q4\" value=\"3\"><span class=\"opt-dot\"><\/span>Senior management demonstrates visible leadership, sets objectives, and monitors KPIs for security.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <!-- \u2500\u2500 DOMAIN 2 \u2500\u2500 -->\n    <div class=\"section-label\">\n      <span class=\"section-number\">02<\/span>\n      <span class=\"section-title\">Asset Management &amp; Access Control<\/span>\n      <span class=\"section-line\"><\/span>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"1\">\n      <p class=\"q-text\"><span class=\"q-num\">5.<\/span> Does your organisation maintain an up-to-date inventory of information assets (systems, data, services)?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q5\" value=\"0\"><span class=\"opt-dot\"><\/span>No inventory exists.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q5\" value=\"1\"><span 
class=\"opt-dot\"><\/span>A partial or informal list exists but is not maintained.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q5\" value=\"2\"><span class=\"opt-dot\"><\/span>An asset register exists and is updated periodically.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q5\" value=\"3\"><span class=\"opt-dot\"><\/span>A comprehensive, classified asset register is maintained with clear ownership and data classifications.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"1\">\n      <p class=\"q-text\"><span class=\"q-num\">6.<\/span> How are user access rights managed when employees join, move roles, or leave?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q6\" value=\"0\"><span class=\"opt-dot\"><\/span>Access is rarely revoked; ex-employees may still have active accounts.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q6\" value=\"1\"><span class=\"opt-dot\"><\/span>Access is adjusted reactively \u2014 often delayed or incomplete.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q6\" value=\"2\"><span class=\"opt-dot\"><\/span>Processes exist for joiner\/mover\/leaver but are not consistently followed.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q6\" value=\"3\"><span class=\"opt-dot\"><\/span>Formal, automated JML processes with regular access reviews and least-privilege enforcement.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"1\">\n      <p class=\"q-text\"><span class=\"q-num\">7.<\/span> Is multi-factor 
authentication (MFA) used for critical systems and remote access?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q7\" value=\"0\"><span class=\"opt-dot\"><\/span>No \u2014 passwords alone are used everywhere.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q7\" value=\"1\"><span class=\"opt-dot\"><\/span>MFA is used for some systems (e.g. cloud email) but not consistently.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q7\" value=\"2\"><span class=\"opt-dot\"><\/span>MFA is enforced for remote access and most critical systems.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q7\" value=\"3\"><span class=\"opt-dot\"><\/span>MFA is mandatory across all privileged, remote, and critical-system access with phishing-resistant methods used.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"1\">\n      <p class=\"q-text\"><span class=\"q-num\">8.<\/span> How does your organisation handle third-party and supplier access to your systems or data?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q8\" value=\"0\"><span class=\"opt-dot\"><\/span>Third parties have unrestricted or unmonitored access.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q8\" value=\"1\"><span class=\"opt-dot\"><\/span>Third-party access is granted informally with no contracts covering security.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q8\" value=\"2\"><span class=\"opt-dot\"><\/span>Contracts include security clauses; access is limited in scope.<span class=\"score-hint\">2 
pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q8\" value=\"3\"><span class=\"opt-dot\"><\/span>Supply chain risk is formally assessed; third-party access is scoped, monitored, and periodically reviewed.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <!-- \u2500\u2500 DOMAIN 3 \u2500\u2500 -->\n    <div class=\"section-label\">\n      <span class=\"section-number\">03<\/span>\n      <span class=\"section-title\">Cyber Threat &amp; Vulnerability Management<\/span>\n      <span class=\"section-line\"><\/span>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"2\">\n      <p class=\"q-text\"><span class=\"q-num\">9.<\/span> How does your organisation manage software vulnerabilities and security patches?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q9\" value=\"0\"><span class=\"opt-dot\"><\/span>Patching happens rarely or only when something breaks.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q9\" value=\"1\"><span class=\"opt-dot\"><\/span>Patches are applied but without a defined schedule or prioritisation.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q9\" value=\"2\"><span class=\"opt-dot\"><\/span>A patching schedule exists; critical patches are applied within a defined window.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q9\" value=\"3\"><span class=\"opt-dot\"><\/span>Vulnerability scanning, risk-based patch prioritisation, and SLA tracking are in place with documented exceptions.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"2\">\n      <p class=\"q-text\"><span class=\"q-num\">10.<\/span> Does your organisation monitor its systems for 
security events and anomalies?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q10\" value=\"0\"><span class=\"opt-dot\"><\/span>No monitoring \u2014 incidents are discovered by accident.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q10\" value=\"1\"><span class=\"opt-dot\"><\/span>Basic logging exists but is rarely reviewed.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q10\" value=\"2\"><span class=\"opt-dot\"><\/span>Logs are centralised and reviewed periodically; alerts are configured for some events.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q10\" value=\"3\"><span class=\"opt-dot\"><\/span>24\/7 monitoring or SIEM is in place with defined alerting, escalation procedures, and log integrity controls.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"2\">\n      <p class=\"q-text\"><span class=\"q-num\">11.<\/span> How is network security managed (segmentation, firewalls, endpoint protection)?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q11\" value=\"0\"><span class=\"opt-dot\"><\/span>A basic firewall exists; little else is in place.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q11\" value=\"1\"><span class=\"opt-dot\"><\/span>Perimeter defences exist but internal network is flat; endpoint protection is inconsistent.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q11\" value=\"2\"><span class=\"opt-dot\"><\/span>Network segments exist for critical systems; managed endpoint protection is deployed across devices.<span 
class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q11\" value=\"3\"><span class=\"opt-dot\"><\/span>Zero-trust principles applied; network segmentation, EDR, and web filtering are deployed and regularly reviewed.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"2\">\n      <p class=\"q-text\"><span class=\"q-num\">12.<\/span> Is your staff regularly trained to recognise phishing, social engineering, and cybersecurity threats?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q12\" value=\"0\"><span class=\"opt-dot\"><\/span>No security training is provided.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q12\" value=\"1\"><span class=\"opt-dot\"><\/span>A one-off or onboarding-only awareness session is given.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q12\" value=\"2\"><span class=\"opt-dot\"><\/span>Annual security awareness training with tracking of completion.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q12\" value=\"3\"><span class=\"opt-dot\"><\/span>Continuous training programme including simulated phishing, role-based training, and measured behaviour change.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <!-- \u2500\u2500 DOMAIN 4 \u2500\u2500 -->\n    <div class=\"section-label\">\n      <span class=\"section-number\">04<\/span>\n      <span class=\"section-title\">Incident Response &amp; Business Continuity<\/span>\n      <span class=\"section-line\"><\/span>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"3\">\n      <p class=\"q-text\"><span class=\"q-num\">13.<\/span> Does your organisation have a documented 
incident response plan for cybersecurity events?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q13\" value=\"0\"><span class=\"opt-dot\"><\/span>No plan \u2014 we would improvise if an incident occurred.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q13\" value=\"1\"><span class=\"opt-dot\"><\/span>Some guidance exists informally, but it is not documented or tested.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q13\" value=\"2\"><span class=\"opt-dot\"><\/span>A documented plan exists with defined roles; it has not been tested recently.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q13\" value=\"3\"><span class=\"opt-dot\"><\/span>A comprehensive IRP is in place, exercised at least annually, with lessons-learned incorporated.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"3\">\n      <p class=\"q-text\"><span class=\"q-num\">14.<\/span> Are you aware of, and prepared to meet, the ZInfV-1 \/ NIS2 72-hour incident notification requirement to SI-CERT \/ AKOS (under NIS2 this follows an early warning due within 24 hours)?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q14\" value=\"0\"><span class=\"opt-dot\"><\/span>We were not aware of this obligation.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q14\" value=\"1\"><span class=\"opt-dot\"><\/span>We know the obligation exists but have no process to meet the deadline.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q14\" value=\"2\"><span class=\"opt-dot\"><\/span>A process exists for notification but has not been rehearsed.<span class=\"score-hint\">2 
pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q14\" value=\"3\"><span class=\"opt-dot\"><\/span>A tested, documented notification process exists with designated contacts and template reports ready.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"3\">\n      <p class=\"q-text\"><span class=\"q-num\">15.<\/span> Are data backups in place, tested, and protected against ransomware (e.g. offline or immutable copies)?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q15\" value=\"0\"><span class=\"opt-dot\"><\/span>Backups are inconsistent or not verified.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q15\" value=\"1\"><span class=\"opt-dot\"><\/span>Backups run regularly but are on the same network (accessible to ransomware).<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q15\" value=\"2\"><span class=\"opt-dot\"><\/span>Backups are segregated; restoration is tested occasionally.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q15\" value=\"3\"><span class=\"opt-dot\"><\/span>3-2-1+ backup strategy with immutable\/offline copies, regular recovery tests with documented RTO\/RPO.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"3\">\n      <p class=\"q-text\"><span class=\"q-num\">16.<\/span> Does a Business Continuity Plan (BCP) cover scenarios involving a major cyber incident?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q16\" value=\"0\"><span class=\"opt-dot\"><\/span>No BCP exists.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label 
class=\"option-label\"><input type=\"radio\" name=\"q16\" value=\"1\"><span class=\"opt-dot\"><\/span>A BCP exists but does not address cyber scenarios explicitly.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q16\" value=\"2\"><span class=\"opt-dot\"><\/span>BCP covers cyber scenarios; it has been reviewed but not fully tested.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q16\" value=\"3\"><span class=\"opt-dot\"><\/span>BCP and DRP are integrated, tested through exercises, with clear crisis communication chains.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <!-- \u2500\u2500 DOMAIN 5 \u2500\u2500 -->\n    <div class=\"section-label\">\n      <span class=\"section-number\">05<\/span>\n      <span class=\"section-title\">Compliance, Audit &amp; Continuous Improvement<\/span>\n      <span class=\"section-line\"><\/span>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"4\">\n      <p class=\"q-text\"><span class=\"q-num\">17.<\/span> Has your organisation formally determined whether it falls under ZInfV-1 as an essential or important entity?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q17\" value=\"0\"><span class=\"opt-dot\"><\/span>We have not assessed our regulatory status under ZInfV-1.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q17\" value=\"1\"><span class=\"opt-dot\"><\/span>We have a rough idea but no formal legal analysis.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q17\" value=\"2\"><span class=\"opt-dot\"><\/span>We have assessed our status; classification is documented but not yet fully acted upon.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label 
class=\"option-label\"><input type=\"radio\" name=\"q17\" value=\"3\"><span class=\"opt-dot\"><\/span>Legal analysis is complete, entity is registered if required, and obligations are mapped to our ISMS controls.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"4\">\n      <p class=\"q-text\"><span class=\"q-num\">18.<\/span> Are internal security audits or reviews conducted to check the effectiveness of controls?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q18\" value=\"0\"><span class=\"opt-dot\"><\/span>No internal audits are conducted.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q18\" value=\"1\"><span class=\"opt-dot\"><\/span>Informal reviews occur occasionally; no structured audit programme.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q18\" value=\"2\"><span class=\"opt-dot\"><\/span>Periodic audits are conducted with findings tracked.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q18\" value=\"3\"><span class=\"opt-dot\"><\/span>Structured internal audit programme with scope rotation, finding management, and management review integration.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"4\">\n      <p class=\"q-text\"><span class=\"q-num\">19.<\/span> How does your organisation manage personal data protection (GDPR \/ ZVOP-3) in relation to information security?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q19\" value=\"0\"><span class=\"opt-dot\"><\/span>Data protection and security are handled entirely separately with no coordination.<span class=\"score-hint\">0 pts<\/span><\/label>\n    
    <label class=\"option-label\"><input type=\"radio\" name=\"q19\" value=\"1\"><span class=\"opt-dot\"><\/span>GDPR compliance is handled by legal\/HR; security team has little visibility of data flows.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q19\" value=\"2\"><span class=\"opt-dot\"><\/span>Data protection and security work together on key issues; ROPA is maintained.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q19\" value=\"3\"><span class=\"opt-dot\"><\/span>Privacy by design is embedded; DPO and CISO collaborate; security controls are mapped to GDPR obligations.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"q-card\" data-domain=\"4\">\n      <p class=\"q-text\"><span class=\"q-num\">20.<\/span> Is there a formal process to track, implement, and verify improvements following audits, incidents, or risk assessments?<\/p>\n      <div class=\"options\">\n        <label class=\"option-label\"><input type=\"radio\" name=\"q20\" value=\"0\"><span class=\"opt-dot\"><\/span>Improvements are ad hoc \u2014 findings are rarely acted upon formally.<span class=\"score-hint\">0 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q20\" value=\"1\"><span class=\"opt-dot\"><\/span>Action items are noted but tracking is inconsistent.<span class=\"score-hint\">1 pt<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q20\" value=\"2\"><span class=\"opt-dot\"><\/span>A register of corrective actions is maintained and reviewed periodically.<span class=\"score-hint\">2 pts<\/span><\/label>\n        <label class=\"option-label\"><input type=\"radio\" name=\"q20\" value=\"3\"><span class=\"opt-dot\"><\/span>Formal corrective action process with owners, deadlines, verification, and management reporting \u2014 closing the 
PDCA loop.<span class=\"score-hint\">3 pts<\/span><\/label>\n      <\/div>\n    <\/div>\n\n    <div class=\"submit-area\">\n      <p class=\"progress-label\">Questions answered: <span id=\"answered-count\">0<\/span> \/ 20<\/p>\n      <div class=\"progress-bar\"><div class=\"progress-fill\" id=\"progress-fill\"><\/div><\/div>\n      <button class=\"btn-submit\" onclick=\"submitQuiz()\">Calculate My Maturity Score \u2192<\/button>\n    <\/div>\n\n  <\/div><!-- \/quiz -->\n\n  <!-- \u2550\u2550 RESULTS \u2550\u2550 -->\n  <div id=\"results\">\n\n    <div class=\"result-header\">\n      <p class=\"result-level-tag\" id=\"res-tag\"><\/p>\n      <div class=\"result-score-big\" id=\"res-score\"><\/div>\n      <p style=\"font-family:'Roboto',sans-serif;font-size:1em;color:white;margin-bottom:0.5rem;\">out of 60 points<\/p>\n      <h2 class=\"result-label\" id=\"res-label\"><\/h2>\n      <p class=\"result-desc\" id=\"res-desc\"><\/p>\n      <div class=\"score-meter\">\n        <div class=\"meter-track\"><div class=\"meter-fill\" id=\"res-meter\"><\/div><\/div>\n        <div class=\"meter-labels\"><span>Initial<\/span><span>Developing<\/span><span>Established<\/span><span>Optimised<\/span><\/div>\n      <\/div>\n    <\/div>\n\n    <div class=\"breakdown-grid\" id=\"domain-breakdown\"><\/div>\n\n    <h3 class=\"findings-title\">Key Observations &amp; Priority Areas<\/h3>\n    <div id=\"findings-list\"><\/div>\n\n    <div class=\"cta-box\">\n      <h3>Ready to close the gaps?<\/h3>\n      <p>This assessment gives you a directional picture. A full diagnostic \u2014 including a clause-by-clause ZInfV-1 gap analysis, ISO 27001 control mapping, and a prioritised remediation roadmap \u2014 requires an expert pair of eyes. Let&#8217;s talk.<\/p>\n      <a href=\"mailto:info@nimbis.si?subject=NIS2%20%2F%20ZInfV-1%20Compliance%20Enquiry\" class=\"btn-cta\">Book a Free 30-Minute Consultation<\/a>\n      <p class=\"cta-legal\">No obligation. Strictly confidential. 
Slovenian and EU clients welcome.<\/p>\n    <\/div>\n\n    <div style=\"margin-top:1.8rem;text-align:center;\">\n      <button class=\"btn-submit\" onclick=\"resetQuiz()\" style=\"background:var(--muted);\">\u2190 Retake Assessment<\/button>\n    <\/div>\n\n  <\/div><!-- \/results -->\n\n<\/div><!-- \/wrapper -->\n\n<script>\n  const DOMAINS = [\n    'Governance & Risk Management',\n    'Asset Mgmt & Access Control',\n    'Cyber Threat & Vuln. Mgmt',\n    'Incident Response & BCP',\n    'Compliance & Improvement'\n  ];\n\n  const LEVELS = [\n    { min: 0,  max: 14, tag: 'LEVEL 1 \u2014 INITIAL',    label: 'Initial \/ Ad Hoc',     color: 'red',   desc: 'Your organisation\\'s information security is largely reactive and undocumented. Significant gaps exist across governance, technical controls, and compliance. Under ZInfV-1 and NIS2, essential and important entities at this level face material regulatory and operational risk. Structured intervention is needed urgently.' },\n    { min: 15, max: 29, tag: 'LEVEL 2 \u2014 DEVELOPING',  label: 'Developing',           color: 'amber', desc: 'Some security foundations are in place, but coverage is uneven and processes are inconsistent. You likely meet some NIS2\/ZInfV-1 requirements informally, but could not demonstrate compliance to a regulator. Prioritised, structured improvement will close the most critical gaps efficiently.' },\n    { min: 30, max: 44, tag: 'LEVEL 3 \u2014 ESTABLISHED', label: 'Established',          color: 'gold',  desc: 'Your organisation has documented, functioning security controls across most domains. You are in a reasonable position relative to ZInfV-1 obligations, though gaps likely remain in monitoring, supply chain, or incident response testing. A formal ISMS implementation will consolidate and evidence your compliance posture.' 
},\n    { min: 45, max: 60, tag: 'LEVEL 4 \u2014 OPTIMISED',   label: 'Optimised \/ Leading',  color: 'green', desc: 'Your security programme is mature, evidence-based, and well-integrated into operations. You are well-positioned for ZInfV-1 \/ NIS2 compliance. Focus should be on continuous improvement, supply chain assurance, and keeping pace with the evolving threat landscape. Consider third-party assessment or ISO 27001 certification to validate your posture externally.' }\n  ];\n\n  const DOMAIN_FINDINGS = [\n    { \/\/ Governance\n      low:  { title: 'Governance: No Clear Ownership', text: 'Without assigned security responsibility and management commitment, no other control can be sustained. Establishing a security mandate is the critical first step.' },\n      mid:  { title: 'Governance: Policy & Risk Gaps', text: 'Formalise your risk assessment process and ensure the information security policy reflects current threats and regulatory obligations under ZInfV-1.' },\n      high: { title: 'Governance: Strong Foundation', text: 'Governance is solid. Ensure management reviews formally close the ISO 27001 loop and that risk appetite is explicitly documented and board-approved.' }\n    },\n    { \/\/ Asset & Access\n      low:  { title: 'Access Control: High Exposure Risk', text: 'Unknown assets and unmanaged access rights are among the most common breach vectors. Implement an asset register and enforce MFA immediately.' },\n      mid:  { title: 'Access Control: Inconsistent Controls', text: 'Tighten your joiner\/mover\/leaver process and extend MFA across all critical and remote access points. Supply chain access requires formal review.' },\n      high: { title: 'Access Control: Well Managed', text: 'Access hygiene is good. Consider maturing toward continuous access certification and zero-trust architecture for privileged access.' 
}\n    },\n    { \/\/ Threats\n      low:  { title: 'Threat Detection: Blind Spots', text: 'Without monitoring or regular patching, your organisation will not detect an intrusion until significant damage has occurred. A vulnerability management programme is critical.' },\n      mid:  { title: 'Threat Detection: Gaps in Coverage', text: 'Security awareness and log monitoring need to be formalised. Simulated phishing tests and a SIEM or managed SOC service would substantially reduce your exposure.' },\n      high: { title: 'Threat Detection: Good Visibility', text: 'Detection capabilities are mature. Review threat intelligence sources and consider purple-teaming or penetration testing to validate your controls under realistic conditions.' }\n    },\n    { \/\/ Incident\n      low:  { title: 'Incident Response: Unready', text: 'Without a tested IRP, your organisation cannot meet the 72-hour notification window required by ZInfV-1 and NIS2; NIS2 additionally expects an early warning within 24 hours of becoming aware of a significant incident. Backups and a basic response plan should be prioritised immediately.' },\n      mid:  { title: 'Incident Response: Partially Prepared', text: 'Plans exist but are untested. Schedule a tabletop exercise to validate your notification process and ensure recovery time objectives are achievable.' },\n      high: { title: 'Incident Response: Well Prepared', text: 'Response capabilities are strong. Consider integrating cyber scenarios into BCP exercises and reviewing your supply chain incident notification obligations.' }\n    },\n    { \/\/ Compliance\n      low:  { title: 'Compliance: Significant Regulatory Exposure', text: 'ZInfV-1 carries fines of up to \u20ac10M or 2% of annual turnover for essential entities. Determining your classification and mapping obligations to controls should begin immediately.' },\n      mid:  { title: 'Compliance: Partially Mapped', text: 'Formalise your internal audit programme and ensure GDPR\/ZVOP-3 obligations are integrated with security controls \u2014 regulators increasingly assess these together.'
},\n      high: { title: 'Compliance: Strong Assurance Culture', text: 'Compliance is embedded. Consider pursuing ISO 27001 certification to provide external, auditable evidence of your ISMS maturity to regulators and clients alike.' }\n    }\n  ];\n\n  \/\/ Track selections\n  function updateProgress() {\n    let answered = 0;\n    for (let i = 1; i <= 20; i++) {\n      if (document.querySelector(`input[name=\"q${i}\"]:checked`)) answered++;\n    }\n    document.getElementById('answered-count').textContent = answered;\n    document.getElementById('progress-fill').style.width = (answered \/ 20 * 100) + '%';\n  }\n\n  document.querySelectorAll('.option-label input').forEach(input => {\n    input.addEventListener('change', function() {\n      \/\/ Deselect siblings\n      document.querySelectorAll(`input[name=\"${this.name}\"]`).forEach(r => {\n        r.closest('.option-label').classList.remove('selected');\n      });\n      this.closest('.option-label').classList.add('selected');\n      updateProgress();\n    });\n  });\n\n  function submitQuiz() {\n    \/\/ Check all answered\n    let missing = [];\n    for (let i = 1; i <= 20; i++) {\n      if (!document.querySelector(`input[name=\"q${i}\"]:checked`)) missing.push(i);\n    }\n    if (missing.length > 0) {\n      alert(`Please answer all questions before submitting. 
Missing: Q${missing.join(', Q')}`);\n      return;\n    }\n\n    \/\/ Calculate scores\n    let total = 0;\n    let domainScores = [0, 0, 0, 0, 0];\n    for (let i = 1; i <= 20; i++) {\n      const val = parseInt(document.querySelector(`input[name=\"q${i}\"]:checked`).value);\n      total += val;\n      const domain = parseInt(document.querySelector(`input[name=\"q${i}\"]`).closest('.q-card').dataset.domain);\n      domainScores[domain] += val;\n    }\n\n    \/\/ Show results\n    document.getElementById('quiz').style.display = 'none';\n    document.getElementById('results').style.display = 'block';\n\n    const level = LEVELS.find(l => total >= l.min && total <= l.max);\n    document.getElementById('res-tag').textContent = level.tag;\n    document.getElementById('res-tag').className = 'result-level-tag text-' + level.color;\n    document.getElementById('res-score').textContent = total;\n    document.getElementById('res-score').className = 'result-score-big text-' + level.color;\n    document.getElementById('res-label').textContent = level.label;\n    document.getElementById('res-desc').textContent = level.desc;\n\n    const meter = document.getElementById('res-meter');\n    meter.className = 'meter-fill bg-' + level.color;\n    if (total == 0) total = 6\n    setTimeout(() => { meter.style.width = (total \/ 60 * 100) + '%'; }, 100);\n\n    \/\/ Domain breakdown\n    const breakdownEl = document.getElementById('domain-breakdown');\n    breakdownEl.innerHTML = '';\n    domainScores.forEach((score, i) => {\n      const pct = Math.round(score \/ 12 * 100);\n      let bColor = pct >= 67 ? 'var(--green)' : pct >= 34 ? 'var(--amber)' : 'var(--red)';\n      breakdownEl.innerHTML += `\n        <div class=\"domain-card\">\n          <p class=\"domain-name\">${DOMAINS[i]}<\/p>\n          <div class=\"domain-bar-wrap\"><div class=\"domain-bar\" style=\"width:${pct == 0 ? 
10 : pct}%;background:${bColor}\"><\/div><\/div>\n          <p class=\"domain-pct\">${score} \/ 12 pts &nbsp;\u00b7&nbsp; ${pct}%<\/p>\n        <\/div>`;\n    });\n\n    \/\/ Findings\n    const findingsEl = document.getElementById('findings-list');\n    findingsEl.innerHTML = '';\n    domainScores.forEach((score, i) => {\n      const pct = score \/ 12;\n      const finding = pct < 0.34 ? DOMAIN_FINDINGS[i].low : pct < 0.67 ? DOMAIN_FINDINGS[i].mid : DOMAIN_FINDINGS[i].high;\n      const cls = pct < 0.34 ? 'border-red' : pct < 0.67 ? 'border-amber' : 'border-green';\n      findingsEl.innerHTML += `\n        <div class=\"finding-card ${cls}\">\n          <strong>${finding.title}<\/strong>\n          ${finding.text}\n        <\/div>`;\n    });\n\n    window.scrollTo({ top: 0, behavior: 'smooth' });\n  }\n\n  function resetQuiz() {\n    document.querySelectorAll('input[type=\"radio\"]').forEach(r => { r.checked = false; });\n    document.querySelectorAll('.option-label').forEach(l => { l.classList.remove('selected'); });\n    document.getElementById('answered-count').textContent = '0';\n    document.getElementById('progress-fill').style.width = '0%';\n    document.getElementById('quiz').style.display = 'block';\n    document.getElementById('results').style.display = 'none';\n    window.scrollTo({ top: 0, behavior: 'smooth' });\n  }\n<\/script>\n","protected":false},"excerpt":{"rendered":"<p>Complimentary Self-Assessment Information Security Maturity Assessment A structured diagnostic for organisations operating under Slovenian and EU cybersecurity obligations NIS2 Directive ZInfV-1 ISO\/IEC 27001:2022 DORA-aware How this works: Answer 20 questions across 5 domains. Each question has four options worth 0\u20133 points. Your total (max 60) maps to one of four maturity levels. 
Be honest \u2014 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-1263","page","type-page","status-publish","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/pages\/1263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/comments?post=1263"}],"version-history":[{"count":1,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/pages\/1263\/revisions"}],"predecessor-version":[{"id":1264,"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/pages\/1263\/revisions\/1264"}],"wp:attachment":[{"href":"https:\/\/nimbis.si\/en\/wp-json\/wp\/v2\/media?parent=1263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}