Let’s continue with the discussion we started in last week’s blog about creating a score key for your experts.

Once your score key is ready, prepare one questionnaire for each expert. Start by turning each control into a question. Start the question with “How well…?”

Let me show you how this works. Here’s an original control from the NIST cybersecurity framework:

“The development and testing environments are separate from the production environment”

Now, here’s the control rewritten as a question that begins with “How well…?”

“How well are the development and testing environments separated from the production environment?”

Here’s what a questionnaire for an expert would look like:

In this example, I’ve listed one control from each of the five main functions of the NIST cybersecurity framework. Notice that I’ve color-coded the functions without using red, yellow, or green, since those colors carry implied meaning and would likely cause confusion unless they were associated with a score.

Next week, I’ll describe how to get ready to collect scores from your experts.


Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.

Get in touch today to learn more and take advantage of a free 30-minute Q&A session with one of our cyber risk experts. Call 253-332-7867, or email us at info@cyberriskopportunities.com.
