Let’s continue with the discussion we started in last week’s blog about creating a score key for your experts.
Once your score key is ready, prepare one questionnaire for each expert. Start by turning each control into a question. Start the question with “How well…?”
Let me show you how this works. Here’s an original control from the NIST cybersecurity framework:
“The development and testing environments are separate from the production environment”
Now, here’s the control written as a question that begins with “How well…?”:
“How well are the development and testing environments separated from the production environment?”
Here’s what a questionnaire for an expert would look like:
In this example, I’ve listed one control from each of the five main functions of the NIST cybersecurity framework. Notice that I’ve color-coded the functions without using red, yellow, or green, since those colors have implied meaning and would likely cause confusion unless they were associated with a score.
Next week, I’ll describe how to get ready to collect scores from your experts.