Information Security Management Questionnaire (Certification as ...

2 Jul. 2017 ... Table 8: verification activities carried out under ISO 14065 accreditation ....
development, evaluation and maintenance of examinations and of the ..... information
security management systems (Auditor - ISO 27001).


The purpose of this questionnaire is to collate information within the
scope of the project meeting in order to prepare a quotation and assist the
certification body in contract review. It forms part of the audit
documentation. The statements will be verified during audit stage 1.
Company details
Corporate entity (headquarters):
Address:
Contact:
Phone:
Extension:
Fax:
e-Mail:
Legal status:
Group or Corporate affiliation:
Branch offices/representations/subsidiaries (if applicable, with address):
> Site 1: Address:
> Site 2: Address:
> Site 3: Address:

Details of the organization
1 To what business category does the company belong?
(Please tick where appropriate, explain if necessary)
The company (the sector to be certified) belongs to:
o (10) Financial services (banks, insurance companies, etc.)
o (20) IT development/services, telecoms (software/system houses, hardware production, IT consulting, network providers, etc.)
o (30) Healthcare and education (hospitals, schools, etc.)
o (40) Public/governmental institutions (public authority, civil service, military agency, etc.)
o (50) Automotive/aerospace (automotive manufacturers/suppliers, aircraft/aerospace industry, etc.)
o (60) Miscellaneous industry

2 What significant products are manufactured and/or what services are provided?
(If applicable, explain the relevance of special risks concerning information security)
3 Details on the number of employees
. Total number of employees and contractor staff (whole group or corporation, including HQ and all sites):
. Effective number of employees falling within the scope of the ISMS:

4 Description of the intended scope
Formulation and, if necessary, explanation of the scope:
5 Management systems
The organization/site/unit has already established other management systems:
o Quality management system as per ISO 9001:2008:
  o When certified?
  o By whom?
  o Scope of application?
o IT service management system as per ISO 20000-1:
  o When certified?
  o By whom?
  o Scope of application?
Type and documentation of the ISM system
The ISM system (incl. documentation) is
o an independent management system (MS) without interfaces to other management systems
o an independent MS including interfaces with other management systems
o completely integrated into existing MS
* Date of introduction of the ISMS (version):

ISMS responsibility
Responsibility for the ISMS
o has been fully and separately regulated on all levels (e.g. independent ISMS representative)
o to some extent includes supervisory, cross-site functions (e.g. at operating level)
o is administered at all levels by the persons responsible for the other MS

Access to organizational records
The auditor has the following right to access documents:
( all documents can be made available for an off-site review
( most of the documents can be made available for the off-site review, some can be shown only on-site
( some of the documents cannot be made available because of confidential or sensitive information
- please briefly explain the reason:

Certification of multi-sites
The organisation maintains several sites with:
( a central function being responsible for information security (IS)
( extensive direct responsibility for information security (IS)
( highly networked information security processes between the sites
The certification is intended to
o cover the entire organization
o apply to individual sites only
o apply to individual areas (organizational units) only
If appropriate, name the sites/areas:

Evaluation of the security relevance within the scope

| Security relevance factor | Level | | | explanation |
| # users of the services of the company | >= 1 Mio ( ) | >= 200.000 ( ) | < 200.000 ( ) | |
| # servers | >= 200 ( ) | >= 20 ( ) | < 20 ( ) | |
| # workstations + PCs and laptops | >= 300 ( ) | >= 50 ( ) | < 50 ( ) | |
| # application development and maintenance staff | >= 100 ( ) | >= 20 ( ) | < 20 ( ) | |
| degree of sensitivity of information | High risks for business and/or clients ( ) | Significant losses but without risk of business discontinuity ( ) | No significant impacts on the organisation and/or the clients ( ) | |
| risk of products/processes | Complex products / processes with high security needs ( ) | Complex products / processes with normal security needs ( ) | Simple products / processes with normal security needs ( ) | |
| Significance in legal compliance | Non-compliance leads to possible prosecution ( ) | Non-compliance leads to significant financial penalty or goodwill damage ( ) | Non-compliance leads to insignificant financial penalty or goodwill damage ( ) | |
| Rate of changes to the MS in the last period | Many changes ( ) | A couple of changes ( ) | Only a few changes ( ) | |
| percentage of employees performing simple tasks | < 10 ( ) | >= 10 ( ) | >= 50 ( ) | |
| complexity of logistics (involving more than one building or location in the scope of the ISMS) | Only one subsidiary per location ( ) | Some subsidiaries in one location ( ) | Most of the subsidiaries within one location ( ) | |
| audits performed with interpreter / translator | At least 1 ( ) | | none ( ) | |
| Extent of outsourced processes and third party arrangements | More than 50 % ( ) | Between 10 and 50 % ( ) | Less than 10 % ( ) | |
Details of quotation
Type of quotation (please tick if applicable):
o Pre-audit / gap analysis (if applicable)
o Initial certification
o Transfer audit; the certificate should be transferred:
  o Former certification body:
  o Date of certificate issue/validity:
o Combined certification with (ISO standard):
o Others:
o Individual procedure for the site (please name):
o Procedure for several sites (please name):
  o by means of sampling (matrix certification)
  o by means of auditing of all sites (multi-site certification)
Deadlines
Quotation to be submitted by:
The following dates have been scheduled:
. (if applicable) Preliminary audit (Stage 1 / gap analysis):
. Certification audit (Stage 2 audit):

Place/Date        Signature of client
Place/Date        Signature (alternatively) of sales / consultant / lead auditor

Appendix
1 Miscellaneous information for multiple locations
Only to be completed for multi-site or matrix certification. Please give the information for each site separately. Use one sheet per site. Please copy this page as often as you need.
Name of site:
. Total number of employees (this site):
. Effective number of employees within the scope of the ISMS:
This site is inv