This assessment is based on the NIST Cybersecurity Framework (CSF), adapted to produce an overall maturity rating for an organization.

The NIST CSF is separated into 5 functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Each Function is broken down into categories:

Identify

  • Asset Management (ID.AM)
  • Business Environment (ID.BE)
  • Governance (ID.GV)
  • Risk Assessment (ID.RA)
  • Risk Management Strategy (ID.RM)

Protect

  • Access Control (PR.AC)
  • Awareness and Training (PR.AT)
  • Data Security (PR.DS)
  • Information Protection Processes and Procedures (PR.IP)
  • Maintenance (PR.MA)
  • Protective Technology (PR.PT)

Detect

  • Anomalies and Events (DE.AE)
  • Security Continuous Monitoring (DE.CM)
  • Detection Processes (DE.DP)

Respond

  • Response Planning (RS.RP)
  • Communications (RS.CO)
  • Analysis (RS.AN)
  • Mitigation (RS.MI)
  • Improvements (RS.IM)

Recover

  • Recovery Planning (RC.RP)
  • Improvements (RC.IM)
  • Communications (RC.CO)

Instructions for use:

To use the assessment, answer each question by selecting the level of compliance that best matches your organization's current posture.

Each item consists of a main question and, often, several explanatory sub-questions. The sub-questions are there to guide your thinking when deciding on your response.

Interpreting the answers:

Each answer option corresponds to a level of compliance with the controls the question embodies, ranging from “Don't Comply” to “Completely Comply”.

Once a question has been answered with the level of compliance your organization currently achieves, the assessment provides a rating together with recommendations for raising that compliance to the next level.