Cyber Trust Self Assessment V202208

Self-assessment template — How ready are you for Cyber Trust mark?

A. Overview

This self-assessment template is intended for organisations seeking CSA Cyber Trust cybersecurity certification. Organisations shall refer to the “CSA Cybersecurity Certification – Cyber Trust mark” document for full details on certification.

B. Scoping of Certification and Statement of Scope

The organisation shall determine the scope it intends to submit for certification and develop an appropriate statement of scope to describe the scope of certification.

C. Documents to Prepare for Certification

The typical documents that organisations need to prepare and submit for certification include:
– Scoping statement;
– Organisation chart depicting the business unit(s) within the scope of certification;
– Description of the organisation’s business for context, e.g. products/services offered, profile of customers it supports, industry/sector the organisation belongs to and/or supplies to;
– System and network diagram;
– Inventory listing of devices and/or systems;
– Inventory listing of software and/or services;
– Locations from where the organisation operates or carries out the services that are to be covered as part of the certification; and
– A completed version of this self-assessment template.

For the avoidance of doubt, only the components that fall within the determined scope of certification would be needed.

D. Appointed Certification Bodies

Organisations shall approach any of the certification bodies appointed by CSA to apply for certification.

Organisations shall take note that different certification bodies may charge different certification fees and maintain their respective terms and conditions of service.
Cyber Trust mark — Self-assessment questionnaire

E. Self-Assessment

Step 1 – Inherent Risk-Assessment (“CS Risk Assessment” tab)


Inherent risk refers to the amount of risk faced by the organisation in the absence of taking any cybersecurity measures.

The Cyber Trust risk assessment template is pre-populated with risk scenarios that depict top/common cybersecurity incidents in organisations.

For each risk scenario, assess your organisation’s inherent risk by evaluating the likelihood and impact of these scenarios occurring in your environment.

Example:
Inherent Risk Assessment
Risk Ref. | Risk Type | Risk Scenario | Likelihood | Impact | Inherent Risk Value and Category
1 | Infrastructure | Attacker exploits a vulnerability in an obsolete operating system used by the enterprise to host key application and gain unauthorised access into the application. | Likely (4) | Major (5) | Critical (20)
2 | Infrastructure | Flooding of network with traffic causing disruption or inaccessibility of computer systems and network resources of the enterprise. | Likely (4) | Serious (4) | High (16)

Enter a value each for:
– Likelihood (See “Annex” tab for description of likelihood values)
– Impact (See “Annex” tab for description of impact values)

The inherent risk category and value will be automatically computed and the heat map reflecting the organisation’s inherent risk is automatically generated in "Results" tab.
The relevant cybersecurity preparedness domains applicable to each risk scenario are listed.

[Inherent Risk Heat Map: Likelihood (rare, unlikely, possible, likely, highly likely) against Impact (minor, moderate, significant, serious, major). Totals by inherent risk category: critical 6, high 8, medium high 10, medium 1, low 0 (25 risks in total). Risks by type (inherent): 1. Data Breach 5; 2. Human Factor 5; 3. Infrastructure 5; 4. Physical Security 4; 5. Regulatory and Compliance 3; 6. Supply Chain 3.]

Date: 04/24/2024 CONFIDENTIAL

Step 2 – Cybersecurity Preparedness Assessment (“CS Preparedness Questionnaire” tab)


Assess your organisation’s cybersecurity preparedness implementation.
The statements in each cybersecurity preparedness domain are organised in escalating order: they start with descriptions of more basic or rudimentary implementation and increase in level of involvement or intensity.
For each cybersecurity preparedness statement, start from the top, and indicate
– “Yes”: If the measure described in the statement is implemented in your organisation
– “No”: If the measure described in the statement is not implemented in your organisation
– “Not applicable”: If the measure described in the statement is not applicable

For statements that are “Not applicable”, fill in remarks to explain why this is not applicable.

If you have indicated “Yes”, proceed to the next cybersecurity preparedness statement or tier.

If you have indicated “No”, this indicates the cybersecurity preparedness tier your organisation has reached for this domain.

You need not proceed with the subsequent statements for this domain, as the statements are arranged so that they increase in level of involvement or intensity. Proceed to the next domain and start from the top.


Example:
Clause | Preparedness Tier | Clause Description | Question | Organisation Response | Provide justification if "Not applicable"
B.1 Domain: Governance
B.1.3 | Promoter | The organisation has established and implemented practices to develop the importance of cybersecurity within its business context and communicate this to all relevant stakeholders such as employees, customers and partners. | Understanding cybersecurity importance: Has the organisation established and implemented practices to develop the importance of cybersecurity within its business context and communicated to all relevant stakeholders such as employees, customers and partners? | Yes |
B.1.4 | Performer | The organisation has defined and allocated the roles and responsibilities to ensure it is clear on who will oversee cybersecurity program implementation and manage cybersecurity risks within the organisation. | Define roles and responsibilities: Has the organisation defined and allocated the roles and responsibilities to ensure it is clear on who will oversee cybersecurity program implementation and manage cybersecurity risks within the organisation? | Yes |

Note that the requirements and recommendations in Cyber Essentials mark are mapped to the “Supporter” and “Practitioner” tiers respectively in Cyber Trust mark. In order to qualify for Cyber Trust mark, your organisation needs to assess your implementation of Cyber Essentials.

Example:
Under Domain B.7 “Training and awareness”, clause B.7.1 is mapped to “A.1. Assets” in Cyber Essentials mark. Indicate
– “Yes”: If all the clauses in “A.1. Assets” in Cyber Essentials mark are implemented in your organisation
– “No”: If not all the clauses in “A.1. Assets” in Cyber Essentials mark are implemented in your organisation
– “Not applicable”: If not all the clauses in “A.1. Assets” in Cyber Essentials mark are applicable

B.7.1 in “CS Preparedness Questionnaire” tab


Clause | Preparedness Tier | Clause Description | Question | Organisation Response | Provide justification if "Not applicable"
B.7.1 | Supporter | The organisation has implemented all the cybersecurity requirements in the Cyber Essentials mark under A.1 Assets: People to ensure that employees are equipped with the security knowledge and awareness to identify, mitigate against cyber threats. | Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity requirements in the Cyber Essentials mark under A.1 Assets: People to ensure that employees are equipped with the security knowledge and awareness to identify, mitigate against cyber threats? | |


is mapped to A.1.Assets in “Cyber Essentials Questionnaire” tab

Cyber Essential Clause | Clause Description | Cyber Trust Clause | Cyber Trust Preparedness Tier | Implementation status | Remarks
A.1 Assets: People — Equip employees with know-how to be the first line of defence
A.1.4 (a) | The organisation shall put in place cybersecurity awareness training for all employees to ensure employees are aware of the security practices and behaviour expected of them. Organisations may meet this requirement in different ways, e.g. provide self-learning materials for employees, engaging external training providers. | B.7.1 | Supporter | |
A.1.4 (b) | Cyber hygiene practices and guidelines shall be developed for employees to adopt in their day-to-day operations. | B.7.1 | Supporter | |

Step 3 – Residual Risk-Assessment (“CS Risk Assessment” tab)


Residual risk refers to the amount of remaining risk faced by the organisation after implementing cybersecurity measures to mitigate the risks.
Similar to assessing inherent risk, for each risk scenario, assess your organisation’s residual risk by evaluating the likelihood and impact of these scenarios occurring in your environment after implementing the cybersecurity measures reflected by the cybersecurity preparedness statements to mitigate the risks.

Example:
Cybersecurity Preparedness Assessment / Residual Risk Assessment
Applicable Cybersecurity Preparedness Domains | Risk Control Measures set by the organisation | Likelihood | Impact | Residual Risk Value and Category
B.3 Risk Management; B.8 Asset Management; B.12 System Security; B.6 Audit; B.13 Anti-virus/Anti-Malware; B.18 Vulnerability Assessment | | Possible (3) | Significant (3) | Medium (9)
B.3 Risk Management; B.12 System Security; B.20 Network Security | | Unlikely (2) | Significant (3) | Medium (6)


Enter a value each for:
– Likelihood (See “Annex” tab for description of likelihood values)
– Impact (See “Annex” tab for description of impact values)

The residual risk category and value will be automatically computed and the heat map reflecting the organisation’s residual risk is automatically generated in "Results" tab.
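To make the computation concrete, here is an added Python example (not part of the CSA template or its spreadsheet formulas) that scores inherent and residual risk as likelihood × impact, assigns a heat-map category, tallies categories per risk type, and flags risks whose residual score did not drop. Risks 1 and 2 use the values from the worked examples above; risk 3 and the category band boundaries are assumptions, since the Annex tab with the real boundaries is not reproduced on this page.

```python
"""Inherent and residual risk scoring for the Cyber Trust risk-assessment tab.

Added example, not the CSA template's own spreadsheet formulas. Risk value is
likelihood x impact, as the worked cells on this page show: Likely (4) x Major (5)
= Critical (20), Likely (4) x Serious (4) = High (16), Possible (3) x Significant (3)
= Medium (9), Unlikely (2) x Significant (3) = Medium (6). The category bands below
are an ASSUMPTION that reproduces those four cells; the template's Annex tab is
authoritative for the real boundaries.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Scale labels and values as used in the template's cells ("Likely (4)", "Major (5)").
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Highly likely": 5}
IMPACT = {"Minor": 1, "Moderate": 2, "Significant": 3, "Serious": 4, "Major": 5}

# ASSUMED lower bounds for the five bands of the heat map on this page (value >= bound).
BANDS = [(20, "Critical"), (15, "High"), (10, "Medium High"), (5, "Medium"), (1, "Low")]


def risk_value(likelihood: str, impact: str) -> int:
    """Product of the two scale values (1..25); KeyError for a label not in the Annex scales."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_category(value: int) -> str:
    for lower, name in BANDS:
        if value >= lower:
            return name
    raise ValueError(f"risk value out of range: {value}")


def cell(likelihood: str, impact: str) -> str:
    """Render one assessment the way the template's cells read."""
    value = risk_value(likelihood, impact)
    return (f"{likelihood} ({LIKELIHOOD[likelihood]}) x {impact} ({IMPACT[impact]})"
            f" = {risk_category(value)} ({value})")


@dataclass
class Risk:
    ref: int
    risk_type: str
    domains: list                      # applicable preparedness domains, e.g. "B.3"
    inherent: tuple                    # (likelihood, impact) with no measures in place
    residual: Optional[tuple] = None   # (likelihood, impact) after the measures, if assessed
    decision: str = ""                 # risk treatment decision, e.g. "Accept"


def assess(risk: Risk) -> dict:
    """Inherent and (if present) residual value/category plus whether the score dropped."""
    inherent = risk_value(*risk.inherent)
    result = {"ref": risk.ref, "inherent_value": inherent,
              "inherent_category": risk_category(inherent)}
    if risk.residual:
        residual = risk_value(*risk.residual)
        result.update(residual_value=residual, residual_category=risk_category(residual),
                      reduced=residual < inherent)
    return result


def heat_map(risks, which: str = "inherent") -> dict:
    """Category counts per risk type, like the 'risk types' table beside the heat map."""
    table = defaultdict(Counter)
    for risk in risks:
        pair = getattr(risk, which)
        if pair:
            table[risk.risk_type][risk_category(risk_value(*pair))] += 1
    return {risk_type: dict(counts) for risk_type, counts in table.items()}


def needs_attention(risks) -> list:
    """Refs whose residual score is not below the inherent one and that carry no recorded
    treatment decision: either the listed domains buy no reduction or 'Accept' was never
    written into the treatment plan."""
    return [r.ref for r in risks
            if r.residual and risk_value(*r.residual) >= risk_value(*r.inherent)
            and not r.decision]


# Risks 1 and 2 carry the values of the page's worked examples; risk 3 is constructed
# to show a scenario whose residual assessment did not move.
REGISTER = [
    Risk(1, "Infrastructure", ["B.3", "B.6", "B.8", "B.12", "B.13", "B.18"],
         ("Likely", "Major"), ("Possible", "Significant")),
    Risk(2, "Infrastructure", ["B.3", "B.12", "B.20"],
         ("Likely", "Serious"), ("Unlikely", "Significant")),
    Risk(3, "Supply Chain", ["B.3", "B.17"],
         ("Possible", "Moderate"), ("Possible", "Moderate")),
]

if __name__ == "__main__":
    for risk in REGISTER:
        print(risk.ref, cell(*risk.inherent), "->", cell(*risk.residual))
    print("residual heat map:", heat_map(REGISTER, "residual"))
    print("needs attention:", needs_attention(REGISTER))
```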

[Residual Risk Heat Map: Likelihood (rare, unlikely, possible, likely, highly likely) against Impact (minor, moderate, significant, serious, major). Totals by residual risk category: critical 0, high 0, medium high 6, medium 19, low 0 (25 risks in total). Risks by type (residual): 1. Data Breach 5; 2. Human Factor 5; 3. Infrastructure 5; 4. Physical Security 4; 5. Regulatory and Compliance 3; 6. Supply Chain 3.]

Step 4 – Risk Treatment Plan (“CS Risk Assessment” tab)


From the residual risk identified:
– Make a risk decision (See “Annex” tab for description of risk decisions).
– Propose a risk treatment plan. Indicate the risk owner, target completion date, and track the completion status.

Example:
Risk Treatment Plan
Risk Treatment Decision | Suggested Treatment Activity | Owner | Target Completion Date | Current Implementation Status | Remarks
Accept | | | | |
Accept | | | | |


Step 5 – Indicative Cyber Trust Certification Tier (“Results” tab)


Upon completion of the above, the template will compute the results of your risk assessment, and the indicative Cyber Trust certification tier for your organisation.

Example:
Cumulative results from your organisation's cybersecurity preparedness responses
Tier | total | implemented | not implemented | not applicable | implemented (%) | not implemented (%) | not applicable (%) | status | remarks
1. Supporter | 13 | 13 | 0 | 0 | 100.00% | 0.00% | 0.00% | Pass |
2. Practitioner | 38 | 38 | 0 | 0 | 100.00% | 0.00% | 0.00% | Pass |
3. Promoter | 72 | 72 | 0 | 0 | 100.00% | 0.00% | 0.00% | Pass | This is your highest eligible tier!
4. Performer | 125 | 124 | 1 | 0 | 99.20% | 0.80% | 0.00% | Fail |
5. Advocate | 190 | 183 | 7 | 0 | 96.32% | 3.68% | 0.00% | Fail |

Congratulations! Your organisation is ready for Cyber Trust (Promoter) tier certification.
Do proceed to prepare the relevant supporting documents and approach your certification body to apply for certification.
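The roll-up behind a results table like the one above, as an added Python example rather than the template's own spreadsheet formulas: it builds the cumulative per-tier counts, applies a Pass/Fail rule, picks the highest eligible tier, and adds two consistency checks drawn from Step 2 (a "Not applicable" answer without its justification, and statements answered after the first "No" in a domain). The pass rule, the cumulative totals and the sample responses are assumptions, labelled as such in the code.

```python
"""Indicative Cyber Trust tier from the questionnaire responses (Results tab logic).

Added example, not the template's own spreadsheet formulas. It reproduces the shape
of the results table on this page (cumulative totals per tier, implemented / not
implemented / not applicable counts and percentages, Pass or Fail, highest eligible
tier) and adds two consistency checks taken from the Step 2 instructions.
ASSUMPTIONS: a tier passes when none of its statements is answered "No"; totals are
cumulative, i.e. a tier includes every lower tier's statements (as the 13/38/72/125/190
totals on this page suggest); the highest eligible tier is the highest tier that passes
together with every tier below it. The responses below are constructed sample data.
"""

TIERS = ["Supporter", "Practitioner", "Promoter", "Performer", "Advocate"]

# Constructed responses for the clauses listed on this page:
# (clause, preparedness tier, organisation response, justification if "Not applicable").
RESPONSES = [
    ("B.1.3", "Promoter", "Yes", ""),
    ("B.1.4", "Performer", "Yes", ""),
    ("B.1.5", "Performer", "Yes", ""),
    ("B.1.6", "Performer", "Yes", ""),
    ("B.1.7", "Advocate", "No", ""),
    ("B.1.8", "Advocate", "Yes", ""),              # answered after a "No" in the same domain
    ("B.2.3", "Promoter", "Yes", ""),
    ("B.2.4", "Performer", "Yes", ""),
    ("B.2.5", "Performer", "Yes", ""),
    ("B.2.6", "Performer", "Yes", ""),
    ("B.2.7", "Advocate", "Yes", ""),
    ("B.2.8", "Advocate", "Yes", ""),
    ("B.2.9", "Advocate", "Yes", ""),
    ("B.3.1", "Supporter", "Not applicable", ""),  # "Not applicable" without the required remark
    ("B.3.2", "Supporter", "Yes", ""),
    ("B.3.3", "Practitioner", "Yes", ""),
    ("B.3.4", "Practitioner", "Yes", ""),
    ("B.3.5", "Promoter", "Yes", ""),
    ("B.3.6", "Promoter", "Yes", ""),
]


def domain_of(clause: str) -> str:
    """'B.1.7' -> 'B.1'."""
    return ".".join(clause.split(".")[:2])


def _pct(part: int, total: int) -> float:
    return round(100.0 * part / total, 2) if total else 0.0


def tier_summary(responses) -> dict:
    """One row per tier with cumulative counts, in the layout of the results table."""
    rows = {}
    for i, tier in enumerate(TIERS):
        included = set(TIERS[: i + 1])                  # ASSUMED: lower tiers are included
        subset = [r for r in responses if r[1] in included]
        total = len(subset)
        yes = sum(1 for r in subset if r[2] == "Yes")
        no = sum(1 for r in subset if r[2] == "No")
        na = sum(1 for r in subset if r[2] == "Not applicable")
        rows[tier] = {
            "total": total, "implemented": yes, "not_implemented": no, "not_applicable": na,
            "implemented_pct": _pct(yes, total), "not_implemented_pct": _pct(no, total),
            "not_applicable_pct": _pct(na, total),
            "status": "Pass" if no == 0 else "Fail",     # ASSUMED pass rule
        }
    return rows


def highest_eligible_tier(summary: dict):
    """Highest tier that passes with every lower tier also passing; None if Supporter fails."""
    eligible = None
    for tier in TIERS:
        if summary[tier]["status"] != "Pass":
            break
        eligible = tier
    return eligible


def missing_justifications(responses) -> list:
    """Step 2: a 'Not applicable' answer must carry a remark explaining why."""
    return [clause for clause, _, answer, remark in responses
            if answer == "Not applicable" and not remark.strip()]


def answered_after_no(responses) -> list:
    """Step 2: after the first 'No' in a domain the remaining statements are not to be
    answered; any later answer in that domain is flagged. Assumes the list is in clause order."""
    flagged, stopped = [], set()
    for clause, _, answer, _ in responses:
        domain = domain_of(clause)
        if domain in stopped and answer:
            flagged.append(clause)
        elif answer == "No":
            stopped.add(domain)
    return flagged


if __name__ == "__main__":
    summary = tier_summary(RESPONSES)
    for tier, row in summary.items():
        print(f"{tier:13} {row['total']:3} {row['implemented']:3} {row['not_implemented']:3}"
              f" {row['not_applicable']:3} {row['implemented_pct']:6.2f}% {row['status']}")
    print("highest eligible tier:", highest_eligible_tier(summary))
    print("N/A without justification:", missing_justifications(RESPONSES))
    print("answered after a 'No':", answered_after_no(RESPONSES))
```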

Upon completion of this self-assessment, prepare the relevant supporting documents outlined in “Overview & Instruction” tab and approach your appointed certification body.


Self-assessment template — How ready are you for Cyber Trust mark?

1. Organisation Data

Organisation Name
ACRA Number/Unique Entity Number (UEN)
Annual Turnover
Number of Employees
Date of Self-Assessment
Scope of certification for Cyber Trust mark


2. Cyber preparedness questionnaire for Cyber Trust mark

Column headings of the sheet: Inherent Risk Assessment (Likelihood, Impact, Risk Value and Category); Cybersecurity Preparedness Assessment (Applicable Cybersecurity Preparedness Domains, Risk Control Measures set by the organisation); Residual Risk Assessment (Likelihood, Impact, Risk Value and Category); Risk Treatment Plan (Risk Treatment Decision, Suggested Treatment Activity, Owner, Target Completion Date, Current Implementation Status, Remarks). Only the pre-populated columns are reproduced below; a Likelihood value is pre-filled for risks 3, 4 and 6 only.

Risk Ref. | Risk Type | Risk Scenario | Applicable Cybersecurity Preparedness Domains | Likelihood
1 | Infrastructure | Attacker exploits a vulnerability in an obsolete operating system used by the organisation to host key application and gain unauthorised access into the application. | B.3 Risk management; B.6 Audit; B.8 Asset management; B.12 System security; B.13 Anti-virus/anti-malware; B.18 Vulnerability assessment |
2 | Infrastructure | Flooding of network with traffic causing disruption or inaccessibility of computer systems and network resources of the organisation. | B.3 Risk management; B.12 System security; B.20 Network security |
3 | Regulatory and Compliance | Organisation failing to comply with legal or regulatory requirements for data security. Non-compliance with the requirements results in financial penalties, operational disruption and reputational losses to the organisation. | B.3 Risk management; B.5 Compliance; B.6 Audit; B.9 Data protection and privacy | Likely (4)
4 | Regulatory and Compliance | Organisation failing to comply with cybersecurity legal or regulatory requirements. Non-compliance with the requirements results in financial penalties, operational disruption and reputational losses to the organisation. | B.3 Risk management; B.5 Compliance; B.6 Audit | Possible (3)
5 | Regulatory and Compliance | Staff and vendors do not follow the organisation’s security policies and processes, leading to non-compliance. | B.2 Policies and procedures; B.3 Risk management; B.5 Compliance; B.6 Audit; B.7 Training and awareness |
6 | Data Breach | Unauthorised users are able to access organisation’s confidential and/or sensitive data from a stolen/lost corporate device, which leads to data leakage or disclosure of confidential and/or sensitive data. | B.3 Risk management; B.8 Assets management; B.9 Data protection and privacy; B.15 Access control; B.20 Network security | Rare (1)
7 | Data Breach | Attacker exploits a vulnerability in an organisation’s application, gains access and is able to extract confidential and/or sensitive data, including personal data. | B.3 Risk management; B.12 System security; B.14 Secure Software Development Life Cycle (SDLC); B.15 Access control; B.20 Network security |
8 | Human Factor | Disgruntled employee performing unauthorised modification to sensitive information to cause disruption to business operations. | B.3 Risk management; B.7 Training and awareness; B.15 Access control |
9 | Human Factor | Attacker sends phishing emails to employees containing malicious payload (e.g., attachments, Uniform Resource Locator (URL)), which can be used to further initiate cyberattacks into the organisation. | B.3 Risk management; B.7 Training and awareness; B.15 Access control; B.20 Network security |
10 | Physical Security | Unauthorised user is able to access data processing/sensitive information storage facility and damage or destroy the organisation’s critical systems and data. | B.3 Risk management; B.10 Backups; B.19 Physical/environmental security; B.20 Network security |
11 | Physical Security | Unauthorised user access to the organisation’s network using wireless network access point and extracting personal and sensitive information. | B.3 Risk management; B.11 Bring Your Own Device (BYOD); B.15 Access control; B.19 Physical/environmental security; B.20 Network security |
12 | Supply Chain | Vendor’s negligence causing erroneous transactions in organisation’s system. | B.3 Risk management; B.17 Third-party risk and oversight |
13 | Supply Chain | Insecure vendor IT environment, allowing attackers to access organisation’s network or data. | B.3 Risk management; B.15 Access control; B.16 Cyber threat management; B.17 Third-party risk and oversight; B.20 Network security |
14 | Human Factor | Employee’s negligence in handling confidential and/or sensitive data leading to disclosure of confidential and/or sensitive data. | B.7 Training and awareness; B.9 Data protection and privacy |
15 | Supply Chain | Attackers cause disruption to third-party service providers, causing disruption to the organisation’s services and operations. | B.3 Risk management; B.17 Third-party risk and oversight; B.22 Business continuity/disaster recovery |
16 | Data Breach | Attacker takes advantage of compromised or otherwise unprepared devices to access organisation’s confidential and/or sensitive data, which leads to data leakage or disclosure of confidential and/or sensitive data. | B.3 Risk management; B.9 Data protection and privacy; B.11 Bring Your Own Device (BYOD); B.12 System security; B.13 Anti-virus/anti-malware; B.16 Cyber threat management; B.20 Network security |
17 | Data Breach | Use of portable storage devices (e.g., Universal Serial Bus (USB) drives, external hard disks) to transfer confidential and/or sensitive data can lead to data exfiltration by a malicious user. | B.8 Asset management; B.9 Data protection and privacy |
18 | Infrastructure | Attacker is able to gain access to the organisation’s network and systems due to poor configuration of systems (e.g., have not changed from default configurations, etc.). | B.6 Cyber threat management; B.10 Backups; B.12 System security; B.20 Network security |
19 | Physical Security | Employees and visitors are not identifiable, resulting in missed detection of unauthorised access and malicious activities occurring. | B.7 Training and awareness; B.19 Physical/environmental security |
20 | Infrastructure | Misconfiguration of the organisation’s critical systems, causing disruption to the organisation’s services and operations. | B.6 Audit; B.10 Backups; B.12 System security; B.22 Business continuity/disaster recovery |
21 | Physical Security | Environmental risk to the organisation’s critical systems (e.g., fire, flood) which disrupts the operations of the systems. | B.10 Backups; B.22 Business continuity/disaster recovery |
22 | Infrastructure | Attackers use malware to attack organisation’s IT systems and penetrate the organisation’s IT infrastructure, including servers, endpoints, and destroy sensitive and personal information. | B.10 Backups; B.12 System security; B.13 Anti-virus/anti-malware; B.16 Cyber threat management; B.18 Vulnerability assessment |
23 | Data Breach | Unauthorised user is able to access data from IT assets that are not disposed properly leading to disclosure of confidential and/or sensitive data. | B.6 Audit; B.8 Asset management; B.9 Data protection and privacy |
24 | Human Factor | Inadequately skilled cyber resources within the organisation to manage cybersecurity incidents promptly, leading to a delayed response to a cybersecurity incident. | B.1 Governance; B.4 Cyber strategy; B.21 Incident response |
25 | Human Factor | High turnover rate of cybersecurity staff leading to a lack of resources to manage cybersecurity activities within the organisation. | B.1 Governance; B.4 Cyber strategy |

3.1 Cyber preparedness questionnaire for Cyber Trust mark

Clause Preparedness Clause Description Question Organisation Provide justification if


Tier Response "Not applicable"
B.1 Domain: Governance
B.1.1 Supporter Domain is not assessable for this tier. However,
the organisation should consider the section on
cultivating cybersecurity leadership in CSA's
cybersecurity toolkit for organisation leaders
and/or IT teams.

B.1.2 Practitioner Domain is not assessable for this tier. However,


the organisation should consider the section on
cultivating cybersecurity leadership in CSA's
cybersecurity toolkit for organisation leaders
and/or IT teams.

B.1.3 Promoter The organisation has established and Understanding cybersecurity importance: Has the
implemented practices to develop the importance organisation established and implemented
of cybersecurity within its business context and practices to develop the importance of
communicate this to all relevant stakeholders cybersecurity within its business context and
such as employees, customers and partners. communicate to all relevant stakeholders such as
employees, customers and partners?

B.1.4 Performer The organisation has defined and allocated the Define roles and responsibilities: Has the
roles and responsibilities to ensure that it is clear organisation defined and allocated the roles and
who is responsible to oversee the cybersecurity responsibilities to ensure it is clear who is to
program implementation and manage oversee the cybersecurity program
cybersecurity risks within the organisation. implementation and manage cybersecurity risks
within the organisation?

B.1.5 Performer The Board and/or senior management have Board and/or senior management involvement:
sufficient expertise in cybersecurity and are Do the Board and/or senior management have
involved in approving and overseeing the sufficient expertise in cybersecurity, and are
implementation of cybersecurity strategy, policies involved in approving and overseeing the
and procedures and risk management actions. implementation of cybersecurity strategy, policies
and procedures and risk management actions?

Date: 04/24/2024 CONFIDENTIAL Page 12 of 74


Cyber Trust mark — Self-assessment questionnaire

Clause Preparedness Clause Description Question Organisation Provide justification if


Tier Response "Not applicable"
B.1.6 Performer The organisation has established cybersecurity Meeting cybersecurity objectives: Has the
goals/objectives which are reviewed and organisation established cybersecurity
approved by the Board and/or senior goals/objectives which are reviewed and
management at least annually and implemented approved by the Board and/or senior
in the form of measures such as policies and management at least annually and implemented
procedures. in the form of measures such as policies and
procedures?

B.1.7 Advocate The Board and/or senior management has Cybersecurity committee/forum: Has the Board
established a dedicated cybersecurity and/or senior management established a
committee/forum to discuss on cybersecurity dedicated cybersecurity committee/forum to
initiatives and activities regularly, oversee and discuss on cybersecurity initiatives and activities
monitor cybersecurity risks to ensure compliance regularly, oversee and monitor cybersecurity risks
with organisational cybersecurity policies, to ensure compliance with organisational
procedures and regulatory requirements. cybersecurity policies, procedures and regulatory
requirements?

B.1.8 Advocate The organisation has established and Reporting to Board/senior management: Has the
implemented practices to ensure that the Board organisation established and implemented
and/or senior management are regularly updated practices to ensure the Board and/or senior
on cybersecurity matters and key topics/decisions management are regularly updated on
are discussed in a timely manner with regard to cybersecurity matters and key topics/decisions are
implementation of programs and initiatives based discussed in a timely manner with regard to
on the cybersecurity risks. implementation of programs and initiatives based
on the cybersecurity risks?

B.2 Domain: Policies and procedures

Date: 04/24/2024 CONFIDENTIAL Page 13 of 74


Cyber Trust mark — Self-assessment questionnaire

Clause Preparedness Clause Description Question Organisation Provide justification if


Tier Response "Not applicable"
B.2.1 Supporter Domain is not assessable for this tier. However,
the organisation should consider the section on
cultivating cybersecurity leadership in the
organisation, educating employees on
cybersecurity, protecting its information assets,
securing its access and environment and ensuring
that its business is cyber resilient in CSA’s
cybersecurity toolkit for Small and Medium-sized
Enterprise (SME) owners, organisation leaders
and/or IT teams.

B.2.2 Practitioner Domain is not assessable for this tier. However,


the organisation should consider the section on
cultivating cybersecurity leadership in the
organisation, educating employees on
cybersecurity, protecting its information assets,
securing its access and environment and ensuring
that its business is cyber resilient in CSA's
cybersecurity toolkit for SME owners, organisation
leaders and/or IT teams.

B.2.3 Promoter The organisation has implemented practices to Communication of cybersecurity guidance and/or
regularly communicate and update its employees requirements: Has the organisation implemented
on the cybersecurity processes, industry best practices to regularly communicate and update its
practices and standards adopted to manage employees on the cybersecurity processes,
cybersecurity risks and measures to be taken to industry best practices and standards adopted to
protect its information assets. manage cybersecurity risks and measures to be
taken to protect its information assets?

Date: 04/24/2024 CONFIDENTIAL Page 14 of 74


Cyber Trust mark — Self-assessment questionnaire

Clause Preparedness Clause Description Question Organisation Provide justification if


Tier Response "Not applicable"
B.2.4 Performer The organisation has established and Policies and procedures: Has the organisation
implemented policies and procedures that established and implemented policies and
incorporate the relevant requirements, guidance procedures that incorporate the relevant
and directions to manage cybersecurity risk and requirements, guidance and directions to manage
protect information assets in its environment to cybersecurity risk and protect information assets
ensure that employees have clear direction and in its environment to ensure that employees have
guidance. clear direction and guidance?

B.2.5 Performer The cybersecurity policies and procedures are Board and/or senior management approval: Are
approved and formalised by the Board and/or the cybersecurity policies and procedures
senior management to ensure top-down support. approved and formalised by the Board and/or
senior management to ensure top-down support?

B.2.6 Performer The cybersecurity policies and procedures are Communication of the policies and procedures:
published, communicated and made accessible for Are the cybersecurity policies and procedures
employees to ensure that the employees have published, communicated and made accessible for
clear direction and guidance to perform their employees to ensure that the employees have
work securely. clear direction and guidance to perform their
work securely?

B.2.7 Advocate The organisation performs regular review and Management review and reporting: Does the
reporting on the effectiveness and deviations of organisation perform regular review and reporting
the cybersecurity policies and procedures to the on the effectiveness and deviations of the
Board and/or senior management at least cybersecurity policies and procedures to the
annually to ensure that they are kept informed. Board and/or senior management at least
annually to ensure that they are kept informed?

B.2.8 Advocate The organisation has established and Policies and procedures compliance: Has the
implemented policy and process to ensure organisation established and implemented policy
compliance with the cybersecurity policies and and process to ensure compliance with the
procedures. cybersecurity policies and procedures?

Date: 04/24/2024 CONFIDENTIAL Page 15 of 74


Cyber Trust mark — Self-assessment questionnaire

Clause Preparedness Clause Description Question Organisation Provide justification if


Tier Response "Not applicable"
B.2.9 Advocate The organisation has established and Follow up for non-compliance: Has the
implemented policy and process to track and organisation established and implemented policy
monitor non-compliance with policies, processes and process to track and monitor non-compliance
and procedures and ensure that the associated with policies, processes and procedures and
cybersecurity risks are addressed. ensure that the associated cybersecurity risks are
addressed?

B.3 Domain: Risk management


B.3.1 | Tier: Supporter
Clause Description: The organisation has identified the cybersecurity risks in the environment, including risks on-premises and where applicable, remote risks, to ensure that all the identified cybersecurity risks can be addressed.
Question: Risk identification and remediation: Has the organisation identified the cybersecurity risks in the environment, including risks on-premises and where applicable, remote risks, to ensure the risks are addressed?

B.3.2 | Tier: Supporter
Clause Description: The organisation performs steps to analyse and prioritise the critical cybersecurity risks in the business environment to ensure that the more critical cybersecurity risks are addressed first.
Question: Risk analysis: Does the organisation perform steps to analyse and prioritise the critical cybersecurity risks in the business environment to ensure that the more critical cybersecurity risks are addressed first?

B.3.3 | Tier: Practitioner
Clause Description: The organisation has established and implemented a risk treatment plan with the guidelines and/or requirements to accept, remediate or mitigate the identified cybersecurity risks to ensure that cybersecurity risks are treated.
Question: Risk response: Has the organisation established and implemented a risk treatment plan with the guidelines and/or requirements to accept, remediate or mitigate the identified cybersecurity risks to ensure that cybersecurity risks are treated?

B.3.4 | Tier: Practitioner
Clause Description: The organisation performs regular cybersecurity risk identification at least on an annual basis or whenever there are changes to the environment and tracks them to maintain a record of the cybersecurity risks in the environment.
Question: Regular risk identification and tracking: Does the organisation perform regular cybersecurity risk identification at least on an annual basis or whenever there are changes to the environment and track them to maintain a record of the cybersecurity risks in the environment?

B.3.5 | Tier: Promoter
Clause Description: The organisation has defined and applied a cybersecurity risk assessment process to identify risk, assess the dependencies and evaluate the current measures in place to ensure that the organisation is clear on how to assess the cybersecurity risks.
Question: Risk assessment process: Has the organisation defined and applied a cybersecurity risk assessment process to identify risk, assess the dependencies and evaluate the current measures in place to ensure that the organisation is clear on how to assess the cybersecurity risks?

B.3.6 | Tier: Promoter
Clause Description: The organisation has established, implemented and maintained a cybersecurity risk register containing the risks identified with their priority, the treatment plan, timeline, and the employee(s) assigned the task of tracking and monitoring.
Question: Cybersecurity risk register: Has the organisation established, implemented and maintained a cybersecurity risk register containing the risks identified with their priority, the treatment plan, timeline, and the employee(s) assigned the task of tracking and monitoring?

B.3.7 | Tier: Performer
Clause Description: The organisation has established and implemented risk management policies and procedures with the requirements, guidelines and detailed steps to identify, analyse, evaluate, monitor and treat cybersecurity risks.
Question: Risk management policies and procedures: Has the organisation established and implemented risk management policies and procedures with the requirements, guidelines and detailed steps to identify, analyse, evaluate, monitor and treat cybersecurity risks?

B.3.8 | Tier: Performer
Clause Description: The organisation has defined and allocated the roles and responsibilities for conducting and overseeing cybersecurity risk assessment to ensure that employees are clear on the tasks assigned to them.
Question: Designated risk assessment responsibility: Has the organisation defined and allocated the roles and responsibilities for conducting and overseeing cybersecurity risk assessment to ensure that employees are clear on the tasks assigned to them?

B.3.9 | Tier: Performer
Clause Description: The organisation has established the cybersecurity risk appetite and cybersecurity risk tolerance statement approved by the Board and/or senior management to ensure that there is organisational consensus on the type and acceptable level of cybersecurity risk.
Question: Establish cybersecurity risk appetite and tolerance: Has the organisation established a cybersecurity risk appetite and cybersecurity risk tolerance statement approved by the Board and/or senior management to ensure that there is organisational consensus on the type and acceptable level of cybersecurity risk?

B.3.10 | Tier: Advocate
Clause Description: The organisation has established and implemented a cybersecurity risk management framework which is integrated as part of the organisation's overall risk management to ensure alignment with business goals.
Question: Integrate to Enterprise Risk Management (ERM): Has the organisation established and implemented a cybersecurity risk management framework which is integrated as part of the organisation's overall risk management to ensure alignment with business goals?

B.3.11 | Tier: Advocate
Clause Description: The organisation has established and implemented policy and process to report identified cybersecurity risks to the Board and/or senior management at least on a monthly basis to ensure that they are kept informed.
Question: Risk reporting: Has the organisation established and implemented policy and process to report identified cybersecurity risks to the Board and/or senior management at least on a monthly basis to ensure that they are kept informed?

B.3.12 | Tier: Advocate
Clause Description: The organisation has established and implemented policy and process to review deviations to ensure that the residual cybersecurity risk stays within its cybersecurity risk appetite and risk tolerance level.
Question: Risk review: Has the organisation established and implemented policy and process to review deviations to ensure that the residual cybersecurity risk stays within its cybersecurity risk appetite and risk tolerance level?

B.4 Domain: Cyber strategy

B.4.1 | Tier: Supporter
Clause Description: Domain is not assessable for this tier. However, the organisation should consider the section on cultivating cybersecurity leadership in CSA's cybersecurity toolkit for SME owners, organisation leaders and IT teams.

B.4.2 | Tier: Practitioner
Clause Description: Domain is not assessable for this tier. However, the organisation should consider the section on cultivating cybersecurity leadership in CSA's cybersecurity toolkit for SME owners, organisation leaders and IT teams.

B.4.3 | Tier: Promoter
Clause Description: Domain is not assessable for this tier. However, the organisation should consider the section on cultivating cybersecurity leadership in CSA's cybersecurity toolkit for SME owners, organisation leaders and IT teams.

B.4.4 | Tier: Performer
Clause Description: Domain is not assessable for this tier. However, the organisation should consider the section on cultivating cybersecurity leadership in CSA's cybersecurity toolkit for SME owners, organisation leaders and IT teams.

B.4.5 | Tier: Advocate
Clause Description: The organisation has established a cybersecurity strategy to achieve cyber resiliency and protect the organisation against cybersecurity threats in terms of people, process and technology. The cybersecurity strategy has been translated into a roadmap to achieve planned targets over a time period.
Question: Cybersecurity strategy & roadmap: Has the organisation established a cybersecurity strategy to achieve cyber resiliency and protect the organisation against cybersecurity threats in terms of people, process and technology? Has the cybersecurity strategy been translated into a roadmap to achieve planned targets over a time period?

B.4.6 | Tier: Advocate
Clause Description: The organisation has established and implemented a cybersecurity workplan based on its cybersecurity strategy and roadmap incorporating the necessary actions, timelines and allocated resources to achieve the planned targets.
Question: Cyber strategy workplan: Has the organisation established and implemented a cybersecurity workplan based on its cybersecurity strategy and roadmap incorporating the necessary actions, timelines and allocated resources to achieve the planned targets?

B.4.7 | Tier: Advocate
Clause Description: The organisation has allocated sufficient budget and funds to achieve the planned cybersecurity targets. The budgets and funds are monitored by the Board/senior management and revised on a regular basis based on updates received.
Question: Budget and funds allocation: Has the organisation allocated sufficient budget and funds to achieve the planned cybersecurity targets? Are the budgets and funds monitored by the Board/senior management and revised on a regular basis based on updates received?

B.4.8 | Tier: Advocate
Clause Description: The organisation has tracked and evaluated its progress on the cybersecurity strategy, the roadmap and workplans regularly, at least on an annual basis, with its Board/senior management to ensure that they are updated on the progress and status.
Question: Tracking of cybersecurity strategy & roadmap: Has the organisation tracked and evaluated its progress on the cybersecurity strategy, the roadmap and workplans regularly, at least on an annual basis, with its Board/senior management to ensure that they are updated on the progress and status?

B.4.9 | Tier: Advocate
Clause Description: The organisation has reviewed and updated its cybersecurity strategy, the roadmap and workplan at least annually to ensure alignment with business goals, taking into account the evolving cyber threat landscape.
Question: Cybersecurity strategy & roadmap updates: Has the organisation reviewed and updated its cybersecurity strategy, the roadmap and workplan at least annually to ensure alignment with business goals, taking into account the evolving cyber threat landscape?

B.5 Domain: Compliance


B.5.1 | Tier: Supporter
Clause Description: The organisation has identified the cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific) applicable in its area of business in order to comply with them.
Question: Identifying areas of cybersecurity-related law and regulation: Has the organisation identified the cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific) applicable in its area of business in order to comply with them?

B.5.2 | Tier: Practitioner
Clause Description: The organisation has established and implemented measures to ensure compliance with the applicable cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific).
Question: Measures to ensure compliance: Has the organisation established and implemented measures to ensure compliance with the applicable cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific)?

B.5.3 | Tier: Promoter
Clause Description: The organisation has communicated cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific) to employees to ensure that they are aware of them when performing their tasks.
Question: Communication for compliance: Has the organisation communicated cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific) to employees to ensure that they are aware of them when performing their tasks?

B.5.4 | Tier: Promoter
Clause Description: The organisation has defined and applied a process to ensure that it stays compliant and up to date with the latest cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific) applicable to the organisation.
Question: Compliance process: Has the organisation defined and applied a process to ensure that it stays compliant and up to date with the latest cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific) applicable to the organisation?

B.5.5 | Tier: Performer
Clause Description: The organisation has established and implemented policy and procedure with the necessary measures, requirements and steps to address cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific).
Question: Cybersecurity laws and regulatory policy: Has the organisation established and implemented policy and procedure with the necessary measures, requirements and steps to address cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific)?

B.5.6 | Tier: Performer
Clause Description: The organisation has defined and allocated roles and responsibilities to address the requirements in cybersecurity-related laws, regulatory compliance and/or guidelines (e.g., sector-specific) in the organisation to ensure that employees are clear on their tasks for compliance.
Question: Compliance roles and responsibilities: Has the organisation defined and allocated the roles and responsibilities to oversee and address the requirements in cybersecurity-related laws, regulatory compliance and/or guidelines (e.g., sector-specific) to ensure that employees are clear on their tasks towards compliance?

B.5.7 | Tier: Advocate
Clause Description: The organisation has established and implemented a policy and process to ensure that the organisation's processes and systems comply with applicable cybersecurity-related laws, regulatory compliance and/or guidelines (e.g., sector-specific) and to identify any non-compliance.
Question: Cybersecurity laws and regulatory compliance: Has the organisation established and implemented a policy and process to ensure that the organisation's processes and systems comply with applicable cybersecurity-related laws, regulatory compliance and/or guidelines (e.g., sector-specific) and to identify any non-compliance?

B.5.8 | Tier: Advocate
Clause Description: The organisation has established and implemented the policy and procedure to take action against non-compliance with cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific) to ensure that the organisation is able to stay compliant.
Question: Actions against non-compliance: Has the organisation established and implemented the policy and procedure to take action against non-compliance with cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific) to ensure that the organisation is able to stay compliant?

B.5.9 | Tier: Advocate
Clause Description: Cybersecurity-related laws, regulatory compliance and/or guidelines (e.g., sector-specific) and non-compliance are reported to the Board and/or senior management on a timely basis to ensure that they are kept informed of the associated risks and any non-compliance.
Question: Cybersecurity laws and regulatory reporting: Is non-compliance with cybersecurity-related laws, regulatory compliance and/or guidelines (e.g., sector-specific) being reported to the Board and/or senior management on a timely basis to ensure that they are kept informed of the associated risks and any non-compliance?

B.6 Domain: Audit


B.6.1 | Tier: Supporter
Clause Description: Domain is not assessable for this tier.

B.6.2 | Tier: Practitioner
Clause Description: Domain is not assessable for this tier.

B.6.3 | Tier: Promoter
Clause Description: Domain is not assessable for this tier.

B.6.4 | Tier: Performer
Clause Description: The organisation has established, implemented and maintained a cybersecurity audit plan, including at a minimum the objective, scope, roles and responsibilities, guidelines and frequency for auditing, to assess the effectiveness of the organisation's policies, processes, procedures and controls against cybersecurity risks.
Question: Cybersecurity audit plan: Has the organisation established, implemented and maintained a cybersecurity audit plan, including at a minimum the objective, scope, roles and responsibilities, guidelines and frequency for auditing, to assess the effectiveness of the organisation's policies, processes, procedures and controls against cybersecurity risks?

B.6.5 | Tier: Performer
Clause Description: The organisation has established an internal audit function and/or team to assess the policies, processes, procedures and controls against cybersecurity risks.
Question: Internal audit function and/or team: Has the organisation established an internal audit function and/or team to assess the policies, processes, procedures and controls against cybersecurity risks?

B.6.6 | Tier: Performer
Clause Description: The organisation has established and implemented policies, processes, procedures and controls to mitigate and address the audit findings based on priority and timelines to ensure that the audit findings are remediated in a timely manner.
Question: Addressing audit findings: Has the organisation established and implemented policies, processes, procedures and controls to mitigate and address the audit findings based on priority and timelines to ensure that the audit findings are remediated in a timely manner?

B.6.7 | Tier: Advocate
Clause Description: The organisation has implemented monitoring and review of the audit findings at least quarterly to ensure that they are remediated within the stipulated timeline.
Question: Audit monitoring and review: Has the organisation implemented monitoring and review of the audit findings at least quarterly to ensure that they are remediated within the stipulated timeline?

B.6.8 | Tier: Advocate
Clause Description: The organisation has established and implemented processes to report and follow up on the findings with the Board and/or senior management to ensure that they are informed of the audit findings and critical risks.
Question: Audit follow up: Has the organisation established and implemented processes to report and follow up on the findings with the Board and/or senior management to ensure that they are informed of the audit findings and critical risks?

B.7 Domain: Training and awareness

B.7.1 | Tier: Supporter
Clause Description: The organisation has implemented all the cybersecurity requirements in the Cyber Essentials mark under A.1 Assets: People to ensure that employees are equipped with the security knowledge and awareness to identify and mitigate against cyber threats.
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity requirements in the Cyber Essentials mark under A.1 Assets: People to ensure that employees are equipped with the security knowledge and awareness to identify and mitigate against cyber threats?

B.7.2 | Tier: Practitioner
Clause Description: The organisation has implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.1 Assets: People to ensure that employees are equipped with the security knowledge and awareness to identify and mitigate against cyber threats.
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.1 Assets: People to ensure that employees are equipped with the security knowledge and awareness to identify and mitigate against cyber threats?

B.7.3 | Tier: Practitioner
Clause Description: The organisation performs measures to track the relevant metrics (e.g., attendance) to ensure that employees have completed the cybersecurity awareness and training programmes.
Question: Tracking training metrics: Does the organisation track the relevant metrics (e.g., attendance) to ensure that employees have completed the cybersecurity awareness and training programmes?

B.7.4 | Tier: Promoter
Clause Description: The organisation performs measures to ensure that employees are assessed at the end of the awareness and training programmes and are required to pass the programmes to ensure that they demonstrate what they have learnt.
Question: Security awareness assessments: Does the organisation ensure that employees are assessed at the end of the awareness and training programmes and are required to pass the programmes to ensure that they demonstrate what they have learnt?

B.7.5 | Tier: Promoter
Clause Description: The organisation has appointed a cybersecurity champion to promote cybersecurity awareness and launch cybersecurity initiatives.
Question: Cybersecurity champion: Has the organisation appointed a cybersecurity champion to promote cybersecurity awareness and launch cybersecurity initiatives?

B.7.6 | Tier: Performer
Clause Description: The organisation has established and implemented policies and procedures on the training types, frequency and attendees' requirements as well as the steps to conduct and participate in the training to ensure that they can be adhered to.
Question: Cybersecurity awareness and training policy and procedure: Has the organisation established and implemented policies and procedures on the training types, frequency and attendees' requirements as well as the steps to conduct and participate in the training to ensure that they can be adhered to?

B.7.7 | Tier: Performer
Clause Description: The organisation has its cybersecurity awareness and training programmes endorsed by the Board and/or senior management to ensure that they are in place and up to date.
Question: Review of cybersecurity awareness and training programme: Has the organisation had its cybersecurity awareness and training programmes endorsed by the Board and/or senior management to ensure that they are in place and up to date?

B.7.8 | Tier: Performer
Clause Description: The organisation has defined and established policies and processes to identify the cybersecurity skillset necessary for its employees, including the Board and/or senior management, to manage cybersecurity risks and incidents and to ensure that they receive the relevant training.
Question: Cybersecurity skills and competency development: Has the organisation defined and established policies and processes to identify the cybersecurity skillset necessary for its employees, including the Board and/or senior management, to manage cybersecurity risks and incidents and to ensure that they receive the relevant training?

B.7.9 | Tier: Advocate
Clause Description: The organisation has established and implemented a process to evaluate the effectiveness of the cybersecurity awareness and training programmes, e.g., by monitoring the results of trainings and the number of related cybersecurity incidents before and after the training programmes.
Question: Cybersecurity awareness and training programme effectiveness: Has the organisation established and implemented a process to evaluate the effectiveness of the cybersecurity awareness and training programmes, e.g., by monitoring the results of trainings and the number of related cybersecurity incidents before and after the training programmes?

B.7.10 | Tier: Advocate
Clause Description: The organisation has established and implemented a process to conduct regular skill gap analysis to identify lacking cybersecurity skillsets to ensure that they can be bridged.
Question: Cybersecurity skill gap analysis: Has the organisation established and implemented a process to conduct regular skill gap analysis to identify lacking cybersecurity skillsets to ensure that they can be bridged?

B.7.11 | Tier: Advocate
Clause Description: The organisation has a department (e.g., team within Human Resource (HR), business units) responsible for conducting, reviewing and ensuring the compliance of employees' awareness and compliance with the training programmes.
Question: Awareness and training management: Does the organisation have a department (e.g., team within HR, business units) responsible for conducting, reviewing and ensuring the compliance of employees' awareness and compliance with the training programmes?

B.8 Domain: Asset management


B.8.1 | Tier: Supporter
Clause Description: The organisation has implemented all the cybersecurity requirements in the Cyber Essentials mark under A.2 Assets: Hardware and software to ensure that hardware and software present in the environment are identified and protected against common cyber threats.
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity requirements in the Cyber Essentials mark under A.2 Assets: Hardware and software to ensure that hardware and software present in the environment are identified and protected against common cyber threats?

B.8.2 | Tier: Practitioner
Clause Description: The organisation has implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.2 Assets: Hardware and software to ensure that hardware and software present in the environment are identified and protected against common cyber threats.
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.2 Assets: Hardware and software to ensure that hardware and software present in the environment are identified and protected against common cyber threats?

B.8.3 | Tier: Promoter
Clause Description: The organisation has established and implemented policies and procedures on the security requirements, guidelines and detailed steps to classify, handle and dispose of hardware and software assets in the environment securely to ensure that employees have clear direction and guidance.
Question: Assets handling policy and procedure: Has the organisation established and implemented policies and procedures on the security requirements, guidelines and detailed steps to classify, handle and dispose of hardware and software assets in the environment securely to ensure that employees have clear direction and guidance?

B.8.4 | Tier: Promoter
Clause Description: The organisation has established and implemented a process to classify and handle hardware and software according to their confidentiality and/or sensitivity levels to ensure that they receive adequate security and protection.
Question: Measures handling highly classified assets: Has the organisation established and implemented a process to classify and handle hardware and software according to their confidentiality and/or sensitivity levels to ensure that they receive adequate security and protection?

B.8.5 | Tier: Promoter
Clause Description: The organisation has defined and allocated roles and responsibilities to ensure that it is clear who is responsible to maintain, support and manage the hardware and software assets in the inventory list.
Question: Roles and responsibilities: Has the organisation defined and allocated roles and responsibilities to ensure that it is clear who is responsible to maintain, support and manage the hardware and software assets in the inventory list?

B.8.6 | Tier: Performer
Clause Description: The organisation has established and implemented asset discovery tools that are appropriate and recognised in the industry to scan and discover assets that are connected to its network to ensure that all the assets can be managed securely.
Question: Use of asset discovery tools: Has the organisation established and implemented asset discovery tools that are appropriate and recognised in the industry to scan and discover assets that are connected to its network to ensure that all the assets can be managed securely?

B.8.7 | Tier: Performer
Clause Description: The organisation has established and implemented an acceptable use policy on the rules and restrictions for hardware and software assets to ensure that the assets are being managed appropriately and securely.
Question: Acceptable use policy: Has the organisation established and implemented an acceptable use policy on the rules and restrictions for hardware and software assets to ensure that the assets are being managed appropriately and securely?

B.8.8 | Tier: Advocate
Clause Description: The organisation has established and implemented a policy and process to ensure that the hardware and software asset inventory is consistent and updated organisation-wide.
Question: Enterprise asset alignment: Has the organisation established and implemented a policy and process to ensure that the hardware and software asset inventory is consistent and updated organisation-wide?

B.8.9 | Tier: Advocate
Clause Description: The organisation has established and implemented the use of an asset inventory management system that is appropriate and recognised in the industry to track and manage hardware and software assets to ensure accuracy and avoid oversight.
Question: Asset inventory management system: Has the organisation established and implemented the use of an asset inventory management system that is appropriate and recognised in the industry to track and manage hardware and software assets to ensure accuracy and avoid oversight?

B.8.10 | Tier: Advocate
Clause Description: Asset risks are being addressed as part of the risk assessment framework and reported to the Board and/or senior management to ensure that they are not neglected.
Question: Asset risk management: Are asset risks being addressed as part of the risk assessment framework and reported to the Board and/or senior management to ensure that they are not neglected?

B.9 Domain: Data protection and privacy


B.9.1 | Tier: Supporter
Clause Description: The organisation has implemented all the cybersecurity requirements in the Cyber Essentials mark under A.3 Assets: Data to ensure that business-critical data (including personal data, company secrets, intellectual property, etc.) can be identified, located and secured.
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity requirements in the Cyber Essentials mark under A.3 Assets: Data to ensure that business-critical data (including personal data, company secrets, intellectual property, etc.) can be identified, located and secured?

B.9.2 | Tier: Supporter
Clause Description: The organisation has defined and applied a process to report any breach of business-critical data (including personal data, company secrets, intellectual property, etc.) and to ensure that stakeholders such as the management, relevant authorities and relevant individuals are kept informed.
Question: Reporting of data breach: Has the organisation defined and applied a process to report any breach of business-critical data (including personal data, company secrets, intellectual property, etc.) and to ensure that stakeholders such as the management, relevant authorities and relevant individuals are kept informed?

B.9.3 | Tier: Supporter
Clause Description: The organisation that uses a cloud service has established and implemented the cloud shared responsibility model with the Cloud Service Provider (CSP) in terms of data privacy and security (e.g., agreement with the CSP to establish clear roles and responsibilities between the organisation and the CSP).
Question: Understanding cloud shared responsibility: If the organisation uses a cloud service, has it established and implemented the cloud shared responsibility model with the CSP in terms of data privacy and security (e.g., agreement with the CSP to establish clear roles and responsibilities between the organisation and the CSP)?

B.9.4 | Tier: Practitioner
Clause Description: The organisation has implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.3 Assets: Data to ensure that business-critical data (including personal data, company secrets, intellectual property, etc.) can be identified, located and secured.
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.3 Assets: Data to ensure that business-critical data (including personal data, company secrets, intellectual property, etc.) can be identified, located and secured?

B.9.5 | Tier: Promoter
Clause Description: The organisation has established and implemented policies and procedures to carry out risk classification and handle business-critical data (including personal data, company secrets, intellectual property, etc.) according to their confidentiality and/or sensitivity levels to ensure that they receive adequate security and protection.
Question: Measures handling highly classified assets: Has the organisation established and implemented policies and procedures to carry out risk classification and handle business-critical data (including personal data, company secrets, intellectual property, etc.) according to their confidentiality and/or sensitivity levels to ensure that they receive adequate security and protection?

B.9.6 | Tier: Promoter
Clause Description: The organisation has established and implemented policies and procedures to document the data flow diagram of business-critical data (including personal data, company secrets, intellectual property, etc.) through information systems and programs in the organisation and implement relevant enforcement measures to ensure that they stay within the environment.
Question: Data flow diagram: Has the organisation established and implemented policies and procedures to document the data flow diagram of business-critical data (including personal data, company secrets, intellectual property, etc.) through information systems and programs in the organisation and implement relevant enforcement measures to ensure that they stay within the environment?

B.9.7 | Tier: Promoter
Clause Description: The organisation has established and implemented policies and procedures to handle business-critical data (including personal data, company secrets, intellectual property, etc.) securely and to protect business-critical data according to their classifications and requirements (e.g., collect, use, protect, dispose).
Question: Data secure handling policy and procedure: Has the organisation established and implemented policies and procedures to handle business-critical data (including personal data, company secrets, intellectual property, etc.) securely and to protect business-critical data according to their classifications and requirements (e.g., collect, use, protect, dispose)?

B.9.8 Performer
Clause Description: The organisation has established and implemented data management policies and procedures through the guidelines, requirements and steps to handle business-critical data (including personal data, company secrets, intellectual property, etc.) at rest, in transit and in use securely.
Question: Data management policy and procedure: Has the organisation established and implemented data management policies and procedures through the guidelines, requirements and steps to handle business-critical data (including personal data, company secrets, intellectual property, etc) at rest, in transit and in use securely?

B.9.9 Performer
Clause Description: The organisation has defined and allocated roles and responsibilities to ensure that it is clear who is responsible to maintain, support and manage the data assets in the inventory list.
Question: Roles and responsibilities: Has the organisation defined and allocated roles and responsibilities to ensure that it is clear who is responsible to maintain, support and manage the data assets in the inventory list?

B.9.10 Performer
Clause Description: The organisation using encryption has defined and applied a process on the use of recommended protocol and algorithm and minimum key length to ensure that it is secure and not obsolete.
Question: Cryptography policy: If encryption is used in the organisation, has it defined and applied a process on the use of recommended protocol and algorithm and minimum key length to ensure that it is secure and not obsolete?

B.9.11 Advocate
Clause Description: The organisation uses encryption to protect its data and has established and implemented cryptographic policies and processes to ensure that the keys are being handled securely throughout the cryptography key management lifecycle.
Question: Cryptography key lifecycle management: Does the organisation use encryption to protect its data, and has established and implemented cryptography policies and processes to ensure that the keys are being handled securely throughout the cryptography key management lifecycle?

B.9.12 Advocate
Clause Description: The organisation has established and implemented policies and procedures allowing only authorised devices with secure protocols to communicate, store and transfer business-critical data (including personal data, company secrets, intellectual property, etc) in the organisation.
Question: Secure communication: Has the organisation established and implemented policies and procedures to allow only authorised devices with secure protocols to communicate, store and transfer business-critical data (including personal data, company secrets, intellectual property, etc) in the organisation?

B.9.13 Advocate
Clause Description: The organisation has established and implemented policies and procedures to report on data protection and privacy risks and initiatives to the Board and/or senior management to ensure that they are kept informed.
Question: Data protection and privacy risk and initiatives: Has the organisation established and implemented policies and procedures to report on data protection and privacy risks and initiatives to the Board and/or senior management to ensure that they are kept informed?

B.10 Domain: Backups


B.10.1 Supporter
Clause Description: The organisation has implemented all the cybersecurity requirements in the Cyber Essentials mark under A.8 Backup: Back up essential data to ensure that the organisation [text truncated in source]
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity requirements in the Cyber Essentials mark under A.8 Backup: Back up essential data to ensure that data is backed up and stored securely?

B.10.2 Practitioner
Clause Description: The organisation has implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.8 Backup: Back up essential data to ensure that the organisation [text truncated in source]
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.8 Backup: Back up essential data to ensure that data is backed up and stored securely?

B.10.3 Practitioner
Clause Description: The organisation has established and implemented automated backup processes to ensure that the backup tasks are carried out without fail and without the need for human intervention.
Question: Automated backup: Has the organisation established and implemented automated backup processes to ensure that the backup tasks are carried out without fail and without the need for human intervention?

B.10.4 Promoter
Clause Description: The organisation has established and implemented backup plan(s) on the types, frequency and storage of backups to ensure that there is clarity of the steps to be taken to backup business-critical data in the organisation.
Question: Backup plans: Has the organisation established and implemented the backup plan(s) on the types, frequency and storage of backups to ensure that there is clarity of the steps to be taken to backup business-critical data in the organisation?

B.10.5 Promoter
Clause Description: The organisation has established and implemented the use of technology solutions for data backup and recovery, and the solutions implemented are appropriate and recognised in the industry to ensure that it can carry out reliable data backup and restoration.
Question: Requirement on backup solution: Has the organisation established and implemented the use of technology solutions for data backup and recovery, and the solutions implemented are appropriate and recognised in the industry to ensure that it can carry out reliable data backup and restoration?

B.10.6 Performer
Clause Description: The organisation has established and implemented backup and recovery policies and procedures on the requirements, guidelines and detailed steps to ensure that there is a consistent guidance and direction for performing backup and recovery in the organisation.
Question: Backup policy and procedure: Has the organisation established and implemented backup and recovery policies and procedures on the requirements, guidelines and detailed steps to ensure that there is a consistent guidance and direction for performing backup and recovery in the organisation?

B.10.7 Performer
Clause Description: The organisation has defined and allocated roles and responsibilities to ensure that it is clear who is responsible and accountable to perform and manage backup from creation to destruction.
Question: Roles and responsibilities for backup: Has the organisation defined and allocated the roles and responsibilities to ensure it is clear on who is responsible and accountable to perform and manage backup from creation to destruction?

B.10.8 Advocate
Clause Description: The organisation has established and implemented a backup control sheet for the backup data storage media with the purpose of including backup, time of backup, data encryption, retention date and the employee(s) assigned the task of backup to ensure that all the key information are documented.
Question: Backup control sheet: Has the organisation established and implemented a backup control sheet for the backup data storage media with the purpose of including backup, time of backup, data encryption, retention date and the employee(s) assigned the task of backup to ensure that all the key information are documented?

B.10.9 Advocate
Clause Description: The organisation has established and implemented policies and procedures to report backup related matters to the cybersecurity committees/forums to ensure that senior management is kept informed.
Question: Has the organisation established and implemented policies and procedures to report backup related matters to cybersecurity committees/forums to ensure that senior management is kept informed?

B.10.10 Advocate
Clause Description: The organisation has established and implemented policies and procedures to perform reviews on the backup status regularly to ensure that failed backup jobs are addressed and remediated.
Question: Backup review: Has the organisation established and implemented policies and procedures to perform reviews on the backup status regularly to ensure that failed backup jobs are addressed and remediated?

B.11 Domain: Bring Your Own Device (BYOD)


B.11.1 Supporter Domain is not assessable for this tier. However,
the organisation should consider the cybersecurity
requirements in the Cyber Essentials mark under:
– A.2 Assets: Hardware and software;
– A.4 Secure/Protect: Virus and malware
protection;
– A.6 Secure/Protect: Secure configuration;
– A.7 Update: Software updates; and
– A.8 Backup: Back up essential data covering
mobile devices.

B.11.2 Practitioner Domain is not assessable for this tier. However,
the organisation should consider the cybersecurity
requirements in the Cyber Essentials mark under:
– A.2 Assets: Hardware and software;
– A.4 Secure/Protect: Virus and malware
protection;
– A.6 Secure/Protect: Secure configuration;
– A.7 Update: Software updates; and
– A.8 Backup: Back up essential data covering
mobile devices.

B.11.3 Promoter Domain is not assessable for this tier. However,
the organisation should consider the cybersecurity
requirements in the Cyber Essentials mark under:
– A.2 Assets: Hardware and software;
– A.4 Secure/Protect: Virus and malware
protection;
– A.6 Secure/Protect: Secure configuration;
– A.7 Update: Software updates; and
– A.8 Backup: Back up essential data covering
mobile devices.

B.11.4 Performer
Clause Description: The organisation has established and implemented policies and procedures on the guidelines, requirements and steps on the use of BYOD connecting to the organisation's network and accessing the organisation's data to ensure that they conform to the set of security standards, e.g., passcode enabled.
Question: Policies and procedures on BYOD: Has the organisation established and implemented policies and procedures on the guidelines, requirements and steps on the use of BYOD connecting to the organisation's network and accessing the organisation's data to ensure that they conform to the set of security standards e.g. passcode enabled?

B.11.5 Advocate
Clause Description: The organisation has established and implemented cybersecurity measures within BYOD to manage and enforce organisational security protections such as through the use of Mobile Device Management (MDM).
Question: BYOD security controls: Has the organisation established and implemented cybersecurity controls within BYOD to manage and enforce organisational security protections such as through the use of MDM?

B.11.6 Advocate
Clause Description: The organisation has implemented regular review on the use of BYOD accessing business-critical data at least annually to ensure that the devices are compliant and safe.
Question: BYOD regular review: Has the organisation implemented regular review on the use of BYOD accessing business-critical data at least annually to ensure that the devices are compliant and safe?

B.11.7 Advocate
Clause Description: The organisation has established and implemented policies and procedures to segregate personal and work-related data in the organisation within BYOD to prevent disclosure and loss of confidential and/or sensitive data.
Question: Data segregation: Has the organisation established and implemented policies and procedures to segregate personal and work-related data in the organisation within BYOD to prevent disclosure and loss of confidential and/or sensitive data?

B.12 Domain: System security


B.12.1 Supporter
Clause Description: The organisation has implemented all the cybersecurity requirements in the Cyber Essentials mark under A.6 Secure/Protect: Secure configuration and A.7 Update: Software updates [text truncated in source]
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity requirements in the Cyber Essentials mark under A.6 Access: Secure configuration and A.7 Update: Software updates to ensure that the hardware and software uses secure and updated settings?

B.12.2 Practitioner
Clause Description: The organisation has implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.6 Secure/Protect: Secure configuration and A.7 Update: Software updates [text truncated in source]
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.6 Access: Secure configuration and A.7 Update: Software updates to ensure that the hardware and software uses secure and updated settings?

B.12.3 Practitioner
Clause Description: The organisation has performed monitoring on updates and patches installed to ensure that any impact or adverse effects can be identified and rectified in a timely manner.
Question: Monitor on updates and patches: Has the organisation performed monitoring on updates and patches installed to ensure that any impact or adverse effects can be identified and rectified in a timely manner?

B.12.4 Promoter
Clause Description: The organisation has defined and applied a process to ensure secure configurations are applied across all systems, servers, operating systems and network devices.
Question: Secure configuration process: Has the organisation defined and applied a process to ensure secure configurations are applied across all systems, servers, operating systems and network devices?

B.12.5 Promoter
Clause Description: The organisation has defined and applied a log management process to store and classify the different types of logs securely to ensure that they can be used to troubleshoot effectively.
Question: Log management process: Has the organisation defined and applied a log management process to store and classify the different types of logs securely to ensure that they can be used to troubleshoot effectively?

B.12.6 Promoter
Clause Description: The organisation has defined and applied a patch management process to test and install the updates and patches securely to ensure that there are no adverse effects.
Question: Patch management process: Has the organisation defined and applied a patch management process to test and install the updates and patches securely to ensure that there are no adverse effects?

B.12.7 Performer
Clause Description: The organisation has defined and allocated the roles and responsibilities to oversee, manage and monitor the organisation's system security (i.e., secure configuration, logging, update and patching) to ensure that employees are clear on the tasks assigned to them.
Question: System security roles and responsibilities: Has the organisation defined and allocated the roles and responsibilities to oversee, manage and monitor the organisation's system security (i.e. secure configuration, logging, update and patching) to ensure that employees are clear of the tasks assigned to them?

B.12.8 Performer
Clause Description: The organisation has established and implemented policies and procedures on the security configuration requirements, guidelines and detailed steps to ensure that they are aligned with the security standards.
Question: Secure configuration policy and procedure: Has the organisation established and implemented policies and procedures on the security configuration requirements, guidelines and detailed steps to ensure that they are aligned with the security standards?

B.12.9 Performer
Clause Description: The organisation has established and implemented a secure logging policy and procedure with the requirements, guidelines and detailed steps to store, retain and delete the logs from unauthorised access.
Question: Secure logging policy and procedure: Has the organisation established and implemented a secure logging policy and procedure with the requirements, guidelines and detailed steps to store, retain and delete the logs from unauthorised access?

B.12.10 Performer
Clause Description: The organisation has established and implemented policies and procedures with the requirements, guidelines and detailed steps to perform and install patches/updates to ensure that the system(s) is/are patched or updated within the defined timeframes according to their priority.
Question: Secure update and patching policy and procedure: Has the organisation established and implemented policies and procedures with the requirements, guidelines and detailed steps to perform and install patches/updates to ensure that the system(s) is/are patched or updated within the defined timeframes according to their priority?

B.12.11 Advocate
Clause Description: The organisation has implemented a configuration management tool/solution that is appropriate and recognised in the industry to ensure that the system's configurations are maintained in a desired and consistent state.
Question: Configuration management tool/solution: Has the organisation implemented a configuration management tool/solution that is appropriate and recognised in the industry to ensure that the system's configurations are maintained in a desired and consistent state?

B.12.12 Advocate
Clause Description: The organisation has established and implemented policies and procedures to ensure that the system's configuration requirements are aligned with the industry benchmarks and standards, e.g., CIS configuration benchmarks.
Question: System configuration benchmark: Has the organisation established and implemented policies and procedures to ensure that the system's configuration requirements are aligned with the industry benchmarks and standards e.g., CIS configuration benchmarks?

B.12.13 Advocate
Clause Description: The organisation has established and implemented policies and procedures to ensure that the systems' configurations are being complied with and that the risks arising from non-compliance are being addressed.
Question: Compliance process: Has the organisation established and implemented policies and procedures to ensure that the systems' configurations are being complied with and that the risks arising from non-compliance are being addressed?

B.13 Domain: Anti-virus/Anti-malware

B.13.1 Supporter
Clause Description: The organisation has implemented all the cybersecurity requirements in the Cyber Essentials mark under A.4 Secure/Protect: Virus and malware protection to ensure that [text truncated in source]
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity requirements in the Cyber Essentials mark under A.4 Access: Virus and malware protection to ensure that there is security protection against malicious software such as virus?

B.13.2 Practitioner
Clause Description: The organisation has implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.4 Secure/Protect: Virus and malware protection to ensure [text truncated in source]
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.4 Access: Virus and malware protection to ensure that there is security protection against malicious software such as virus?

B.13.3 Practitioner
Clause Description: The organisation has established and implemented the use of anti-virus and/or anti-malware solution(s) that is/are appropriate and recognised in the industry with features such as real-time malware detection and email protection, to ensure that it/they can protect the organisation adequately.
Question: Selection of anti-virus and/or anti-malware solution: Has the organisation established and implemented the use of anti-virus and/or anti-malware solution(s) that is/are appropriate and recognised in the industry with features such as real-time malware detection and email protection, to ensure that it/they can protect the organisation adequately?

B.13.4 Practitioner
Clause Description: The organisation has established and implemented web filtering to protect the business from surfing malicious sites.
Question: Web filtering: Has the organisation established and implemented web filtering to protect the business from surfing malicious sites?

B.13.5 Practitioner
Clause Description: The organisation has defined and applied the process to isolate and contain the virus and/or malware upon confirmation of attack to ensure minimal spread and damage caused.
Question: Virus and/or malware isolation: Has the organisation defined and applied the process to isolate and contain the virus and/or malware upon confirmation of attack to ensure minimal spread and damage caused?

B.13.6 Promoter
Clause Description: The organisation has defined and applied the process to run codes or applications of unknown origin within an isolated testing environment to test for the presence of virus and/or malware prior to their use in the working environment.
Question: Isolation of codes or applications: Has the organisation defined and applied the process to run codes or applications of unknown origin within an isolated testing environment to test for the presence of virus and/or malware prior to their use in the working environment?

B.13.7 Performer
Clause Description: The organisation has defined and allocated the roles and responsibilities for employees to oversee, manage and maintain the anti-virus and/or anti-malware solution(s) to ensure clarity for the relevant employees of their required tasks.
Question: Define roles and responsibilities: Has the organisation defined and allocated the roles and responsibilities for employees to oversee, manage and maintain the anti-virus and/or anti-malware solution(s) to ensure clarity of the relevant employees of their required tasks?

B.13.8 Advocate
Clause Description: The organisation has established and implemented policies and processes to subscribe to threat intelligence with external parties and to share and verify information relating to cyberattacks which includes virus and/or malware attacks.
Question: Threat intelligence: Has the organisation established and implemented policies and processes to subscribe to threat intelligence with external parties and to share and verify information relating to cyberattacks which includes virus and/or malware attacks?

B.13.9 Advocate
Clause Description: The organisation has established and implemented policies and processes to review and report findings on virus and/or malware to the Board and/or senior management to ensure that they are kept informed.
Question: Reporting on virus and/or malware: Has the organisation established and implemented policies and processes to review and report findings on virus and/or malware to the Board and/or senior management to ensure that they are kept informed?

B.13.10 Advocate
Clause Description: The organisation has established and implemented scanning and detection on indicators of compromise to ensure that anomalies and suspicious activities can be identified early.
Question: Early detection of virus and/or malware: Has the organisation established and implemented scanning and detection on indicators of compromise to ensure that anomalies and suspicious activities can be identified early?

B.14 Domain: Secure Software Development Life Cycle (SDLC)

B.14.1 Supporter Domain is not assessable for this tier.
B.14.2 Practitioner Domain is not assessable for this tier.
B.14.3 Promoter Domain is not assessable for this tier.
B.14.4 Performer Domain is not assessable for this tier.
B.14.5 Advocate
Clause Description: The organisation has established and implemented a SDLC framework with cybersecurity measures and requirements to manage the software development life cycle to ensure that areas such as data integrity, authentication, authorisation, accountability and exception handling can be addressed.
Question: SDLC framework: Has the organisation established and implemented a SDLC framework with cybersecurity measures and requirements to manage software development life cycle to ensure that areas such as data integrity, authentication, authorisation, accountability and exception handling can be addressed?

B.14.6 Advocate
Clause Description: The organisation has established and implemented security guidelines and requirements in its system and/or application development, e.g., secure coding to ensure that it adheres to the security principles.
Question: Secure system and/or application development: Has the organisation established and implemented security guidelines and requirements in its system and/or application development e.g. secure coding to ensure that it adheres to the security principles?

B.14.7 Advocate
Clause Description: The organisation has established and implemented the change management policy and process to ensure that changes or deployment to the production environment is reviewed and tested securely with a rollback plan in place to ensure that the change is controlled.
Question: Change management policy and process: Has the organisation established and implemented change management policy and process to ensure that changes or deployment to the production environment is reviewed and tested securely with a rollback plan in place to ensure that the change is controlled?

B.14.8 Advocate
Clause Description: The organisation has established and implemented a policy and process to perform security testing on the system and/or application before deployment to ensure that the security weaknesses and vulnerabilities are identified.
Question: System and/or application security testing: Has the organisation established and implemented a policy and process to perform security testing on the system and/or application before deployment to ensure that the security weaknesses and vulnerabilities are identified?

B.15 Domain: Access control
B.15.1 Supporter
Clause Description: The organisation has implemented all the cybersecurity requirements in the Cyber Essentials mark under A.5 Secure/Protect: Access control to ensure that there are cybersecurity [text truncated in source]
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity requirements in the Cyber Essentials mark under A.5 Access: Access control to ensure that there are cybersecurity measures in place over who has access to the data and assets?

B.15.2 Practitioner
Clause Description: The organisation has implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.5 Secure/Protect: Access control to ensure that there are [text truncated in source]
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.5 Access: Access control to ensure that there are cybersecurity measures in place over who has access to the data and assets?

B.15.3 Practitioner
Clause Description: The organisation performs regular role matrix review at least on an annual basis on the systems to ensure that the roles commensurate with the activities the employee, contractor and/or third party is allowed to perform.
Question: Role matrix review: Does the organisation perform regular role matrix review at least on an annual basis on the systems to ensure that the roles commensurate with the activities the employee, contractor and/or third party is allowed to perform?

B.15.4 Promoter
Clause Description: The organisation has defined and applied a process to approve and follow up on account access and role matrix review to ensure that unauthorised entry has been rectified and signed off.
Question: Account access and role matrix review follow-up process: Has the organisation defined and applied a process to approve and follow up on account access and role matrix review to ensure that unauthorised entry has been rectified and signed off?

B.15.5 Promoter
Clause Description: The organisation has defined and applied a process to ensure that employees are assigned roles based on principle of least privilege and segregation of duties.
Question: Process of least privileged and segregation of duties: Has the organisation defined and applied a process to ensure that employees are assigned roles based on principle of least privilege and segregation of duties?

B.15.6 Promoter
Clause Description: The organisation has established and implemented a secure logon policy and procedure on the requirements, guidelines and detailed steps of gaining access to sensitive and/or business-critical data as well as privileged access to ensure that the access is controlled and restricted.
Question: Secure logon policy and procedure: Has the organisation established and implemented a secure logon policy and procedure on the requirements, guidelines and detailed steps of gaining access to sensitive and/or business-critical data as well as privileged access to ensure that the access is controlled and restricted?

B.15.7 Performer
Clause Description: The organisation has established and implemented a passphrase policy and procedure on the requirements, guidelines and detailed steps on setting and updating passphrases to provide guidance and direction on what constitutes strong passphrases.
Question: Passphrase policy and procedure: Has the organisation established and implemented a passphrase policy and procedure on the requirements, guidelines and detailed steps on setting and updating passphrases to provide guidance and direction on what constitutes strong passphrases?

B.15.8 Performer
Clause Description: The organisation has established and implemented a user access control policy and procedure on the requirements, guidelines and detailed steps to restrict and authorise users' access to the organisation's assets.
Question: User access control policy and procedure: Has the organisation established and implemented a user access control policy and procedure on the requirements, guidelines and detailed steps to restrict and authorise users' access to the organisation's assets?

B.15.9 Performer
Clause Description: The organisation has established and implemented secure remote access policies and procedures on the requirements, guidelines and detailed steps to protect the information being accessed remotely.
Question: Remote access policy, process and procedure: Has the organisation established and implemented secure remote access policies, processes and procedures on the requirements, guidelines and detailed steps to protect the information being accessed remotely?

B.15.10 Advocate
Clause Description: The organisation has established and implemented policies and processes to review any sign of access compromise and to report the result to the Board and/or senior management to ensure that they are kept informed.
Question: Review and reporting of suspected access compromise: Has the organisation established and implemented policies and processes to review any sign of access compromise and to report the result to the Board and/or senior management to ensure that they are kept informed?

B.15.11 Advocate
Clause Description: The organisation has established and implemented a privileged access solution that is appropriate and recognised in the industry to authenticate users and authorise access based on their roles to ensure that there is a more efficient and effective way of managing access.
Question: Privileged access solution: Has the organisation established and implemented a privileged access solution that is appropriate and recognised in the industry to authenticate users and authorise access based on their roles to ensure that there is a more efficient and effective way of managing access?

B.16 Domain: Cyber threat management


B.16.1 Supporter Domain is not assessable for this tier.
B.16.2 Practitioner Domain is not assessable for this tier. However,
the organisation should ensure that logging is
enabled for software and hardware assets, e.g.,
systems, events, security and debugging logs.

B.16.3 Promoter Domain is not assessable for this tier. However,
the organisation shall ensure that logging is
enabled for software and hardware assets, e.g.,
systems, events, security and debugging logs.

B.16.4 Performer
Clause Description: The organisation has established and implemented a log monitoring policy, process and procedure on the requirements, guidelines and detailed steps to perform monitoring of security logs for threats and abnormality.
Question: Log monitoring policy, process and procedures: Has the organisation established and implemented a log monitoring policy, process and procedure on the requirements, guidelines and detailed steps to perform monitoring of security logs for threats and abnormality?

B.16.5 Performer
Clause Description: The organisation has defined and allocated the roles and responsibilities to carry out log monitoring and review on its systems, investigating the incidents and reporting to relevant stakeholders.
Question: Log monitoring roles and responsibilities: Has the organisation defined and allocated the roles and responsibilities to carry out log monitoring and review on its systems, investigating the incidents and reporting to relevant stakeholders?

B.16.6 Performer
Clause Description: The organisation has implemented Security Information and Event Management (SIEM) to store the logs centrally for correlation and to ensure that the logs are monitored more effectively.
Question: Security Information and Event Management (SIEM): Has the organisation implemented SIEM to store the logs centrally for correlation and to ensure that the logs are monitored more effectively?

B.16.7 Performer
Clause Description: The organisation has established and implemented a security baseline profile on its systems to analyse and perform monitoring to ensure that anomalies are identified.
Question: Security baseline profile: Has the organisation established and implemented a security baseline profile on its systems to analyse and perform monitoring to ensure that any anomalies are identified?

B.16.8 Performer
Clause Description: The organisation has established and implemented policies and procedures on the requirements, guidelines and detailed steps to carry out in response upon detection of abnormal or suspicious logs to ensure that they are investigated, reported and remediated in a timely manner.
Question: Response: Has the organisation established and implemented policies and procedures on the requirements, guidelines and detailed steps to carry out in response upon detection of abnormal or suspicious logs to ensure that they are investigated, reported and remediated in a timely manner?

B.16.9 Advocate
Clause Description: The organisation has established and implemented advanced analytics processes and solutions that are appropriate and recognised in the industry to detect against abnormal system and user behaviour, e.g., user behaviour analytics.
Question: Advanced analytics: Has the organisation established and implemented advanced analytics processes and solutions that are appropriate and recognised in the industry to detect against abnormal system and user behaviour, e.g., user behaviour analytics?

B.16.10 Advocate
Clause Description: The organisation has established and implemented reporting requirements and dashboards to report detected cybersecurity incidents or anomalies based on their severity to the Board and/or senior management.
Question: Reporting to Board and/or senior management: Has the organisation established and implemented reporting requirements and dashboards to report detected cybersecurity incidents or anomalies based on their severity to the Board and/or senior management?

B.16.11 Advocate
Clause Description: The organisation has established and implemented measures and processes to proactively search for threats that are hidden in its IT environment.
Question: Threat hunting: Has the organisation established and implemented measures and processes to proactively search for threats that are hidden in its IT environment?

B.17 Domain: Third-party risk and oversight


B.17.1 Supporter Domain is not assessable for this tier. However,
the organisation should ensure that section A.5.4
(b), (g) and (h) in the Cyber Essentials mark under
A.5 Secure/Protect: Access control domain on
third parties have been implemented.

They should also consider the section on securing
your access and environment in CSA's
cybersecurity toolkit for SME owners and/or
educating your employees on security and
securing your access and environment in CSA's
cybersecurity toolkit for organisation leaders
and/or IT teams.

B.17.2 Practitioner Domain is not assessable for this tier. However,
the organisation should ensure that section A.5.4
(b), (g) and (h) in the Cyber Essentials mark under
A.5 Secure/Protect: Access control domain on
third parties have been implemented.

They should also consider the section on securing
your access and environment in CSA’s
cybersecurity toolkit for SME owners and/or
educating your employees on security and
securing your access and environment in CSA’s
cybersecurity toolkit for organisation leaders
and/or IT teams.

B.17.3 Promoter Domain is not assessable for this tier. However,
the organisation should ensure that section A.5.4
(b), (g) and (h) in the Cyber Essentials mark under
A.5 Secure/Protect: Access control domain on
third parties have been implemented.

They should also consider the section on securing
your access and environment in CSA's
cybersecurity toolkit for SME owners and/or
educating your employees on security and
securing your access and environment in CSA's
cybersecurity toolkit for organisation leaders
and/or IT teams.

B.17.4 Performer Domain is not assessable for this tier. However,
the organisation should ensure that section A.5.4
(b), (g) and (h) in the Cyber Essentials mark under
A.5 Secure/Protect: Access control domain on
third parties have been implemented.

They should also consider the section on securing
your access and environment in CSA's
cybersecurity toolkit for SME owners and/or
educating your employees on security and
securing your access and environment in CSA's
cybersecurity toolkit for organisation leaders
and/or IT teams.

B.17.5 Advocate
Clause Description: The organisation has established and implemented service level agreements with its third parties to ensure that the third party meets the commitments and expectations on cybersecurity while providing services.
Question: Service level agreement: Has the organisation established and implemented service level agreements with its third parties to ensure that the third party meets the commitments and expectations on cybersecurity while providing services?

B.17.6 Advocate
Clause Description: The organisation has established and implemented measures to ensure that third parties are informed of their security obligations and to ensure that a security shared responsibility model is established for systems security and data protection; this shall include the organisation's CSPs and data centre service providers.
Question: Security obligations for third parties: Has the organisation established and implemented measures to ensure that third parties are informed of their security obligations and to ensure that a security shared responsibility model is established for systems security and data protection, including the organisation's CSPs and data centre service providers?

B.17.7 Advocate
Clause Description: The organisation has established and implemented measures to assess its third parties before engaging or on-boarding them to ensure that they meet all required security obligations based on the risks for the type of services they provide.
Question: Security assessments while engaging third parties: Has the organisation established and implemented measures to assess its third parties before engaging or on-boarding them to ensure that they meet all required security obligations based on the risks for the type of services they provide?

B.17.8 Advocate
Clause Description: The organisation has established and implemented measures to assess its third parties regularly based on the security obligations agreed on systems security and data protection.
Question: Periodic assessment of third parties: Has the organisation established and implemented measures to assess its third parties regularly based on the security obligations agreed on systems security and data protection?

B.17.9 Advocate
Clause Description: The organisation has established and implemented measures to ensure that third-party cybersecurity risk management practices, such as assessments performed and open risks from third parties engaged, are reported to the Board and/or senior management to keep them informed.
Question: Reporting to Board and/or senior management: Has the organisation established and implemented measures to ensure that third-party cybersecurity risk management practices, such as assessments performed and open risks from third parties engaged, are reported to the Board and/or senior management to keep them informed?

B.18 Domain: Vulnerability assessment


B.18.1 Supporter Domain is not assessable for this tier.
B.18.2 Practitioner Domain is not assessable for this tier.
B.18.3 Promoter
Clause Description: The organisation has established a vulnerability assessment plan with objectives, scope and requirements to review and perform vulnerability assessment on its systems.
Question: Vulnerability assessment plan: Has the organisation established a vulnerability assessment plan with objectives, scope and requirements to review and perform vulnerability assessment on its systems?

B.18.4 Promoter
Clause Description: The organisation performs regular vulnerability assessment at least on an annual basis to perform non-intrusive scans on its systems to ensure that vulnerabilities are discovered.
Question: Vulnerability assessment: Does the organisation perform regular vulnerability assessment at least on an annual basis to perform non-intrusive scans on its systems to ensure that vulnerabilities are discovered?

B.18.5 Performer
Clause Description: The organisation has defined and allocated roles and responsibilities for its employees on carrying out cybersecurity vulnerability assessment and management.
Question: Roles and responsibilities: Has the organisation defined and allocated roles and responsibilities for its employees on carrying out cybersecurity vulnerability assessment and management?

B.18.6 Performer
Clause Description: The organisation has established and implemented policies and procedures on the requirements, guidelines and detailed steps for conducting cybersecurity vulnerability assessments across its systems to ensure that steps are taken to address the risks associated with identified vulnerabilities in a timely manner.
Question: Vulnerability assessment policy and procedure: Has the organisation established and implemented policies and procedures on the requirements, guidelines and detailed steps for conducting cybersecurity vulnerability assessments across its systems to ensure that steps are taken to address the risks associated with identified vulnerabilities in a timely manner?

B.18.7 Performer
Clause Description: The organisation has established and implemented measures and processes to track, review, evaluate and address the vulnerabilities uncovered as part of the assessments to ensure that the vulnerabilities are being remediated according to their severity.
Question: Tracking and remediating identified vulnerabilities: Has the organisation established and implemented measures and processes to track, review, evaluate and address the vulnerabilities uncovered as part of the assessments to ensure that the vulnerabilities are being remediated according to their severity?

B.18.8 Advocate
Clause Description: The organisation has established and implemented a penetration test plan with the objectives, scope and rules of engagement to ensure that the penetration test can be performed safely.
Question: Penetration test plan: Has the organisation established and implemented a penetration test plan with the objectives, scope and rules of engagement to ensure that the penetration test can be performed safely?

B.18.9 Advocate
Clause Description: The organisation performs a regular penetration test at least on an annual basis to discover and exploit security weakness(es) in its systems to ensure that its systems' security can be evaluated.
Question: Penetration testing: Does the organisation perform a regular penetration test at least on an annual basis to discover and exploit security weakness(es) in its systems to ensure that its systems' security can be evaluated?

B.18.10 Advocate
Clause Description: The organisation has established and implemented metrics and thresholds, including dashboards, to provide reporting and tracking of open, overdue and severe vulnerabilities noted within its systems in order to provide visibility on tracking and remediations within established timelines.
Question: Follow up on vulnerability assessment findings: Has the organisation established and implemented metrics and thresholds, including dashboards, to provide reporting and tracking of open, overdue and severe vulnerabilities noted within its systems in order to provide visibility on tracking and remediations within established timelines?

B.18.11 Advocate
Clause Description: The organisation has established and implemented practices and measures to regularly report on the vulnerability assessment results and findings to the Board and/or senior management.
Question: Reporting of vulnerability assessment results: Has the organisation established and implemented practices and measures to regularly report on the vulnerability assessment results and findings to the Board and/or senior management?

B.19 Domain: Physical/environmental security


B.19.1 Supporter Domain is not assessable for this tier. However,
the organisation should consider the section on
cultivating cybersecurity leadership in the
organisation, educating your employees on
cybersecurity, securing your access and
environment and protecting your information
assets in CSA's cybersecurity toolkit for SME
owners, organisation leaders and/or IT teams.

B.19.2 Practitioner
Clause Description: The organisation has identified the physical/environmental risks in its environment and implemented detective measures to be alerted on threats to ensure that they are addressed in a timely manner.
Question: Detective control: Has the organisation identified the physical/environmental risks in its environment and implemented detective measures to be alerted on threats to ensure that they are addressed in a timely manner?

B.19.3 Practitioner
Clause Description: The organisation has implemented measures to protect its physical assets against internal and external threats, e.g., the use of cable locks, to ensure that they are not stolen or tampered with.
Question: Protection against internal and external threats: Has the organisation implemented measures to protect its physical assets against internal and external threats, e.g., the use of cable locks, to ensure that they are not stolen or tampered with?

B.19.4 Practitioner
Clause Description: The organisation has implemented physical security measures on its perimeter, e.g., fence and gate, to deter unauthorised access into the premises of the organisation.
Question: Security perimeter: Has the organisation implemented physical security measures on its perimeter, e.g., fence and gate, to deter unauthorised access into the premises of the organisation?

B.19.5 Promoter
Clause Description: The organisation has defined and implemented the process to ensure that visitors are registered and authorised before having access to the premises of the organisation.
Question: Preventive process: Has the organisation defined and implemented the process to ensure that visitors are registered and authorised before having access to the premises of the organisation?

B.19.6 Promoter
Clause Description: The organisation has defined and implemented the process to monitor its premises on a 24/7 basis, e.g., through the use of CCTV, to deter and investigate any physical/environmental threats.
Question: Monitoring process: Has the organisation defined and implemented the process to monitor its premises on a 24/7 basis, e.g., through the use of CCTV, to deter and investigate any physical/environmental threats?

B.19.7 Promoter
Clause Description: The organisation has defined and applied the process to store and transport physical media containing business-critical data securely within and out of its premises to ensure that confidential and/or sensitive data are protected.
Question: Physical media handling process: Has the organisation defined and applied the process to store and transport physical media containing business-critical data securely within and out of its premises to ensure that confidential and/or sensitive data are protected?

B.19.8 Performer
Clause Description: The organisation has established and implemented the policies and procedures on the requirements, guidelines and detailed steps for escalations and security access controls to minimise the impact and interference to its physical environment.
Question: Physical/environmental security policy and procedure: Has the organisation established and implemented the policies and procedures on the requirements, guidelines and detailed steps for escalations and security access controls to minimise the impact and interference to its physical environment?

B.19.9 Performer
Clause Description: The organisation has defined and allocated the roles and responsibilities in detecting, mitigating and responding against physical/environmental risks to ensure that employees are clear on the tasks assigned to them.
Question: Roles and responsibilities: Has the organisation defined and allocated the roles and responsibilities in detecting, mitigating and responding against physical/environmental risks to ensure that employees are clear on the tasks assigned to them?

B.19.10 Performer
Clause Description: The organisation has established and implemented the policies and procedures on the requirements, guidelines and detailed steps to perform reviews on the physical security measures and assets to ensure that they remain secure.
Question: Physical/environmental review: Has the organisation established and implemented the policies and procedures on the requirements, guidelines and detailed steps to perform reviews on the physical security measures and assets to ensure that they remain secure?

B.19.11 Advocate
Clause Description: The organisation has established and implemented policies or processes to report physical/environmental risks and controls to the Board and/or senior management to ensure that they are kept informed of the risks.
Question: Reporting of physical/environmental risks: Has the organisation established and implemented policies or processes to report physical/environmental risks and controls to the Board and/or senior management to ensure that they are kept informed of the risks?

B.19.12 Advocate
Clause Description: The organisation has established and implemented a process to review and improve the physical/environmental security measures to ensure that they are effective.
Question: Improvement on physical/environmental controls: Has the organisation established and implemented a process to review and improve the physical/environmental security measures to ensure that they are effective?

B.20 Domain: Network security

B.20.1 Supporter Domain is not assessable for this tier. However,
the organisation should ensure that A.2 Assets:
Hardware and software domain, A.4.4 (f), (g), (h)
and (k) under A.4 Secure/Protect: Virus and
malware protection and A.6 Secure/Protect:
Secure configuration in the Cyber Essentials mark
on network security have been implemented.

They should also consider the section on
protecting your information assets in CSA's
cybersecurity toolkit for SME owners and/or
protecting your information assets and securing
your access and environment in CSA's
cybersecurity toolkit for organisation leaders
and/or IT teams.

B.20.2 Practitioner
Clause Description: The organisation has configured and implemented access control (e.g., whitelisting, blacklisting) to its network to enforce network security policy and ensure that unauthorised users and/or devices are kept out.
Question: Access control to the network: Has the organisation configured and implemented access control (e.g., whitelisting, blacklisting) to its network to enforce network security policy and ensure that unauthorised users and/or devices are kept out?

B.20.3 Practitioner
Clause Description: The organisation has established and implemented the use of a stateful firewall over a basic packet filtering firewall to ensure that packets are filtered with more context for greater effectiveness.
Question: Stateful firewall: Has the organisation established and implemented the use of a stateful firewall over a basic packet filtering firewall to ensure that packets are filtered with more context for greater effectiveness?

B.20.4 Practitioner
Clause Description: The network architecture and devices have been reviewed regularly, at least on an annual basis, to ensure that they are up to date without obsolete rules and protocols.
Question: Network security review: Have the network architecture and devices been reviewed regularly, at least on an annual basis, to ensure that they are up to date without obsolete rules and protocols?

B.20.5 Promoter
Clause Description: The organisation has defined and implemented the process to configure both wired and wireless networks securely, minimally with the use of secure network authentication and encryption protocols and disabling Wi-Fi Protected Setup (WPS), to ensure that the network is secured and data is not lost or breached through the network.
Question: Network security process: Has the organisation defined and implemented the process to configure both wired and wireless networks securely, minimally with the use of secure network authentication and encryption protocols and disabling Wi-Fi Protected Setup (WPS), to ensure that the network is secured and data is not lost or breached through the network?

B.20.6 Promoter
Clause Description: The organisation has defined and applied a process to carry out network segmentation to segregate into private and public networks, with the private network holding all the business-critical data and having no connection to the Internet, to ensure that it is isolated from external threats.
Question: Network segmentation: Has the organisation defined and applied a process to carry out network segmentation to segregate into private and public networks, with the private network holding all the business-critical data and having no connection to the Internet, to ensure that it is isolated from external threats?

B.20.7 Performer
Clause Description: The organisation has established and implemented security policies and procedures with the requirements, guidelines and detailed steps to harden the network architecture, device and access security.
Question: Network security policies and procedures: Has the organisation established and implemented security policies and procedures with the requirements, guidelines and detailed steps to harden the network architecture, device and access security?

B.20.8 Performer
Clause Description: The organisation has defined and allocated roles and responsibilities to oversee, manage and monitor network security to ensure that the employees are clear on the tasks assigned to them.
Question: Roles and responsibilities: Has the organisation defined and allocated roles and responsibilities to oversee, manage and monitor network security to ensure that the employees are clear on the tasks assigned to them?

B.20.9 Performer
Clause Description: The organisation has established and implemented network intrusion detection on the organisation’s network to monitor and detect malicious network traffic to ensure that it can be identified and addressed in a timely manner.
Question: Network intrusion detection: Has the organisation established and implemented network intrusion detection on the organisation’s network to monitor and detect malicious network traffic to ensure that it can be identified and addressed in a timely manner?

B.20.10 Advocate
Clause Description: The organisation has established and implemented the policies and processes to evaluate the performance of the network security devices in terms of their effectiveness in blocking malicious traffic and to carry out improvements.
Question: Improvement on network security devices: Has the organisation established and implemented the policies and processes to evaluate the performance of the network security devices in terms of their effectiveness in blocking malicious traffic and to carry out improvements?

B.20.11 Advocate
Clause Description: The organisation has established and implemented network intrusion prevention on the organisation’s network to block malicious network traffic and ensure that it is protected from threats.
Question: Network intrusion prevention: Has the organisation established and implemented network intrusion prevention on the organisation’s network to block malicious network traffic and ensure that it is protected from threats?

B.21 Domain: Incident response


B.21.1 Supporter
Clause Description: The organisation has implemented all the cybersecurity requirements in the Cyber Essentials mark under A.9 Respond: Incident response to ensure that it is ready to detect, respond to, and recover from cybersecurity incidents.
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity requirements in the Cyber Essentials mark under A.9 Respond: Incident response to ensure that it is ready to detect, respond to, and recover from cybersecurity incidents?

B.21.2 Practitioner
Clause Description: The organisation has implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.9 Respond: Incident response to ensure that it is ready to detect, respond to, and recover from cybersecurity incidents.
Question: Security controls for Cyber Essentials mark: Has the organisation implemented all the cybersecurity recommendations in the Cyber Essentials mark under A.9 Respond: Incident response to ensure that it is ready to detect, respond to, and recover from cybersecurity incidents?

B.21.3 Promoter
Clause Description: The organisation has defined and applied measures to verify the contact details and ensure that the employees involved in the cybersecurity incident response plan are contactable to ensure that they are able to respond in a timely manner.
Question: Communication: Has the organisation defined and applied measures to verify the contact details and ensure that the employees involved in the cybersecurity incident response plan are contactable to ensure that they are able to respond in a timely manner?

B.21.4 Promoter
Clause Description: The organisation has defined and applied the process to perform cyber exercises to ensure that the stakeholders are involved and know what to do when an incident occurs, so that they are well prepared.
Question: Cyber exercise: Has the organisation defined and applied the process to perform cyber exercises to ensure that the stakeholders are involved and know what to do when an incident occurs, so that they are well prepared?

B.21.5 Performer
Clause Description: The organisation has defined and applied a process to carry out post-incident review against the cyber exercise or cybersecurity incident to identify areas of improvement and ensure that the incident response plan and process can be strengthened.
Question: Post-incident review: Has the organisation defined and applied a process to carry out post-incident review against the cyber exercise or cybersecurity incident to identify areas of improvement and ensure that the incident response plan and process can be strengthened?

B.21.6 Performer
Clause Description: The organisation has established and implemented the policies and procedures on the requirements, guidelines and detailed steps to conduct investigation into the incident and gather evidence to ensure that it is able to identify the root cause.
Question: Incident investigation: Has the organisation established and implemented the policies and procedures on the requirements, guidelines and detailed steps to conduct investigation into the incident and gather evidence to ensure that it is able to identify the root cause?

Date: 04/24/2024 CONFIDENTIAL Page 57 of 74

Cyber Trust mark — Self-assessment questionnaire

Columns: Clause | Preparedness Tier | Clause Description | Question | Organisation Response | Provide justification if "Not applicable"
B.21.7 [Advocate]
Clause description: The organisation has established and incorporated cybersecurity-related incidents into its crisis management plan to respond against incidents of higher magnitude and impact to ensure that they are treated with the appropriate urgency.
Question: Crisis management plan: Has the organisation established and incorporated cybersecurity-related incidents into its crisis management plan to respond against incidents of higher magnitude and impact to ensure that they are treated with the appropriate urgency?

B.21.8 [Advocate]
Clause description: The organisation has established and implemented the policy and process to report cybersecurity incidents and conclude the findings to the Board and/or senior management to ensure that they are kept informed.
Question: Incident reporting to Board and/or senior management: Has the organisation established and implemented the policy and process to report cybersecurity incidents and conclude the findings to the Board and/or senior management to ensure that they are kept informed?

B.22 Domain: Business continuity/Disaster recovery


B.22.1 [Supporter]
Clause description: Domain is not assessable for this tier. However, the organisation should consider the section on ensuring the business is cyber resilient in CSA's cybersecurity toolkit for SME owners, organisation leaders and/or IT teams.

B.22.2 [Practitioner]
Clause description: The organisation has identified the critical assets in the organisation that require high availability and performed measures to ensure that there are redundancies for them.
Question: Identifying assets requiring high availability: Has the organisation identified the critical assets in the organisation that require high availability and performed measures to ensure that there are redundancies for them?

B.22.3 [Promoter]
Clause description: The organisation has defined and applied the process of business impact analysis to identify the critical processes and expected Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for business resumption.
Question: Business impact analysis: Has the organisation defined and applied the process of business impact analysis to identify the critical processes and expected RTO and RPO for business resumption?

B.22.4 [Promoter]
Clause description: The organisation has defined and applied the process to perform redundancy on systems to ensure the cyber resilience of its systems.
Question: Redundancy process: Has the organisation defined and applied the process to perform redundancy on systems to ensure the cyber resilience of its systems?

B.22.5 [Performer]
Clause description: The organisation has established and implemented the business continuity/disaster recovery policies with the requirements, roles and responsibilities and guidelines including the recovery time objectives (RTO) and recovery point objectives (RPO) to ensure that business resumption can be carried out in accordance with the system's criticality.
Question: Business continuity/disaster recovery policy: Has the organisation established and implemented the business continuity/disaster recovery policies with the requirements, roles and responsibilities and guidelines including the RTO and RPO to ensure that business resumption can be carried out in accordance with the system's criticality?

B.22.6 [Performer]
Clause description: The organisation has established and implemented a business continuity/disaster recovery plan to respond and recover against the common business disruption scenarios including those caused by cybersecurity incidents to ensure cyber resiliency.
Question: Business continuity/disaster recovery plan: Has the organisation established and implemented a business continuity/disaster recovery plan to respond and recover against the common business disruption scenarios including those caused by cybersecurity incidents to ensure cyber resiliency?

B.22.7 [Performer]
Clause description: The organisation performs regular reviews at least on an annual basis on the business continuity/disaster recovery plan to ensure it is kept up to date.
Question: Business continuity/disaster recovery plan review: Does the organisation perform regular reviews at least on an annual basis on the business continuity/disaster recovery plan to ensure that it is kept up to date?

B.22.8 [Performer]
Clause description: The organisation has established and implemented the policy and process to test its business continuity/disaster recovery plan regularly, at least on an annual basis, to ensure the effectiveness of the plan in achieving its objectives.
Question: Business continuity/disaster recovery plan test: Has the organisation established and implemented the policy and process to test its business continuity/disaster recovery plan regularly, at least on an annual basis, to ensure the effectiveness of the plan in achieving its objectives?

B.22.9 [Advocate]
Clause description: The organisation performs monitoring on the RTO and RPO during business continuity/disaster recovery to ensure that they fall within the targets and reports the findings to the Board and/or senior management.
Question: Monitoring against RTO/RPO: Does the organisation perform monitoring on the RTO and RPO during business continuity/disaster recovery to ensure that they fall within the targets and report the findings to the Board and/or senior management?

B.22.10 [Advocate]
Clause description: The organisation performs coordinated business continuity/disaster recovery exercises with its third parties for an extended period of time to evaluate the effectiveness of the processes and procedures.
Question: Business continuity/disaster recovery exercise: Does the organisation perform coordinated business continuity/disaster recovery exercises with its third parties for an extended period of time to evaluate the effectiveness of the processes and procedures?
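The monitoring that B.22.3 and B.22.9 ask for can be reduced to two measurements per critical system: achieved RPO (time from the last restorable backup to the start of the outage) and achieved RTO (time from the start of the outage to service restoration, or to "now" if the system is still down), each compared with the target from the business impact analysis. The script below is an added example, not part of the CSA template or its tooling; the system names, targets, timestamps and the report time are constructed sample data.

```python
"""RTO/RPO monitoring during a business continuity/disaster recovery event.

Added example, not part of the CSA template. It takes each critical
system's RTO and RPO targets from the business impact analysis (B.22.3)
together with the timestamps recorded during recovery, computes the
achieved RTO (outage start to service restored) and achieved RPO (last
restorable backup to outage start), flags breaches and rolls them up for
the Board/senior management report (B.22.9). The systems, targets and
timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class RecoveryRecord:
    system: str
    rto_target: timedelta                 # maximum tolerable downtime (BIA)
    rpo_target: timedelta                 # maximum tolerable data loss (BIA)
    last_good_backup: datetime            # newest restorable backup before the event
    outage_start: datetime
    service_restored: Optional[datetime]  # None while the system is still down


def achieved(rec: RecoveryRecord, now: datetime) -> Tuple[timedelta, timedelta]:
    """Return (achieved RTO, achieved RPO). A system still down is measured
    up to `now`, so its RTO keeps growing and a breach shows immediately."""
    rpo = rec.outage_start - rec.last_good_backup
    rto = (rec.service_restored or now) - rec.outage_start
    return rto, rpo


def evaluate(records: List[RecoveryRecord], now: datetime) -> List[Dict]:
    """One row per system with achieved values and met/not-met flags."""
    rows = []
    for r in records:
        rto, rpo = achieved(r, now)
        rows.append({
            "system": r.system,
            "rto_hours": round(rto.total_seconds() / 3600, 2),
            "rto_met": rto <= r.rto_target,
            "rpo_hours": round(rpo.total_seconds() / 3600, 2),
            "rpo_met": rpo <= r.rpo_target,
            "restored": r.service_restored is not None,
        })
    return rows


def board_summary(rows: List[Dict]) -> Dict[str, int]:
    """Headline figures for the B.22.9 report to the Board/senior management."""
    return {
        "systems": len(rows),
        "rto_breaches": sum(not r["rto_met"] for r in rows),
        "rpo_breaches": sum(not r["rpo_met"] for r in rows),
        "still_down": sum(not r["restored"] for r in rows),
    }


H = timedelta(hours=1)
# Constructed DR event: every system went down at 02:00 on 2024-04-24.
OUTAGE = datetime(2024, 4, 24, 2, 0)
SAMPLE_RECORDS = [
    RecoveryRecord("ERP", 4 * H, 1 * H, OUTAGE - timedelta(minutes=30), OUTAGE, OUTAGE + 3 * H),
    RecoveryRecord("Web store", 2 * H, timedelta(minutes=15), OUTAGE - 3 * H, OUTAGE,
                   OUTAGE + timedelta(minutes=90)),
    RecoveryRecord("Payroll", 24 * H, 24 * H, OUTAGE - 6 * H, OUTAGE, None),
]
NOW = datetime(2024, 4, 25, 4, 0)  # report generated 26 h after the outage began


def evaluate_sample() -> List[Dict]:
    """Evaluate the constructed event as of NOW."""
    return evaluate(SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    for row in evaluate_sample():
        print(row)
    print(board_summary(evaluate_sample()))
```

In the constructed event the web store meets its RTO but misses a 15-minute RPO because its last backup was three hours old, and payroll is still down 26 hours in and so has already breached a 24-hour RTO; both are the kind of finding the clause expects to reach senior management rather than stay in the recovery team's notes.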


3.2 Cyber preparedness questionnaire for Cyber Trust mark – Clauses reference in Cyber Essentials mark

Columns: Cyber Essentials Clause | Clause Description | Cyber Trust Clause | Cyber Trust Preparedness Tier | Implementation status | Remarks

A.1 Assets: People – Equip employees with know-how to be the first line of defence

A.1.4 (a) [B.7.1, Supporter]: The organisation shall put in place cybersecurity awareness training for all employees to ensure that employees are aware of the security practices and behaviour expected of them. Organisations may meet this requirement in different ways, e.g., providing self-learning materials for employees or engaging external training providers.

A.1.4 (b) [B.7.1, Supporter]: Cyber hygiene practices and guidelines shall be developed for employees to adopt in their daily operations.

A.1.4 (c) [B.7.2, Practitioner]: The cyber hygiene practices and guidelines should include topics to mitigate cybersecurity incidents arising from the human factor as follows:
– Protect yourself from phishing;
– Set strong passphrases and protect them;
– Protect your corporate and/or personal devices (used for work);
– Report cybersecurity incidents;
– Handle and disclose business-critical data carefully; and
– Work onsite and remotely in a secure manner.

A.1.4 (d) [B.7.2, Practitioner]: Where feasible, the training content should be differentiated based on the role of the employees:
– Senior management or business leaders – e.g., developing a cybersecurity culture/mindset in the organisation or establishing a cybersecurity strategy or workplan.
– Employees – e.g., using strong passphrases and protecting the corporate and/or personal devices used for work.

A.1.4 (e) [B.7.2, Practitioner]: As good practice, such cybersecurity awareness initiatives should be conducted at least annually to refresh employees’ awareness.

A.2 Assets: Hardware and software – Know what hardware and software the organisation has and protect them

A.2.4 (a) [B.8.1, Supporter]: An up-to-date asset inventory of all the hardware and software assets shall be maintained in the organisation. Organisations may meet this requirement in different ways, e.g., use of a spreadsheet or IT asset management software to maintain the IT asset inventory.

A.2.4 (b) [B.8.2, Practitioner]: Hardware assets within the scope of certification may include servers, network devices, laptops and computers. If the scope of the certification includes hardware assets such as mobile devices and/or IoT devices:
Mobile devices
– Organisations should include company-issued mobile devices as part of the asset inventory, e.g., mobile phones and tablets.
IoT devices
– Organisations should include IoT devices used within the organisation as part of the asset inventory, e.g., Closed Circuit Television (CCTV), smart printers, smart televisions.

A.2.4 (c) [B.8.2, Practitioner]: The inventory list should contain details of the hardware assets where available as follows:
– Hardware name/model;
– Asset tag/serial number;
– Asset type;
– Asset location;
– Network address;
– Asset owner;
– Asset classification;
– Department;
– Approval/authorised date; and
– End of Support (EOS) date.

A.2.4 (d) [B.8.1, Supporter]: Software assets within the scope of certification may include software applications used by the organisation. If the scope of certification includes a cloud environment:
Cloud
– The organisation shall include what is hosted on the cloud instances, e.g., software and Operating System (OS).
A.2.4 (e) [B.8.2, Practitioner]: The inventory list should contain the details of the software assets where available, as follows:
– Software name;
– Software publisher;
– Software version;
– Business purpose;
– Asset classification;
– Approval/authorised date; and
– EOS date.

A.2.4 (f) [B.8.2, Practitioner]: As good practice, the hardware and software asset inventory list should be reviewed at least bi-annually (twice per year).

A.2.4 (g) [B.8.1, Supporter]: Hardware and software assets that are unauthorised or have reached their respective EOS shall be replaced.

A.2.4 (h) [B.8.1, Supporter]: In the event of any continued use of EOS assets, the organisation shall assess and understand the risk, obtain approval from senior management, and monitor the asset until it is replaced.

A.2.4 (i) [B.8.1, Supporter]: An authorisation process shall be developed to onboard new hardware and software into the organisation. Organisations may meet this requirement in different ways, e.g., email approval from senior management, ensuring that new hardware and software come from official or trusted sources, performing malware scans to verify that the asset is clean and maintaining asset whitelisting/blacklisting.

A.2.4 (j) [B.8.1, Supporter]: The date of authorisation of software and hardware shall be keyed into the asset inventory list after obtaining the relevant dispensation, e.g., obtaining email approval or through the use of an approval form.

A.2.4 (k) [B.8.1, Supporter]: Software and hardware without approval dates shall be removed.

A.2.4 (l) [B.8.1, Supporter]: Before disposing of any hardware asset, the organisation shall ensure that all confidential information has been deleted, e.g., encrypting the hard disk before reformatting and overwriting it.

A.2.4 (m) [B.8.2, Practitioner]: The organisation should carry out steps to ensure that the assets are disposed of securely and completely, e.g., destroy the hard disks physically or engage disk shredding services.
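Clauses A.2.4 (f), (g), (h) and (k) describe rules that can be applied mechanically to the inventory of A.2.4 (c) and (j): an overdue review, assets past End of Support, EOS assets that may stay only while a senior-management risk acceptance is on record, and assets with no approval date. The script below is an added example, not CSA's own tooling or a required format; the inventory rows, dates and approver are constructed, and the 183-day review window is this example's reading of "at least bi-annually".

```python
"""Asset inventory hygiene checks.

Added example, not CSA's own tooling. It implements the checks behind
A.2.4 (f), (g), (h) and (k): an inventory review that is overdue, assets
that have reached End of Support (EOS), continued EOS use that is only
acceptable while a senior-management risk acceptance is on record, and
assets that carry no approval/authorised date. Field names follow
A.2.4 (c) and (j); every row, date and approver below is constructed
sample data, and the 183-day review window is this example's reading of
"at least bi-annually".
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

REVIEW_INTERVAL_DAYS = 183  # assumption: half a year, per A.2.4 (f)


@dataclass
class Asset:
    name: str
    asset_tag: str
    asset_type: str
    owner: str
    approved_on: Optional[date]        # A.2.4 (j): date of authorisation
    eos_date: Optional[date]           # A.2.4 (c): End of Support date
    # A.2.4 (h): (approver, acceptance expiry) for continued EOS use
    eos_risk_acceptance: Optional[Tuple[str, date]] = None


@dataclass
class Finding:
    asset_tag: str
    clause: str
    action: str  # "<verb>: <reason>"


def review_overdue(last_review_iso: str, today_iso: str) -> bool:
    """A.2.4 (f): True when the inventory has not been reviewed within the window."""
    last = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    return (today - last).days > REVIEW_INTERVAL_DAYS


def check_inventory(assets: List[Asset], today: date) -> List[Finding]:
    """Apply the EOS and approval-date rules to every asset."""
    findings: List[Finding] = []
    for a in assets:
        if a.approved_on is None:
            # A.2.4 (k): an asset without an approval date is removed outright
            findings.append(Finding(a.asset_tag, "A.2.4 (k)",
                                    "remove: no approval/authorised date recorded"))
            continue
        if a.eos_date is None or a.eos_date > today:
            continue  # still supported: nothing to do
        acceptance = a.eos_risk_acceptance
        if acceptance is None:
            # A.2.4 (g): EOS reached and no documented risk acceptance
            findings.append(Finding(a.asset_tag, "A.2.4 (g)",
                                    "replace: EOS reached, no risk acceptance on record"))
        elif acceptance[1] < today:
            findings.append(Finding(a.asset_tag, "A.2.4 (h)",
                                    f"re-approve or replace: acceptance by {acceptance[0]} expired"))
        else:
            # A.2.4 (h): continued use is allowed but must be monitored
            findings.append(Finding(a.asset_tag, "A.2.4 (h)",
                                    f"monitor: EOS use accepted by {acceptance[0]} until {acceptance[1]}"))
    return findings


# Constructed sample inventory (names, tags, dates and approver are made up).
SAMPLE_INVENTORY = [
    Asset("File server", "SRV-001", "server", "IT", date(2022, 3, 1), date(2027, 1, 1)),
    Asset("Legacy edge router", "NET-017", "network device", "Ops", date(2019, 6, 15), date(2023, 12, 31)),
    Asset("Archive NAS", "STO-004", "storage", "IT", date(2018, 1, 10), date(2023, 6, 30),
          eos_risk_acceptance=("CTO (sample approver)", date(2025, 6, 30))),
    Asset("Unrecorded laptop", "LAP-099", "laptop", "Sales", None, None),
]


def run_sample_checks(today_iso: str = "2024-04-24") -> Dict[str, Tuple[str, str]]:
    """Run the checks on the sample inventory; returns {asset_tag: (clause, verb)}."""
    today = date.fromisoformat(today_iso)
    return {f.asset_tag: (f.clause, f.action.split(":")[0])
            for f in check_inventory(SAMPLE_INVENTORY, today)}


if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY, date.fromisoformat("2024-04-24")):
        print(f"{f.asset_tag}: {f.clause}: {f.action}")
```

Run on the sample date the script replaces the router (EOS, no acceptance), keeps the NAS under monitoring because its acceptance is still valid, and removes the laptop that was never approved; re-run a year later the NAS acceptance has lapsed and it is flagged for re-approval or replacement, which is the "monitor until replaced" loop that A.2.4 (h) asks for.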

A.3 Assets: Data – Know what data the organisation has, where they are, and secure the data

A.3.4 (a) [B.9.1, Supporter]: The organisation shall identify and maintain an inventory of business-critical data in the organisation. Organisations may meet this requirement in different ways, e.g., using a spreadsheet or asset inventory software. The inventory list shall contain details of the data as follows:
– Description;
– Data classification and/or sensitivity;
– Location; and
– Retention period.

A.3.4 (b) [B.9.4, Practitioner]: Review of the inventory list should be carried out at least annually, or whenever there is any change to the data captured by the organisation.

A.3.4 (c) [B.9.1, Supporter]: The organisation shall establish a process to protect its business-critical data, e.g., password-protected documents, encryption of personal data (at rest) and/or emails.

A.3.4 (d) [B.9.1, Supporter]: There shall also be measures in place to prevent the employees from leaking confidential and/or sensitive data outside of the organisation, e.g., disabling USB ports.

A.3.4 (e) [B.9.1, Supporter]: Before disposing of any paper-based (hard copy) media, the organisation shall carry out steps to ensure that those containing confidential and/or sensitive data have been securely shredded.

A.4 Secure/Protect: Virus and malware protection – Protect from malicious software like viruses and malware

A.4.4 (a) [B.13.1, Supporter]: Anti-malware solutions shall be used and installed in endpoints to detect attacks on the organisation’s environment. Examples of endpoints include laptop computers, desktop computers, servers and virtual environments.

A.4.4 (b) [B.13.1, Supporter]: Virus and malware scans shall be carried out to detect possible cyberattacks. Where feasible, scans should always be automated and remain active to provide constant protection.

A.4.4 (c) [B.13.1, Supporter]: Organisations shall enable auto-updates or configure the anti-malware solution to update signature files or equivalent (e.g., non-signature-based machine learning solutions) to detect new malware. Where possible, these updates should take place at least daily to stay protected from the latest malware.

A.4.4 (d) [B.13.1, Supporter]: The anti-malware solution shall be configured to automatically scan files upon access. This includes files and attachments downloaded from the Internet through the web browser or email and from external sources such as portable USB drives.
A.4.4 (e) [B.13.2, Practitioner]: If the scope of certification includes mobile devices, IoT devices, cloud environment or use of web browser/email:
Mobile devices
– Anti-malware solution should be installed and running on mobile devices.
IoT devices
– Anti-malware solution should be integrated with the IoT devices, e.g., CCTV, smart television, smart printers, digital door lock.
Cloud
– Anti-malware solution should be deployed on the cloud platform.
Web browser/email
– Only fully supported web browsers and email client software with security controls should be used.
– Anti-phishing and spam filtering tools should be established for the web browser/email client software.
– Web browser and/or email plug-ins/extensions/add-ons that are not necessary should be disabled and/or removed.
– Web filtering should be deployed to protect the business from malicious sites, where feasible.

A.4.4 (f) [B.13.1, Supporter]: Firewalls shall be deployed or switched on to protect the network, systems, and endpoints such as laptops, desktops, servers, and virtual environments. In an environment where there is an organisation’s network setup, a network perimeter firewall shall be configured to analyse and accept only authorised network traffic into the organisation’s network. Examples can include packet filter, Domain Name System (DNS) firewall and application-level gateway firewall with rules to restrict and filter network traffic. Depending on the organisation’s network setup, the firewall functionality may be integrated with other networking devices or be a standalone device.

A.4.4 (g) [B.13.2, Practitioner]: In an environment where there are endpoints connecting to the Internet and/or cloud-based applications, a software firewall (host-based firewall) should be configured and switched on for all the endpoints in the organisation where available, e.g., turning on the built-in software firewall feature included in most operating systems or anti-malware solutions.

A.4.4 (h) [B.13.2, Practitioner]: As good practice, firewall configurations and rules should ideally be reviewed and verified annually to protect the organisation’s Internet-facing assets where applicable.

A.4.4 (i) [B.13.2, Practitioner]: If the scope of certification includes mobile and/or IoT devices:
Mobile devices
– It is recommended that firewalls should be installed and enabled on employees’ mobile devices.
IoT devices
– It is recommended that firewalls should be configured and enabled on IoT devices where possible.

A.4.4 (j) [B.13.1, Supporter]: The organisation shall ensure that its employees install/access only authorised software/attachments within the organisation from official or trusted sources.

A.4.4 (k) [B.13.1, Supporter]: The organisation shall ensure that employees are aware of the use of trusted network connections for accessing the organisation’s data or business email, e.g., mobile hotspot, personal Wi-Fi, corporate Wi-Fi and Virtual Private Network (VPN).

A.4.4 (l) [B.13.1, Supporter]: The organisation shall ensure that its employees are aware of the need to report any suspicious email or attachment to the IT team and/or senior management immediately.

A.5 Secure/Protect: Access control – Control access to the organisation’s data and services

A.5.4 (a) [B.15.1, Supporter]: Account management shall be established to maintain and manage the inventory of accounts. The organisation may meet this in different ways, e.g., use of spreadsheets or exporting the list from software directory services.

A.5.4 (b) [B.15.1, Supporter]: The account inventory list shall contain details for user, administrator, third-party, and service accounts not limited to the following:
– Name;
– Username;
– Department;
– Role/account type;
– Date of access created; and
– Last logon date.
A.5.4 (c) [B.15.1, Supporter]: The organisation shall have a process with the necessary approvals to grant and revoke access. The organisation may implement this in different ways, e.g., email approval or access request form. This shall be implemented when there are personnel changes such as onboarding of new staff or change of role(s) for employees. The following fields shall be captured:
– Name;
– System to access;
– Department;
– Role/account type;
– From date; and
– To date.

A.5.4 (d) [B.15.1, Supporter]: Access shall be managed to ensure employees can access only the information and systems required for their job role.

A.5.4 (e) [B.15.1, Supporter]: Accounts with access rights that are no longer required or have exceeded the requested date shall have their access disabled or removed from the system. Shared, duplicate, obsolete and invalid accounts shall be removed.

A.5.4 (f) [B.15.1, Supporter]: The administrator account shall only be accessed to perform administrator functions with approval from the senior management.

A.5.4 (g) [B.15.1, Supporter]: Access shall be managed to ensure that third parties or contractors can access only the information and systems required for their job role. Such access shall be removed once they no longer require it.

A.5.4 (h) [B.15.1, Supporter]: Third parties or contractors working with sensitive information in the organisation shall sign a non-disclosure agreement form. The form should include disciplinary action(s) for failure to abide by the agreement.

A.5.4 (i) [B.15.1, Supporter]: Physical access control shall be enforced to allow only authorised employees/contractors to access the organisation’s IT assets and/or environment, e.g., use of cable locks to secure the workstations and card-access door locks to authenticate and authorise entry.

A.5.4 (j) [B.15.2, Practitioner]: As good practice, account reviews should be carried out at least quarterly or whenever there are changes to the account list, e.g., during onboarding and offboarding processes or organisation restructuring.

A.5.4 (k) [B.15.2, Practitioner]: Dormant or inactive accounts which have been inactive for a prolonged period, e.g., sixty (60) days, should be removed or disabled.

A.5.4 (l) [B.15.1, Supporter]: The organisation shall change all default passwords and replace them with a strong passphrase, e.g., it should be at least twelve (12) characters long and include upper case, lower case, and/or special characters.

A.5.4 (m) [B.15.1, Supporter]: User accounts shall be disabled and/or locked out after multiple failed login attempts, e.g., after ten (10) failed login attempts, ’throttling’ the rate of attempts.

A.5.4 (n) [B.15.1, Supporter]: The account password shall be changed in the event of any suspected compromise.

A.5.4 (o) [B.15.2, Practitioner]: Where feasible, two-factor authentication (2FA) should be used for administrative access to important systems, such as an Internet-facing system containing sensitive or business-critical data. Organisations may implement this in different ways, e.g., use of an authenticator application on the mobile or a one-time password (OTP) token.

A.5.4 (p) [B.15.2, Practitioner]: Where feasible, trusted software to manage passphrases should be used to aid employee passphrase management.
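Two of the controls in this domain are mechanisms rather than policy: the dormant-account sweep of A.5.4 (k) over the inventory fields of A.5.4 (b), and the failed-login lockout with throttling of A.5.4 (m). The script below is an added example, not CSA's tooling or a mandated design; the account list and login events are constructed, the 60-day and 10-attempt values are the example figures the clauses give, and the exponential back-off with a 300-second cap is this example's own choice of throttling.

```python
"""Account control checks: dormant accounts and failed-login lockout.

Added example, not CSA's own tooling. It shows two mechanisms behind
A.5.4 (k) and A.5.4 (m): a sweep over the account inventory of A.5.4 (b)
that reports accounts with no logon for sixty days, and a per-account
login guard that throttles retries with a growing delay and locks the
account after ten failed attempts until an administrator resets it. The
accounts and login events are constructed sample data; 60 days and 10
attempts are the example values the clauses themselves give.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Set

DORMANT_DAYS = 60          # A.5.4 (k)
MAX_FAILED_ATTEMPTS = 10   # A.5.4 (m)
MAX_BACKOFF_SECONDS = 300  # assumption: cap on the throttling delay


@dataclass
class Account:
    username: str
    role: str                   # user / administrator / third-party / service
    created_on: date            # A.5.4 (b): date of access created
    last_logon: Optional[date]  # A.5.4 (b): last logon date (None = never)


def dormant_accounts(accounts: List[Account], today: date,
                     dormant_days: int = DORMANT_DAYS) -> List[str]:
    """Usernames to disable or remove: no logon for `dormant_days` or more.
    An account that has never logged on is measured from its creation date,
    so a stale provisioned account is not silently exempt."""
    return [a.username for a in accounts
            if (today - (a.last_logon or a.created_on)).days >= dormant_days]


class LoginGuard:
    """Per-username failed-login tracking.

    Throttling: after each failure the next attempt for that username is
    ignored until a back-off of 2**failures seconds (capped) has passed.
    Lockout: when failures reach MAX_FAILED_ATTEMPTS the account is locked
    and stays locked until admin_reset() is called.
    """

    def __init__(self, max_attempts: int = MAX_FAILED_ATTEMPTS,
                 max_backoff_s: int = MAX_BACKOFF_SECONDS) -> None:
        self.max_attempts = max_attempts
        self.max_backoff_s = max_backoff_s
        self._failures: Dict[str, int] = {}
        self._next_allowed: Dict[str, datetime] = {}
        self.locked: Set[str] = set()

    def attempt(self, username: str, password_ok: bool, now: datetime) -> str:
        """Return 'ok', 'failed', 'throttled' or 'locked' for one login attempt."""
        if username in self.locked:
            return "locked"
        if now < self._next_allowed.get(username, now):
            return "throttled"  # ignored entirely; it neither counts nor resets anything
        if password_ok:
            self._failures.pop(username, None)
            self._next_allowed.pop(username, None)
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_attempts:
            self.locked.add(username)
            return "locked"
        delay = min(2 ** count, self.max_backoff_s)
        self._next_allowed[username] = now + timedelta(seconds=delay)
        return "failed"

    def admin_reset(self, username: str) -> None:
        """Administrator action that clears the lockout and the counters."""
        self.locked.discard(username)
        self._failures.pop(username, None)
        self._next_allowed.pop(username, None)


# Constructed sample account inventory.
SAMPLE_ACCOUNTS = [
    Account("alice", "user", date(2021, 5, 3), date(2024, 4, 20)),
    Account("bob-contractor", "third-party", date(2023, 11, 1), date(2024, 1, 15)),
    Account("svc-legacy", "service", date(2020, 2, 1), None),
    Account("carol-admin", "administrator", date(2024, 3, 10), date(2024, 4, 23)),
]


def sample_dormant(today_iso: str = "2024-04-24") -> List[str]:
    """Dormant-account sweep over the sample inventory."""
    return dormant_accounts(SAMPLE_ACCOUNTS, date.fromisoformat(today_iso))


def simulate_brute_force() -> List[str]:
    """Twelve wrong passwords for one account, each sent after the back-off has
    elapsed, then the correct password, then an admin reset and the correct
    password again. Returns the outcome of each attempt."""
    guard = LoginGuard()
    t = datetime(2024, 4, 24, 9, 0, 0)
    outcomes = []
    for _ in range(12):
        outcomes.append(guard.attempt("svc-backup", False, t))
        t += timedelta(seconds=MAX_BACKOFF_SECONDS)  # wait out any back-off
    outcomes.append(guard.attempt("svc-backup", True, t))
    guard.admin_reset("svc-backup")
    outcomes.append(guard.attempt("svc-backup", True, t))
    return outcomes


def simulate_fast_retry() -> List[str]:
    """Two wrong passwords one second apart: the second is throttled."""
    guard = LoginGuard()
    t = datetime(2024, 4, 24, 9, 0, 0)
    return [guard.attempt("alice", False, t),
            guard.attempt("alice", False, t + timedelta(seconds=1))]
```

The tenth failure locks the account and the correct password is refused until an administrator intervenes, which is the behaviour A.5.4 (m) describes; the throttled attempt is discarded rather than counted so that a burst of retries cannot be used either to reach the lockout threshold faster or to infer anything about the password. The dormant sweep treats a never-used account as inactive since creation, which catches provisioned-but-unused service accounts that a naive "last logon" check would skip.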
A.6 Secure/Protect: Secure configuration – Use secure settings for the organisation’s hardware and software

A.6.4 (a) [B.12.1, Supporter]: Security configurations shall be enforced for the assets including desktop computers, servers and routers. Organisations may meet this requirement in different ways, e.g., adopting industry recommendations and standards such as Center for Internet Security (CIS) benchmarks on configuration guidelines across multiple vendor products, running a baseline security analyser and/or using system configuration scripts.

A.6.4 (b) [B.12.1, Supporter]: Weak or default configurations shall be avoided or updated before using them, e.g., changing default passwords and performing deep scanning with the anti-malware solution instead of a standard scan.

A.6.4 (c) [B.12.1, Supporter]: Insecure configurations and weak protocols shall be replaced or upgraded to address the associated vulnerabilities, e.g., using Hypertext Transfer Protocol Secure (HTTPS) over normal Hypertext Transfer Protocol (HTTP) to encrypt data communication and upgrading Wired Equivalent Privacy (WEP) to Wi-Fi Protected Access 2/3 (WPA2/WPA3) to enhance the Wi-Fi security standards.

A.6.4 (d) [B.12.1, Supporter]: Features, services, or applications that are not in use shall be disabled or removed, e.g., disabling file sharing services, software macros and File Transfer Protocol (FTP) ports.
A.6.4 (e) [B.12.1, Supporter]: Automatic connection to open networks and the auto-run feature of non-essential programs (other than backup or anti-malware solutions, etc.) shall be disabled.

A.6.4 (f) [B.12.2, Practitioner]: Logging should also be enabled for software and hardware assets where feasible, e.g., system, event and security logs.

A.6.4 (g) [B.12.2, Practitioner]: As good practice, automatic lock/session log out should be enabled after fifteen (15) min of inactivity for the organisation’s assets. These include user sessions on the laptop computer, server, non-mobile device, database, and administrator portal.

A.6.4 (h) [B.12.2, Practitioner]: If the scope of certification includes mobile devices, IoT devices, and/or cloud environment:
Mobile devices – e.g., mobile phone, tablet
– Mobile devices should not be jail-broken or rooted.
– Mobile device passcodes should be enabled.
– Automatic mobile device locks should be activated after two (2) min of inactivity.
– Mobile applications should only be downloaded from official or trusted sources.
IoT devices
– The network hosting the IoT devices should be separated from the network containing the organisation’s assets and data.
– Security features should be enabled on IoT devices, e.g., turning off device auto-discovery and Universal Plug and Play (UPnP).
– In selecting IoT devices, the organisation should use devices rated by the Cybersecurity Labelling Scheme (CLS) (where available).
Cloud
– Security logging and monitoring should be turned on for cloud visibility, e.g., history of Application Programming Interface (API) calls, change tracking and compliance.

A.7 Update: Software updates – Update software on devices and systems

A.7.4 (a) [B.12.1, Supporter]: The organisation shall prioritise the implementation of critical or important updates for operating systems and applications (e.g., security patches) to be applied as soon as possible.

A.7.4 (b) [B.12.2, Practitioner]: The organisation should carry out compatibility tests on updates for operating systems and applications before installing them.

A.7.4 (c) [B.12.2, Practitioner]: The organisation should consider enabling automatic updates for critical operating system and application patches where feasible so that they can receive the latest updates.

A.7.4 (d) [B.12.2, Practitioner]: If the scope of certification includes mobile devices, IoT devices, and/or cloud environment:
Mobile devices – e.g., mobile phone, tablet
– The organisation should ensure that updates and patches for mobile devices are only downloaded from trusted sources (e.g., the official app store from the manufacturer).
IoT devices
– The organisation should remove or replace any IoT devices (e.g., CCTV, printers) that are not receiving any software patches or updates.
Cloud
– The organisation should refer to the cloud shared responsibility model with its Cloud Service Provider (CSP). This will allow organisations to be aware of when the organisation is responsible for software updates and security patches, and when the CSP is responsible.
– The organisation should have visibility on the software updates and security patches done by its CSPs.
– The organisation should also have security requirements regarding software updates defined for its CSPs.

A.8 Backup: Back up essential data – Back up the organisation’s essential data and store them offline

A.8.4 (a) [B.10.1, Supporter]: The organisation shall identify business-critical systems and those containing essential business information and perform backup. What needs to be backed up is guided by identifying what is needed for business recovery in the event of a cybersecurity incident. Examples of business-critical systems include stock-trading systems and railway operating and control systems. Examples of essential business information include financial data and business transactions.

A.8.4 (b) [B.10.1, Supporter]: The backups shall be performed on a regular basis, with the backup frequency aligned to the business requirements and how many days’ worth of data the organisation can afford to lose.

A.8.4 (c) [B.10.2, Practitioner]: For non-business-critical systems or non-essential information, the backups should still be performed but at a lower frequency or on a longer-term basis.

A.8.4 (d) [B.10.2, Practitioner]: The backup process should be automated where feasible.

A.8.4 (e) [B.10.1, Supporter]: If the scope of certification includes cloud environment:
Cloud
– The organisation shall understand the role and responsibility between itself and the CSP in terms of data backup, e.g., cloud shared responsibility model, scope, and coverage of the cloud service.
– Data backup shall be carried out by the organisation, e.g., storing the backups on a hard disk drive, purchasing the backup services offered by the CSP, and adopting multiple clouds to be used as backups.

A.8.4 (f) [B.10.2, Practitioner]: If the scope of certification includes hardware assets such as mobile devices and/or IoT devices:
Mobile devices
– Essential business information stored in mobile phones should be auto backed up and transferred to a secondary mobile phone or secondary storage for backup, e.g., SMS conversations or the contact of an important client.
IoT devices
– IoT devices containing the organisation’s essential information should be backed up manually where automatic backup is not available, e.g., sensors in farms to improve operational safety and efficiency and in healthcare to monitor patients with greater precision to provide timely treatment.

A.8.4 (g) [B.10.1, Supporter]: All backups shall be protected from unauthorised access and be restricted to authorised personnel only. Backups should minimally be password-protected.

A.8.4 (h) [B.10.1, Supporter]: Backups shall be stored separately (i.e., offline) from the operating environment. Where feasible, backups should be stored offsite, e.g., in a separate physical location.

A.8.4 (i) [B.10.2, Practitioner]: Frequent backups such as daily or weekly backups should be stored online to facilitate quick recovery, e.g., cloud backup storage.

A.8.4 (j) [B.10.1, Supporter]: Longer-term backups such as monthly backups shall be stored offline in an external secure storage location, e.g., password-protected USB flash drives, encrypted external hard disks and/or tape storage at an alternative office location.

A.8.4 (k) [B.10.2, Practitioner]: As good practice, backups should be tested at least bi-annually, or more frequently, to ensure that business-critical systems and essential business information can be restored effectively.

A.9 Respond: Incident response – Be ready to detect, respond to, and recover from cybersecurity incidents

A.9.4 (a) [B.21.1, Supporter]: The organisation shall establish an up-to-date basic incident response plan to guide the organisation on how to respond to common cybersecurity incidents. Examples include phishing, data breach, ransomware. The plan shall contain details as follows:
– Clear roles and responsibilities of key personnel in the organisation involved in the incident response plan process.
– Procedures to detect, respond, and recover from the common cybersecurity threat scenarios, e.g., phishing, ransomware, data breach.
– Communication plan and timeline to escalate and report the incident to internal and external stakeholders (such as regulators, customers, and senior management).

A.9.4 (b) [B.21.1, Supporter]: The incident response plan shall be made known to all employees in the organisation that have access to the organisation’s IT assets and/or environment.

A.9.4 (c) [B.21.2, Practitioner]: The organisation should conduct post-incident review and incorporate learning points to strengthen and improve the incident response plan.

A.9.4 (d) [B.21.2, Practitioner]: As good practice, the incident response plan should be reviewed at least annually.


4. Risk Assessment Results

These are the results of your risk assessment:

Inherent vs Residual Risk Assessment Results – Summary

[Inherent Risk Heat Map: chart not reproduced. Axes: Likelihood (highly likely, likely, possible, unlikely, rare) against Impact (minor, moderate, significant, serious, major); cells are rated low, medium, medium high, high or critical.]

Risk types (inherent) | Total | Low | Med | Med high | High | Critical
1. Data Breach | 5
2. Human Factor | 5
3. Infrastructure | 5
4. Physical Security | 4
5. Regulatory and Compliance | 3
6. Supply Chain | 3
Total risks | 25 | 0 | 0 | 0 | 0 |

[Residual Risk Heat Map: chart not reproduced; same axes and rating scale as the inherent heat map.]

Risk types (residual) | Total | Low | Med | Med high | High | Critical
1. Data Breach | 5
2. Human Factor | 5
3. Infrastructure | 5
4. Physical Security | 4
5. Regulatory and Compliance | 3
6. Supply Chain | 3
Total risks | 25

Risk Decision after Treatment Plan

Risk types (risk decision) | Total | Avoid | Mitigate | Transfer | Accept
1. Data Breach | 5
2. Human Factor | 5
3. Infrastructure | 5
4. Physical Security | 4
5. Regulatory and Compliance | 3
6. Supply Chain | 3
Total risks | 25


5. Cybersecurity Preparedness Assessment Results

These are the results of your cybersecurity preparedness assessment:

Cybersecurity Preparedness Assessment Results

[Charts: Cybersecurity Measures — Implemented; Cybersecurity Measures — Not Implemented; Cybersecurity Measures — Not Applicable; each broken down by tier: Supporter, Practitioner, Promoter, Performer, Advocate]

Cumulative results from your organisation's cybersecurity preparedness responses

Tier              Total (cumulative)   Implemented   Not implemented   Not applicable   Implemented (%)   Not implemented (%)   Not applicable (%)   Status   Remarks
1. Supporter              13                0               0                0               0.00%              0.00%                0.00%            -
2. Practitioner           38                0               0                0               0.00%              0.00%                0.00%            -
3. Promoter               72                0               0                0               0.00%              0.00%                0.00%            -
4. Performer             125                0               0                0               0.00%              0.00%                0.00%            -
5. Advocate              190                0               0                0               0.00%              0.00%                0.00%            -

You have not completed the self-assessment questionnaire. Do fill up the self-assessment questionnaire to find out if your organisation is ready for Cyber Trust certification.


Cybersecurity Preparedness Assessment Results — Breakdown by Cyber Trust Domains

Number of cybersecurity measures per domain and tier. Each tier also carries "no", "yes" and "na" response columns, which stay blank (0 in the totals row) until the questionnaire is completed.

Cyber Trust Domains                                        Supporter   Practitioner   Promoter   Performer   Advocate
B.1 Domain: Governance                                         -            -             1           3           2
B.2 Domain: Policies and procedures                            -            -             1           3           3
B.3 Domain: Risk management                                    2            2             2           3           3
B.4 Domain: Cyber strategy                                     -            -             -           -           5
B.5 Domain: Compliance                                         1            1             2           2           3
B.6 Domain: Audit                                              -            -             -           3           2
B.7 Domain: Training and awareness                             1            2             2           3           3
B.8 Domain: Asset management                                   1            1             3           2           3
B.9 Domain: Data protection and privacy                        3            1             3           3           3
B.10 Domain: Backups                                           1            2             2           2           3
B.11 Domain: Bring Your Own Device (BYOD)                      -            -             -           1           3
B.12 Domain: System security                                   1            2             3           4           3
B.13 Domain: Anti-virus/Anti-malware                           1            4             1           1           3
B.14 Domain: Secure software development Life-cycle (SDLC)     -            -             -           -           4
B.15 Domain: Access control                                    1            2             3           3           2
B.16 Domain: Cyber threat management                           -            -             -           5           3
B.17 Domain: Third-party risk and oversight                    -            -             -           -           5
B.18 Domain: Vulnerability assessment                          -            -             2           3           4
B.19 Domain: Physical/environmental security                   -            3             3           3           2
B.20 Domain: Network security                                  -            3             2           3           2
B.21 Domain: Incident response                                 1            1             2           2           2
B.22 Domain: Business continuity/Disaster recovery             -            1             2           4           2
Total measures                                                13           25            34          53          65
Responses (no / yes / na)                                  0 / 0 / 0    0 / 0 / 0     0 / 0 / 0   0 / 0 / 0   0 / 0 / 0
* Note: yes = cybersecurity measures implemented; no = cybersecurity measures not implemented; na = cybersecurity measures not applicable


6. Declaration

• We, the Applicant, declare that the facts stated in this application and the accompanying information are true and correct to the best of our knowledge and that we have not withheld/distorted any material facts. We understand that we have a continuing obligation to promptly notify our appointed certification body if there is any change affecting the information set out in this application and declaration.

• We understand that our appointed certification body may take the relevant action if we provide false or misleading statements or fail to disclose material facts, and the certification body
may, at its discretion, withdraw the certification issued or take other follow-on action.

Yes, we/I agree

Signature Date

Name (in BLOCK LETTERS) Designation


[for and on behalf of <<Organisation>>]

Organisation

Organisation Stamp

* Note: This declaration must be signed by a person authorised to sign on behalf of the organisation.


Annex: Risk Assessment Terminologies and Definitions

Table 2 – Assessment of the likelihood of risk scenario occurring

Likelihood      Likelihood score   Description                                            Indicative probability (of occurrence in a year)
Highly likely   5                  The event may potentially occur in all circumstances   ≥61%
Likely          4                  The event may occur in most circumstances              ≥41% – 60%
Possible        3                  The event should occur at some time                    ≥21% – 40%
Unlikely        2                  The event could occur at some time                     ≥5% – 20%
Rare            1                  The event may occur only in exceptional cases          <5%

Table 3 – Assessment of the impact of risk scenario occurring

Each impact level is scored 1–5 and described across five dimensions: Strategic; Financial; Operational; Regulatory Compliance; Brand value and Reputation (if applicable).

Major (impact score 5)
– Strategic: Failure to meet key strategic objective; organisational viability threatened; major financial overrun.
– Financial: Total financial failure, with inability to support organisation’s operations.
– Operational: Complete breakdown in service delivery with severe, prolonged impact on business operations affecting the whole organisation.
– Regulatory Compliance: Large scale action, material breach of legislation with very significant financial or reputational consequences.
– Brand value and Reputation: Adverse publicity in local/international media. Long term reduction in public confidence.

Serious (impact score 4)
– Strategic: Serious impact on strategy, major reputational sensitivity.
– Financial: Disastrous impact on the financial exposure of the organisation, with long term damage incurred.
– Operational: Significant impact on business operations and/or quality of service.
– Regulatory Compliance: Regulatory breach with material consequences which cannot be readily rectified.
– Brand value and Reputation: Adverse publicity in local/international media. Short term reduction in public confidence.

Significant (impact score 3)
– Strategic: Significant impact on strategy, moderate reputational sensitivity.
– Financial: Significant impact on the financial exposure.
– Operational: Large impact on the customer experience and/or quality of service.
– Regulatory Compliance: Regulatory breach with material consequences but which can be readily rectified.
– Brand value and Reputation: Criticism of an important process/service. Elements of public expectations not met.

Moderate (impact score 2)
– Strategic: Moderate impact on strategy, minor reputational sensitivity.
– Financial: Noticeable impact on the financial exposure.
– Operational: Moderate impact on the business operations and/or quality of service.
– Regulatory Compliance: Regulatory breach with minimal consequences but which cannot be readily rectified.
– Brand value and Reputation: Tarnish organisation’s image with a specific group. Elements of public expectations not met.

Minor (impact score 1)
– Strategic: Minor impact on strategy, minimal reputational sensitivity.
– Financial: Negligible impact on the financial exposure.
– Operational: Negligible impact on business operations and/or quality of service.
– Regulatory Compliance: Regulatory breach with minimal consequences and readily rectified.
– Brand value and Reputation: Isolated case of damage to reputation. Potential for public concern/unlikely to warrant media coverage.

Table 4 – Risk levels

Risk measure is the likelihood score multiplied by the impact score (1–25).

17 – 25 | Critical | Risk action: Immediate action to reduce the risk
Immediate risk treatment is required, and risk shall not be accepted. Risk treatment strategies shall be implemented immediately as the magnitude of impact can affect the survivability of the organisation or leave long term damage to reputation and finances. The board and senior management shall be notified and updated frequently on the progress of the risk treatment.

13 – 16 | High | Risk action: Action taken to reduce the risk
Immediate risk treatment is necessary, and risk shall not be accepted. Risk treatment strategies shall be implemented as the magnitude of the impact may immediately disrupt business operations or services provided to customers, leading to financial losses. The senior management shall be notified and updated frequently on the progress of the risk treatment.

10 – 12 | Medium High | Risk action: Gradual action taken to reduce the risk
Risk treatment is preferred, and risk should not be accepted. Risk treatment strategies should be implemented as the magnitude of impact can affect the organisation’s long-term operations. The senior management shall be informed about the risk and updated periodically if the risk level increases.

5 – 9 | Medium | Risk action: Manage risk
Risk treatment is encouraged with the implementation of controls within the time period specified by the organisation. The organisation may want to monitor the risks regularly to detect any changes, if any.

1 – 4 | Low | Risk action: Monitor/Accept
Risk can be accepted as it falls within the organisation’s risk appetite. Mitigating or compensating controls are already implemented to address the identified risk. Ongoing monitoring can be used to detect any changes in the risk level.

Figure 4 – Risk heat map

Rows: Likelihood (score). Columns: Impact (score). Each cell gives the risk level and the risk measure (likelihood score × impact score).

Likelihood \ Impact   Minor (1)     Moderate (2)      Significant (3)    Serious (4)        Major (5)
Highly likely (5)     Medium (5)    Medium high (10)  High (15)          Critical (20)      Critical (25)
Likely (4)            Low (4)       Medium (8)        Medium high (12)   High (16)          Critical (20)
Possible (3)          Low (3)       Medium (6)        Medium (9)         Medium high (12)   High (15)
Unlikely (2)          Low (2)       Low (4)           Medium (6)         Medium (8)         Medium high (10)
Rare (1)              Low (1)       Low (2)           Low (3)            Low (4)            Medium (5)

Table 5 – Risk decisions

Risk Option   Description

Accept        Knowingly and objectively accepting risks, provided that they clearly satisfy the organisation’s policy and the criteria for risk acceptance; and in view of the cost effectiveness and business efficiency.

Mitigate      Applying appropriate controls to reduce the risk likelihood or risk impact or both.

Avoid         Removing and eliminating the risk by removing the origin of the risk in its entirety. This treatment is not often applied unless terminating the activity which results in the risk arising does not materially affect an organisation.

Transfer      Implementing a strategy that transfers the risk to another party or parties, such as outsourcing the management of a service, developing contracts with service providers or insuring against the risk. The third-party accepting the risk shall be aware of and agree to accept this obligation, reducing the impact component of risk faced by the organisation.
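The scoring scheme of Tables 2 to 5 and Figure 4, written out as a script so that a filled-in risk register can be checked against it before the self-assessment is submitted. This is an added example and not part of the CSA template or its spreadsheet: the risk entries in SAMPLE_REGISTER are constructed, and the check that a "mitigate" or "transfer" decision must lower the residual score is an inference from Table 5 rather than a rule the template states.

```python
"""Scoring helper for the Cyber Trust risk assessment scheme (Tables 2-5, Figure 4).

Added example, not part of the CSA template. The bands, the heat map and the
accept/treat rules follow Tables 4 and 5 of the annex; the register entries in
SAMPLE_REGISTER are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Table 2 / Table 3 scores (1..5 on each axis)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "highly likely": 5}
IMPACT = {"minor": 1, "moderate": 2, "significant": 3, "serious": 4, "major": 5}

# Table 4 risk measure bands: (lowest score, highest score, risk level)
BANDS = [(17, 25, "Critical"), (13, 16, "High"), (10, 12, "Medium high"),
         (5, 9, "Medium"), (1, 4, "Low")]

VALID_DECISIONS = ("avoid", "mitigate", "transfer", "accept")   # Table 5


def risk_score(likelihood: int, impact: int) -> int:
    """Risk measure = likelihood score x impact score (the cell value in Figure 4)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact scores must be in 1..5")
    return likelihood * impact


def risk_level(likelihood: int, impact: int) -> str:
    """Map the risk measure onto its Table 4 risk level."""
    score = risk_score(likelihood, impact)
    for lo, hi, level in BANDS:
        if lo <= score <= hi:
            return level
    raise ValueError(f"score {score} outside 1..25")   # unreachable after validation


def heat_map() -> list[list[str]]:
    """Rebuild Figure 4: rows are likelihood 5..1 top-down, columns impact 1..5."""
    return [[f"{risk_level(l, i)} ({risk_score(l, i)})" for i in range(1, 6)]
            for l in range(5, 0, -1)]


@dataclass
class Risk:
    risk_type: str               # one of the six categories used in section 4
    scenario: str
    inherent: tuple[int, int]    # (likelihood, impact) before controls
    residual: tuple[int, int]    # (likelihood, impact) after the treatment plan
    decision: str                # avoid | mitigate | transfer | accept


def check_decision(risk: Risk) -> list[str]:
    """Return findings where a register entry contradicts Table 4 / Table 5 (empty = consistent)."""
    findings = []
    residual_level = risk_level(*risk.residual)
    if risk.decision not in VALID_DECISIONS:
        findings.append(f"{risk.scenario}: unknown risk decision {risk.decision!r}")
    if risk.decision == "accept":
        # Table 4: Critical/High "shall not be accepted"; Medium high "should not be accepted"
        if residual_level in ("Critical", "High"):
            findings.append(f"{risk.scenario}: residual {residual_level} risk shall not be accepted")
        elif residual_level == "Medium high":
            findings.append(f"{risk.scenario}: residual {residual_level} risk should not be accepted")
    # Inference from Table 5 (assumption, not a stated rule): mitigate and transfer reduce
    # likelihood and/or impact, so the residual score must be lower than the inherent one.
    if (risk.decision in ("mitigate", "transfer")
            and risk_score(*risk.residual) >= risk_score(*risk.inherent)):
        findings.append(f"{risk.scenario}: {risk.decision} chosen but residual score did not fall")
    if risk_score(*risk.residual) > risk_score(*risk.inherent):
        findings.append(f"{risk.scenario}: residual score exceeds inherent score")
    return findings


def summarise(register: list[Risk], stage: str = "residual") -> dict[str, Counter]:
    """Counts per risk type and risk level, like the section 4 summary tables."""
    table: dict[str, Counter] = {}
    for r in register:
        table.setdefault(r.risk_type, Counter())[risk_level(*getattr(r, stage))] += 1
    return table


def audit(register: list[Risk]) -> list[str]:
    return [finding for r in register for finding in check_decision(r)]


# Constructed sample register (not from the template)
SAMPLE_REGISTER = [
    Risk("Data Breach", "Unencrypted laptop lost off-site", (4, 4), (2, 4), "mitigate"),
    Risk("Human Factor", "Staff member acts on a phishing e-mail", (5, 3), (3, 3), "mitigate"),
    Risk("Supply Chain", "Outsourced IT provider compromised", (3, 5), (3, 5), "accept"),
]

if __name__ == "__main__":
    for row in heat_map():
        print(" | ".join(f"{cell:16}" for cell in row))
    for finding in audit(SAMPLE_REGISTER):
        print("FINDING:", finding)
    print({k: dict(v) for k, v in summarise(SAMPLE_REGISTER).items()})
```

Run against the sample register, the third entry is flagged: its residual score of 15 is High, and Table 4 says High risk shall not be accepted, so the "accept" decision has to become a treatment or the residual scores have to be justified. The first two entries pass because their treatment plans lower the score into the Medium band, where Table 4 only calls for managing the risk.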
