Entry Level Assessors Course

Cyber Security Questionnaire (CSQ) Initial Review

Before being assessed, every Cyber Security Questionnaire (CSQ) must be subject to an initial review.

During the initial review, the assessor must check that:

  • The CSQ is complete (no sections or mandatory fields left blank).
  • The CSQ lists the correct legal entity name and points of contact.
  • The CSQ is signed by an authorised representative of the entity.
  • The entity used the current version of the CSQ template.
  • Sufficient information is supplied to allow an assessment to be made.

In some limited circumstances, a CSQ can be rejected by the assessor at the initial review stage. Examples are:

  • Lack of signature or authorisation.
  • Failure to complete the questionnaire (entire sections left blank).
  • A submission whose responses describe Defence systems rather than the entity's own systems.

In all cases, assessors should clear a rejection with the team leader or operations manager.

Use of Certifications

Any applicant that claims to hold a certification must supply evidence of that certification; a claim without evidence is treated as unsupported.

The most common certification claimed is ISO/IEC 27001:2013.

When certification is claimed, assessors may request the following documents:

  • A current copy of the certificate (mandatory).
  • The scope statement of the certification.
  • A copy of the latest certification (or surveillance) audit report.

You must conduct a validation check of the certificate to confirm that it is current (not expired, suspended or withdrawn), genuine, and issued by an accredited certification body. Also confirm that the certified scope actually covers the systems and locations described in the CSQ; a certificate whose scope excludes those systems does not support the entity's claims.

Requesting Additional Information

An assessor may, at any time, request additional information from an applicant entity. Typically this is done when an entity provides no comments, or comments that lack substance, against a control in its CSQ.

For example, an entity's response in the Application Control comments field may be as short as "we have application control". This response gives no detail about how the control is implemented (for example, what is enforced, on which systems, and how exceptions are handled), so a request for information is warranted.

Assessors should identify all information shortfalls in the first instance, so that the entity receives a single consolidated request rather than several separate ones.

The most common faults the team has come across in submitted CSQs are:

  – Lack of system detail (what systems are in scope and how they are configured).
  – No comments explaining how the assessed controls are implemented.
  – Use of blanket statements (e.g. "we use M365") without technical clarification of which features are used and how they are configured.
  – No signature.
  – Claims of certification without providing documentary evidence.
  – Webmail solutions being used to correspond with Defence.
  – Filling in the CSQ with responses that pertain to the use of Defence systems (e.g. DREAMs) rather than the entity's own systems.
