An overview of the Initial Assessment (IA) process
The Initial Assessment, commonly referred to as the “IA”, is the first assessment conducted against an entity’s Cyber Security Questionnaire (CSQ).
It is the first step in assessing an applicant’s cyber security hygiene and determines if an entity needs to undergo uplift activities.
1. Cyber Security Questionnaire (CSQ) Initial Review
Before being assessed, every Cyber Security Questionnaire (CSQ) must be subject to an initial review.
This review is simply to check for completeness and to turn back any unacceptable submissions.
1.1 – Certification Check
Applicants may claim certification, and a requirement of the initial review is to confirm that any such certification is validated.
1.2 – Requesting Additional Information
Where insufficient information is provided, an assessor may request additional information.
2. The Initial Assessment (IA)
Once an initial review has been completed, and the assessor is satisfied that enough information is given, the Initial Assessment (IA) may be completed.
The Initial Assessment will have an overall Cyber Security Hygiene Rating, which is one of the following:
- Ad-Hoc
- Developing
- Managing
- Embedded
3. The Quality Assurance Check
Every Initial Assessment (IA) is subject to a Quality Assurance (QA) check.
The QA check is carried out to ensure that the IA is technically accurate, error-free and complete.
4. Initial Assessment Outcomes
The overall rating of an Initial Assessment (IA) will determine if the applicant requires cyber security uplift.
- Ad-Hoc & Developing = Requires Uplift
- Managing & Embedded = Assessment Completed
The completed assessment is sent to the Processing Officer (PO) and the entity in all cases.