CQUEST questionnaire completion guidance

The CQUEST questionnaire has 50 questions, and as with our other article on filling out security questionnaires, answering these is not about following a template but about convincing the reviewer, with evidence, that your security controls exist, are operated, and are checked.

We have listed all 50 questions below and tried to provide you with guidance on how to answer them, but: 

You will be much better off if you sit down with a cybersecurity expert to guide you in building your company's security controls. The questionnaire exists as guidance on which controls to build. It may take a couple of months to implement them, but if you do, the answers largely write themselves, and your company will have a defensible, evidence-backed security posture rather than a well-worded questionnaire.

  1. Does a formally documented cyber security strategy exist and who is it approved by within the organisation?

    Technical Guidance: Ensure you have a comprehensive cybersecurity strategy document that outlines your institution's security goals, objectives, and plans to mitigate risks. The strongest answer is approval by the board of directors or a board-level risk committee; the Chief Information Security Officer (CISO) or equivalent senior executive normally owns and drafts the strategy rather than being its final approver. Include details on how the strategy aligns with regulatory requirements and industry best practices.

    Describe the approval process within your organization. Typically, this involves initial drafting by the IT or cybersecurity team, review by senior management, and final approval by the board. Highlight any regular review cycles and updates to the strategy to address evolving threats.

  2. Does a formally documented framework (including policies, standards, and delivery programme) exist to maintain your security posture and to deliver the cyber security strategy?

    Technical Guidance: Document a cybersecurity framework that encompasses all policies, standards, and procedures to implement and maintain your cybersecurity posture. This should include standards for risk assessment, incident response, data protection, and continuous monitoring.

    Explain how this framework integrates with your cybersecurity strategy. Provide examples of key policies such as acceptable use policies, data encryption standards, and incident response procedures. Mention any alignment with recognized frameworks like the NIST Cybersecurity Framework (CSF), ISO/IEC 27001, or the CIS Controls.

  3. Has a senior executive been appointed who is accountable for the oversight and delivery of cyber security within the organisation?

    Technical Guidance: Appoint a senior executive, typically a Chief Information Security Officer (CISO), who is responsible for the overall cybersecurity program. This role should have the authority and resources to enforce security policies and respond to incidents.

    Outline the CISO’s responsibilities, including risk management, incident response, and compliance with cybersecurity regulations. Ensure the CISO reports to the board or executive leadership regularly on cybersecurity matters and initiatives.

  4. What level of cyber security knowledge and skills exists at the senior executive level?

    Technical Guidance: Assess the cybersecurity knowledge and skills of senior executives. Provide training and awareness programs to keep them informed of the latest threats and regulatory requirements.

    Document the specific training programs and certifications senior executives have completed, such as CISSP or CISM. Highlight ongoing education efforts and participation in cybersecurity forums or workshops to maintain their knowledge.

  5. Are risks to cyber security managed effectively?

    Technical Guidance: Implement a risk management process that identifies, assesses, and mitigates cybersecurity risks. Use risk assessment tools and frameworks like NIST Risk Management Framework (RMF) or ISO 31000.

    Detail your risk management process, including how risks are identified, prioritized, and addressed. Provide examples of recent risk assessments and the steps taken to mitigate identified risks. Include any metrics or KPIs used to measure risk management effectiveness.

  6. To what extent are cyber and related skills held across the security, risk, and audit functions?

    Technical Guidance: Ensure your security, risk, and audit teams have the necessary cybersecurity skills and certifications. Offer continuous training and professional development opportunities.

    Describe the current skill set of these teams, including any relevant certifications like CISSP, CEH, or CISA. Outline training programs and initiatives to enhance their skills, such as participation in cybersecurity conferences or advanced courses.

  7. Has the effectiveness of cyber controls been independently assessed against the control objective?

    Technical Guidance: Conduct independent assessments of your cybersecurity controls through third-party audits or internal audit functions. Utilize frameworks such as SOC 2, ISO 27001, or NIST CSF for assessments.

    Provide details of recent assessments, including the scope, methodology, and outcomes. Mention any improvements made based on assessment findings and plans for regular future assessments.

  8. To what extent is management information (MI), including Key Risk Indicators (KRIs), used to inform decision makers on the residual risk levels against risk appetite for cyber defined risks?

    Technical Guidance: Develop and utilize management information systems that track Key Risk Indicators (KRIs) related to cybersecurity. Ensure this information is regularly reported to decision-makers to gauge risk levels and compliance with risk appetite.

    Explain the MI systems in place, the KRIs monitored, and how this data is used in decision-making processes. Provide examples of MI reports and how they have influenced risk management decisions.

  9. Are important business services understood?

    Technical Guidance: Identify and document all critical business services and their dependencies. Perform Business Impact Analyses (BIAs) to understand the potential impact of service disruptions.

    Detail the process of identifying critical services and the criteria used. Explain how BIAs are conducted and provide examples of critical services identified, along with their associated risks and mitigation plans.

  10. Is a current inventory of information assets with supporting systems maintained?

    Technical Guidance: Maintain a comprehensive inventory of all information assets and their supporting systems. Use asset management tools to track hardware, software, and data assets.

    Describe the tools and processes used for asset management, including any automated systems. Provide examples of inventory records and how they are kept up to date.

  11. To what extent have you identified and assessed the cyber risk within your important business services?

    Technical Guidance: Perform regular risk assessments on all critical business services to identify and evaluate cyber risks. Use frameworks such as NIST SP 800-30 for conducting risk assessments.

    Outline the assessment process, including how risks are identified, evaluated, and prioritized. Provide examples of risk assessment reports and mitigation actions taken for high-risk services.

  12. Do you understand who your outsourced providers and third parties are and the services they provide?

    Technical Guidance: Maintain a detailed register of all third-party providers and the services they offer. Conduct third-party risk assessments and ensure they comply with your security standards.

    Explain the process for onboarding and monitoring third parties, including due diligence and regular security reviews. Provide examples of third-party agreements and compliance checks.

  13. To what extent do you use intelligence to direct your cyber risk management?

    Technical Guidance: Integrate threat intelligence into your risk management processes. Use threat intelligence platforms (TIPs) to gather and analyze data from multiple sources.

    Detail the sources of threat intelligence used and how this information is applied to enhance risk management. Provide examples of threat intelligence reports and how they have influenced security measures.

  14. Are hardware and software vulnerabilities proactively identified and documented with their risk assessment?

    Technical Guidance: Implement a vulnerability management program to identify, assess, and remediate hardware and software vulnerabilities. Use tools like Nessus, Qualys, or OpenVAS for vulnerability scanning.

    Describe the vulnerability management lifecycle, including scanning, assessment, prioritization, and remediation. Provide examples of recent vulnerability reports and the steps taken to address identified vulnerabilities.

  15. Do you have an identity & access management (IAM) standard that covers how users should be verified, authenticated, and authorised?

    Technical Guidance: Develop and enforce an Identity and Access Management (IAM) standard. Ensure it includes policies for user verification, authentication, and authorization, implemented through an identity provider such as Okta or Microsoft Entra ID (formerly Azure AD).

    Explain the IAM policies in place, including user provisioning, access controls, and authentication methods. Provide examples of IAM standards and how they are implemented across the organization.

  16. Does all remote access to the corporate network and business applications require strong authentication?

    Technical Guidance: Ensure all remote access to corporate networks and applications is protected with strong authentication methods such as multi-factor authentication (MFA), using solutions like Duo Security or Google Authenticator. Note that app-generated codes and push approvals can still be phished in real time or worn down by push fatigue; for privileged and remote access, prefer phishing-resistant methods (FIDO2/WebAuthn security keys or platform authenticators). Make sure "all" really means all: VPN, virtual desktops, email, and any administrative console reachable from the internet.

    Detail the remote access policies and technologies used to enforce strong authentication. Provide examples of how MFA is implemented and monitored for compliance.

  17. How is user access to data via systems reviewed?

    Technical Guidance: Implement regular access reviews to ensure users have appropriate access to data and systems. Use IAM tools to automate and streamline the review process.

    Describe the access review process, including frequency, scope, and tools used. Provide examples of access review reports and actions taken to address any discrepancies.

  18. Are privileged rights understood, documented and reviewed in terms of assignment to system and user accounts?

    Technical Guidance: Document and regularly review privileged access rights. Use Privileged Access Management (PAM) solutions like CyberArk or BeyondTrust to manage and monitor privileged accounts.

    Explain the process for assigning and reviewing privileged rights, including tools and procedures. Provide examples of privileged access reviews and any actions taken to mitigate risks.
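As an added illustration for questions 17 and 18 (example code written for this guide, not something the questionnaire or any IAM or PAM product supplies): a review that reconciles an exported account list against the HR roster and an approved-holder register for privileged groups, and flags leavers, unattributed accounts, dormant accounts, and unapproved privileged membership. The roster, the export, the group names, the review date and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Access review for questions 17 and 18.

Reconciles an IAM export against the HR roster and a privileged-access approval
register.  All data here is constructed for the example."""
from datetime import date, timedelta

REVIEW_DATE = date(2024, 6, 3)   # assumed review date
DORMANT_DAYS = 90                # assumed dormancy threshold

# Constructed HR roster: user -> (employment status, department)
HR_ROSTER = {
    "alice": ("active", "finance"),
    "bob": ("active", "engineering"),
    "carol": ("leaver", "finance"),      # left the company, account still exists
    "dave": ("active", "operations"),
}

# Constructed IAM export: user -> group memberships and last successful logon
IAM_EXPORT = {
    "alice": {"groups": ["finance-readers"], "last_logon": date(2024, 5, 30)},
    "bob": {"groups": ["engineering", "domain-admins"], "last_logon": date(2024, 6, 1)},
    "carol": {"groups": ["finance-readers"], "last_logon": date(2024, 1, 10)},
    "dave": {"groups": ["operations", "domain-admins"], "last_logon": date(2024, 6, 2)},
    "svc-backup": {"groups": ["backup-operators"], "last_logon": None},  # never logged on
}

# Constructed approval register: privileged group -> users approved to hold it
PRIVILEGED_APPROVALS = {
    "domain-admins": {"bob"},
    "backup-operators": {"svc-backup"},
}


def review_access(roster, iam, approvals, today, dormant_days=DORMANT_DAYS):
    """Return sorted (user, finding) pairs for the reviewer to action."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for user, record in iam.items():
        status = roster.get(user, (None, None))[0]
        if status == "leaver":
            findings.append((user, "leaver with active account"))
        elif status is None:
            # Service accounts also need a named owner; an account HR cannot
            # attribute to anyone is a finding, not an exception.
            findings.append((user, "account not in HR roster"))
        last = record["last_logon"]
        if last is None or last < cutoff:
            findings.append((user, f"dormant (no logon in {dormant_days} days)"))
        for group in record["groups"]:
            if group in approvals and user not in approvals[group]:
                findings.append((user, f"unapproved member of {group}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER, IAM_EXPORT, PRIVILEGED_APPROVALS, REVIEW_DATE):
        print(f"{user:12} {finding}")
```

The output of such a reconciliation, with the date it was run and the ticket raised for each finding, is exactly the kind of evidence the reviewer wants to see for "how is user access reviewed"; a policy document saying reviews happen quarterly is not.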

  19. To what extent do you know and have trust in the devices that access your networks, information assets, and data?

    Technical Guidance: Implement device management so that only known, trusted devices can reach your networks and data. Use Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) solutions, and tie access decisions to device identity (for example a certificate issued only to managed devices) and device posture (EDR running, disk encrypted, patched) rather than to user credentials alone.

    Describe the device management policies and tools in place, including how devices are authenticated and monitored. Provide examples of device trust verification and compliance checks.

  20. Are appropriate controls in place to classify information in terms of criticality and sensitivity?

    Technical Guidance: Establish information classification policies that categorize data based on criticality and sensitivity, and apply the classification as a label on the data itself using document and email labelling tools. Use Data Loss Prevention (DLP) tools to enforce the handling rules attached to each label, for example blocking external sharing of anything labelled confidential.

    Explain the information classification framework, including categories, criteria, and controls. Provide examples of classified data and the corresponding security measures.

  21. Are appropriate tools and processes in place to detect and prevent sensitive data from leaving the corporate network?

    Technical Guidance: Deploy Data Loss Prevention (DLP) solutions to monitor and control the movement of sensitive data. Use encryption and access controls to prevent unauthorized data exfiltration.

    Detail the DLP tools and processes in place, such as Symantec DLP or Microsoft Information Protection. Explain how these tools are configured to detect and block unauthorized data transfers, and provide examples of policies for handling sensitive data.
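As an added example for questions 20 and 21 (code written for this guide, not taken from Symantec DLP, Microsoft Information Protection, or the questionnaire): the content-inspection core of a DLP rule for payment card numbers. The point it demonstrates is the false-positive problem: a bare "16 digits" pattern matches order numbers and phone numbers, so the candidate match is confirmed with the Luhn checksum before the message is blocked. The candidate pattern, the block/allow actions and the sample messages are constructed assumptions.

```python
"""Content inspection for a card-number DLP rule.

Finds candidate card numbers in outbound text and keeps only those that pass
the Luhn check, which removes most digit-run false positives."""
import re

# 13-19 digits, allowing the spaces or dashes people type between groups;
# the lookarounds stop a longer digit run being matched in pieces
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True when the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, digits only, in order."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Mask all but the last four digits so the alert itself is not a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def inspect_message(text: str) -> dict:
    """Decide the DLP action for one outbound message."""
    pans = find_pans(text)
    return {"action": "block" if pans else "allow", "matches": [mask(p) for p in pans]}


if __name__ == "__main__":
    # Constructed sample messages
    for msg in ("card 4111 1111 1111 1111 exp 12/26", "order 1234567890123 shipped"):
        print(inspect_message(msg))
```

In a real deployment the same inspection runs on email, web uploads and endpoint file copies, and the alert records the masked value, the user, the channel and the policy that fired; the reviewer will want to see that alert volume is low enough that someone actually looks at each one.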

  22. Do you have sufficient control and oversight of your supply chain?

    Technical Guidance: Implement a supply chain risk management program. Assess the cybersecurity posture of your suppliers and enforce security requirements through contracts.

    Describe your supply chain risk management process, including vendor assessments, security requirements, and continuous monitoring. Provide examples of how you manage third-party risks and ensure compliance with your security standards.

  23. Is cyber security incorporated in change management and design processes, as well as service and product development?

    Technical Guidance: Integrate cybersecurity into your change management and development processes. Use a secure development lifecycle (for example Microsoft's SDL or OWASP SAMM as the model) and change management frameworks like ITIL, with security review as a defined gate rather than an optional consultation.

    Explain how security is embedded in the SDLC, including threat modeling, secure coding practices, and security testing. Provide examples of change management processes that include security assessments and approvals.

  24. How do you ensure that information assets are appropriately and proportionately protected?

    Technical Guidance: Apply risk-based security controls to protect information assets. Use frameworks like NIST SP 800-53 or ISO 27001 to identify and implement appropriate controls.

    Detail your approach to protecting information assets, including risk assessments, control selection, and ongoing monitoring. Provide examples of controls implemented for high-risk assets and how their effectiveness is measured.

  25. Are baseline system security configuration standards and hardening procedures in place to facilitate consistent application of security requirements to operating systems, databases, applications, devices, etc.?

    Technical Guidance: Develop and enforce baseline security configuration standards and hardening procedures for all systems. Base them on published benchmarks such as the CIS Benchmarks or Microsoft's Security Compliance Toolkit baselines, and check compliance with tooling (CIS-CAT, the Security Compliance Toolkit's Policy Analyzer, or your configuration management system) rather than by hand.

    Describe your baseline security standards, including how they are developed, implemented, and monitored. Provide examples of hardening guides and how compliance is ensured across the organization.
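As an added example for question 25 (written for this guide; it is not a CIS or Microsoft tool and the baseline values are illustrative assumptions, not a reproduction of any published benchmark): a drift check of an OpenSSH server configuration against a small hardening baseline. It also handles the edge case that trips up hand-edited hardening: sshd applies the first value it reads for a keyword, so a compliant line appended below a permissive one changes nothing. The sample sshd_config is constructed.

```python
"""Hardening-baseline drift check, using sshd_config as the example.

Baseline values are illustrative; the sample configuration is constructed."""

# Baseline: directive -> required value (all compared case-insensitively)
SSHD_BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "loglevel": "verbose",
}

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
PermitRootLogin no          # too late: sshd already took 'yes' above
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict:
    """Return the effective global directives of an sshd_config.

    sshd uses the *first* value it sees for a keyword; later duplicates are
    recorded as 'shadowed'.  Directives after a 'Match' header are conditional
    and are not treated as global here."""
    effective, shadowed = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in effective:
            shadowed.append((key, value))
        else:
            effective[key] = value
    return {"effective": effective, "shadowed": shadowed}


def check_baseline(config_text: str, baseline=SSHD_BASELINE) -> list:
    """Return findings as (directive, expected, actual) tuples."""
    parsed = parse_sshd_config(config_text)
    findings = []
    for key, expected in baseline.items():
        actual = parsed["effective"].get(key)
        if actual == expected:
            continue
        if actual is None:
            actual = "<not set; compiled-in default applies>"
        elif any(k == key and v == expected for k, v in parsed["shadowed"]):
            actual += " (a later compliant line is ignored: first value wins)"
        findings.append((key, expected, actual))
    return findings


if __name__ == "__main__":
    for directive, expected, actual in check_baseline(SAMPLE_SSHD_CONFIG):
        print(f"{directive}: expected {expected!r}, got {actual}")
```

Run across a fleet, the output is a list of hosts and directives out of baseline; that list, with dates and the remediation tickets, is the evidence that "compliance is ensured" rather than assumed. Note that a directive the baseline requires but the file never sets is reported too, because the compiled-in default may differ between OpenSSH versions and distributions.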

  26. Do you employ multiple layers of security?

    Technical Guidance: Implement a defense-in-depth strategy that uses multiple layers of security controls. Ensure each layer addresses different aspects of security to provide comprehensive protection.

    Explain your multi-layered security approach, including perimeter defenses, network security, endpoint protection, and application security. Provide examples of security controls at each layer and how they work together to mitigate risks.

  27. To what extent do you proactively manage hardware and software vulnerabilities?

    Technical Guidance: Establish a proactive vulnerability management program. Use tools like Nessus, Qualys, or OpenVAS to conduct regular vulnerability scans and prioritize remediation efforts.

    Detail your vulnerability management process, including scanning frequency, risk assessment, and remediation timelines. Provide examples of recent vulnerability assessments and actions taken to address identified issues.

  28. How do you manage patches to ensure your network and information systems are protected from adverse impact?

    Technical Guidance: Implement a patch management program to ensure timely updates for all systems. Use automated tools like WSUS, SCCM, or Ivanti to manage and deploy patches.

    Describe your patch management process, including patch identification, testing, deployment, and validation. Provide examples of how critical patches are prioritized and the steps taken to minimize disruption during patching activities.

  29. Are end of life hardware and software assets identified and effectively managed prior to expiration?

    Technical Guidance: Maintain an inventory of hardware and software assets, including end-of-life (EOL) dates. Plan and execute the replacement or upgrade of EOL assets before they become a security risk.

    Explain how EOL assets are tracked and managed, including lifecycle management policies and procedures. Provide examples of recent asset replacements or upgrades and the steps taken to ensure continuity and security.
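As an added example covering questions 27, 28 and 29 together (written for this guide; not the output of Nessus, Qualys, WSUS or any CMDB): the reporting logic that turns scanner findings and an asset register into the two numbers a reviewer asks for, findings past their remediation SLA and assets past or near end of life, plus the intersection that a patch SLA cannot fix: an open finding on a host that will never receive a vendor patch. The asset register, findings, SLA days, report date and EOL dates are constructed assumptions (product names are generic; take real dates from vendor lifecycle pages).

```python
"""Remediation-SLA and end-of-life tracking for questions 27 to 29.

Asset register, scanner findings, SLA days and EOL dates are constructed for
the example; real values come from your scanner and CMDB."""
from datetime import date, timedelta

AS_OF = date(2024, 6, 3)                                           # assumed report date
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}  # assumed policy
EOL_WARNING_DAYS = 180                                             # assumed lead time

# Constructed asset register with vendor end-of-support dates (illustrative)
ASSETS = [
    {"host": "web-01", "product": "server-os A", "eol": date(2025, 5, 31)},
    {"host": "db-01",  "product": "server-os B", "eol": date(2023, 10, 10)},
    {"host": "app-01", "product": "server-os C", "eol": date(2032, 5, 31)},
    {"host": "vpn-01", "product": "appliance firmware", "eol": date(2024, 9, 30)},
]

# Constructed open findings from the vulnerability scanner
OPEN_FINDINGS = [
    {"id": "F-1", "host": "web-01", "severity": "critical", "found": date(2024, 5, 10), "exploited": True},
    {"id": "F-2", "host": "web-01", "severity": "medium",   "found": date(2024, 4, 1),  "exploited": False},
    {"id": "F-3", "host": "db-01",  "severity": "high",     "found": date(2024, 5, 20), "exploited": False},
    {"id": "F-4", "host": "app-01", "severity": "low",      "found": date(2024, 1, 1),  "exploited": False},
]


def remediation_deadline(finding, sla=SLA_DAYS):
    """Deadline counted from discovery; anything known to be exploited in the
    wild is treated as critical regardless of the scanner's severity."""
    sev = "critical" if finding["exploited"] else finding["severity"]
    return finding["found"] + timedelta(days=sla[sev])


def overdue_findings(findings, today, sla=SLA_DAYS):
    """(id, host, days_overdue) for findings past their SLA, most overdue first."""
    out = []
    for f in findings:
        days = (today - remediation_deadline(f, sla)).days
        if days > 0:
            out.append((f["id"], f["host"], days))
    return sorted(out, key=lambda x: -x[2])


def eol_status(assets, today, warn_days=EOL_WARNING_DAYS):
    """host -> 'past_eol', 'eol_soon' or 'supported'."""
    status = {}
    for a in assets:
        if a["eol"] < today:
            status[a["host"]] = "past_eol"
        elif a["eol"] - today <= timedelta(days=warn_days):
            status[a["host"]] = "eol_soon"
        else:
            status[a["host"]] = "supported"
    return status


def unpatchable_findings(findings, assets, today):
    """Open findings on hosts already past EOL: no vendor fix is coming, so they
    need isolation, compensating controls or replacement, not a patch SLA."""
    status = eol_status(assets, today)
    return [f["id"] for f in findings if status.get(f["host"]) == "past_eol"]


if __name__ == "__main__":
    print("overdue:", overdue_findings(OPEN_FINDINGS, AS_OF))
    print("eol:", eol_status(ASSETS, AS_OF))
    print("unpatchable:", unpatchable_findings(OPEN_FINDINGS, ASSETS, AS_OF))
```

Two design choices worth copying: the SLA clock starts at discovery, not at ticket creation, so a slow triage queue shows up as SLA breach rather than being hidden; and "known exploited" overrides the scanner's severity, because a medium-rated issue with a public exploit is a more urgent problem than an unexploited critical.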

  30. Are staff provided with cyber security training?

    Technical Guidance: Develop a comprehensive cybersecurity training program for all staff. Include regular training sessions, phishing simulations, and awareness campaigns.

    Describe your training program, including content, frequency, and delivery methods. Provide examples of training materials and how effectiveness is measured, such as through quizzes, assessments, or incident response drills.

  31. How comprehensively do you monitor for the security status of your network and systems?

    Technical Guidance: Implement continuous monitoring tools and practices to maintain visibility over your network and systems. Use SIEM solutions like Splunk, ArcSight, or LogRhythm to aggregate and analyze security data.

    Detail your monitoring infrastructure, including the tools used, data sources, and alerting mechanisms. Provide examples of how monitoring data is analyzed and used to detect and respond to security incidents.

  32. To what extent are you able to generate effective alerts and identify security incidents from event data?

    Technical Guidance: Configure your SIEM and other monitoring tools to generate actionable alerts based on event data. Use correlation rules, anomaly detection, and threat intelligence to enhance alert accuracy.

    Explain how alerts are generated, prioritized, and investigated. Provide examples of alert use cases and how they have led to the identification and remediation of security incidents.

  33. To what extent do you apply threat intelligence to ensure the adequacy of your monitoring capabilities?

    Technical Guidance: Integrate threat intelligence feeds into your monitoring and detection capabilities. Use platforms like ThreatConnect, Recorded Future, or Anomali to enhance situational awareness.

    Describe how threat intelligence is incorporated into your monitoring strategy, including sources, analysis, and application. Provide examples of how threat intelligence has improved detection and response efforts.

  34. To what extent are baseline patterns of system, network, and user activity captured and used to augment detection capabilities?

    Technical Guidance: Establish baseline patterns of normal activity for systems, networks, and users. Use these baselines to identify deviations and potential security incidents.

    Explain the process of capturing and analyzing baseline activity, including tools and methodologies. Provide examples of how baseline deviations have been detected and addressed.
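As an added example serving questions 32 and 34 (written for this guide, not a Splunk, ArcSight or LogRhythm rule and not part of the questionnaire): two detection use cases run over constructed authentication events. The first is a correlation rule, a burst of failed logons from one source followed by a success within the window; the second is a baseline-deviation rule that learns each user's usual sources and hours from a history period and alerts only when a successful logon is unusual on both counts, since either deviation alone (travel, flexitime) is too common to page on. The log format, the IP addresses (documentation ranges), the threshold and the window are constructed assumptions.

```python
"""Correlation rule and baseline-deviation rule over constructed auth events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed history used to build per-user baselines
HISTORY = """\
2024-05-20T09:05:00Z src=198.51.100.10 user=alice result=ok
2024-05-21T09:12:00Z src=198.51.100.10 user=alice result=ok
2024-05-22T08:58:00Z src=198.51.100.10 user=alice result=ok
2024-05-20T10:30:00Z src=198.51.100.22 user=bob result=ok
2024-05-22T17:45:00Z src=198.51.100.22 user=bob result=ok
"""

# Constructed events for the day under review
TODAY = """\
2024-06-03T02:10:01Z src=203.0.113.7 user=alice result=fail
2024-06-03T02:10:04Z src=203.0.113.7 user=alice result=fail
2024-06-03T02:10:07Z src=203.0.113.7 user=alice result=fail
2024-06-03T02:10:10Z src=203.0.113.7 user=alice result=fail
2024-06-03T02:10:13Z src=203.0.113.7 user=alice result=fail
2024-06-03T02:10:16Z src=203.0.113.7 user=alice result=ok
2024-06-03T09:03:00Z src=198.51.100.22 user=bob result=fail
2024-06-03T09:03:20Z src=198.51.100.22 user=bob result=ok
"""


def parse(text):
    """Parse 'timestamp k=v k=v ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        ev = dict(p.split("=", 1) for p in kv)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when a source has >= threshold failures inside the window and then succeeds."""
    recent = defaultdict(deque)          # src -> timestamps of recent failures
    alerts = []
    for ev in events:
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # slide the window
            q.popleft()
        if ev["result"] == "fail":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "brute_force_success", "src": ev["src"],
                           "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
            q.clear()
    return alerts


def build_baseline(events):
    """Per-user set of known sources and hours of day, from successful logons."""
    base = defaultdict(lambda: {"sources": set(), "hours": set()})
    for ev in events:
        if ev["result"] == "ok":
            base[ev["user"]]["sources"].add(ev["src"])
            base[ev["user"]]["hours"].add(ev["ts"].hour)
    return base


def baseline_alerts(events, baseline):
    """Alert on a success from an unseen source at an hour the user never logs on."""
    alerts = []
    for ev in events:
        if ev["result"] != "ok":
            continue
        known = baseline.get(ev["user"])
        if known is None:
            continue                     # no history yet: a separate 'new user' rule
        if ev["src"] not in known["sources"] and ev["ts"].hour not in known["hours"]:
            alerts.append({"rule": "baseline_deviation", "user": ev["user"],
                           "src": ev["src"], "hour": ev["ts"].hour, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    today = parse(TODAY)
    for alert in brute_force_alerts(today) + baseline_alerts(today, build_baseline(parse(HISTORY))):
        print(alert)
```

Both rules fire on the same event here, which is what you want: the correlation rule says how the account was taken, the baseline rule says the resulting session looks nothing like the user, and together they justify an automatic containment action (forced logoff and password reset) rather than a ticket. When describing your use cases to the reviewer, give this level of detail: the data source, the condition, the threshold and what happens when it fires.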

  35. Do you carry out penetration tests to identify vulnerabilities that may affect your systems, networks, people or processes?

    Technical Guidance: Conduct regular penetration tests to identify vulnerabilities and weaknesses in your security posture. Use internal teams or external providers; look for CREST-accredited providers and testers holding individual certifications such as OSCP or CREST registered tester status. Since the question mentions people and processes, scope should go beyond infrastructure and applications to include social engineering exercises such as phishing and pretexting.

    Describe your penetration testing process, including scope, frequency, and methodologies. Provide examples of recent penetration tests and the vulnerabilities identified and remediated.

  36. Are detection systems integrated within the organisation’s incident response process?

    Technical Guidance: Ensure detection systems are fully integrated with your incident response process. Use SOAR platforms such as Cortex XSOAR (formerly Demisto) or Splunk SOAR (formerly Phantom) to automate incident response workflows, and make sure every alert type has a defined owner, playbook, and escalation path.

    Explain how detection systems feed into the incident response process, including alerting, triage, and investigation. Provide examples of how integration has improved response times and effectiveness.

  37. Do you simulate your ability to detect different types of scenarios?

    Technical Guidance: Conduct regular simulations and tabletop exercises to test detection capabilities across various scenarios. Use red teaming and blue teaming exercises to assess readiness.

    Describe the types of scenarios tested and the outcomes of these simulations. Provide examples of lessons learned and improvements made to detection and response processes.

  38. To what extent do you have well-defined cyber incident response planning?

    Technical Guidance: Develop and maintain a comprehensive cyber incident response plan (IRP). Ensure it includes roles, responsibilities, and procedures for different types of incidents.

    Detail your IRP, including how it is developed, maintained, and tested. Provide examples of incidents where the IRP was activated and the outcomes of those responses.

  39. How do you perform triage and categorisation to understand and communicate the type and severity of an incident?

    Technical Guidance: Implement a triage and categorization process for incident response. Use severity levels and impact assessments to prioritize and communicate incidents.

    Explain your triage process, including criteria for categorization and tools used. Provide examples of recent incidents and how they were triaged and communicated to stakeholders.

  40. Does incident response planning processes integrate into crisis management?

    Technical Guidance: Ensure your incident response planning is integrated with overall crisis management processes. Develop communication plans and escalation procedures for major incidents.

    Describe the integration of IRP with crisis management, including coordination between teams and communication strategies. Provide examples of major incidents and how crisis management protocols were enacted.

  41. Do your response plans include proactive communications with third parties and regulators?

    Technical Guidance: Include proactive communication strategies with third parties and regulators in your incident response plans. Establish contacts and protocols for timely notifications.

    Explain your communication plans, including key contacts, communication channels, and notification timelines. Provide examples of incidents where proactive communication was critical to the response effort.

  42. To what extent do you have the capability to perform containment activities that mitigate harm?

    Technical Guidance: Develop capabilities for rapid containment of security incidents. Use network segmentation, access controls, and other techniques to limit the spread of an incident.

    Describe your containment strategies and tools, including examples of how they have been used in past incidents. Provide details on training and preparedness activities to enhance containment capabilities.

  43. To what extent can you perform investigation and eradication activities to remove cyber threats following an incident?

    Technical Guidance: Ensure your incident response plan includes thorough investigation and eradication processes. Use forensic tools and techniques to identify and eliminate threats. Tools like EnCase, FTK, or open-source options like Autopsy can be instrumental in conducting detailed investigations.

    Explain your investigation and eradication process, including the steps taken to gather evidence, analyze compromised systems, and remove malware or other threats. Provide examples of incidents where these processes were effectively applied, detailing the methodologies used and the outcomes achieved.

  44. Do you exercise your ability to respond to a range of cyber scenarios?

    Technical Guidance: Regularly conduct exercises and simulations to test your incident response capabilities across various cyber scenarios. Use both tabletop exercises and live simulations to prepare your team for real-world incidents.

    Describe the range of scenarios tested, including the scope and objectives of each exercise. Provide examples of lessons learned from these exercises and how they have been incorporated into your incident response plans to enhance preparedness and effectiveness.

  45. How do you ensure you are adequately prepared for recovery, following the failure of IT systems or services?

    Technical Guidance: Develop and maintain comprehensive disaster recovery (DR) and business continuity plans (BCP). These plans should outline the steps to recover IT systems and resume critical business operations following a cyber incident.

    Detail your DR and BCP processes, including regular testing and updates. Provide examples of recent DR/BCP tests and any improvements made as a result. Highlight key recovery metrics, such as Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

  46. Do you have recovery plans that cover the recovery of systems and data from an incident caused by a cyber attack?

    Technical Guidance: Ensure your recovery plans specifically address the recovery of systems and data following a cyber attack. Include procedures for restoring data from backups, reconstituting systems, and validating the integrity of restored data.

    Explain the structure of your recovery plans, including roles, responsibilities, and step-by-step procedures. Provide examples of recovery efforts following past cyber incidents, including the effectiveness of your plans and any areas for improvement identified during the recovery process.

  47. Do you hold accessible and secure backups of data and information required to recover the operations of your business services?

    Technical Guidance: Implement a robust backup strategy that includes regular backups of critical data and systems. Ensure backups are stored securely and are readily accessible in the event of an incident. Use encryption and offsite storage, and keep at least one copy that is offline or immutable (write-once or object-lock storage, or a copy that production domain credentials cannot delete), because ransomware operators routinely locate and destroy reachable backups before encrypting. Hold the backup encryption keys somewhere a compromise of production does not expose.

    Describe your backup processes, including the frequency of backups, storage locations, and security measures. Provide examples of how backups have been used in recovery scenarios, highlighting the speed and reliability of your backup solutions.

  48. Do you perform recovery testing?

    Technical Guidance: Conduct regular recovery testing to ensure your recovery plans are effective and that you can restore systems and data quickly and accurately. Use both full-scale and partial recovery tests to validate different aspects of your recovery capabilities.

    Detail your recovery testing process, including the types of tests conducted and their frequency. Provide examples of recent recovery tests, including test results and any improvements made to your recovery plans based on test outcomes.
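As an added example serving questions 46, 47 and 48 (code written for this guide, not from any backup product or from the questionnaire): a backup and restore cycle that records a SHA-256 manifest at backup time, restores into a fresh location, and verifies every restored file against the manifest before the recovery test is declared a pass, timing the restore so it can be compared with the RTO. It runs entirely inside a temporary directory with constructed files, and includes a tamper switch that corrupts the backup copy to show the manifest catching it.

```python
"""Backup manifest, restore and integrity verification for a recovery test.

Files and paths are constructed in a temporary directory."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, backup_dir: Path) -> Path:
    """Copy the source tree to backup_dir/data and write manifest.json beside it."""
    data_dir = backup_dir / "data"
    shutil.copytree(source, data_dir)
    manifest = {p.relative_to(data_dir).as_posix(): sha256_file(p)
                for p in sorted(data_dir.rglob("*")) if p.is_file()}
    manifest_path = backup_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def restore_and_verify(backup_dir: Path, target: Path) -> dict:
    """Restore into target and check every file against the manifest."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    shutil.copytree(backup_dir / "data", target)
    mismatched = [rel for rel, digest in manifest.items()
                  if not (target / rel).is_file() or sha256_file(target / rel) != digest]
    return {"files": len(manifest), "mismatched": sorted(mismatched), "ok": not mismatched}


def recovery_test(tamper: bool = False) -> dict:
    """Full backup/restore cycle on constructed data.

    With tamper=True the backup copy is altered after the manifest is written,
    simulating ransomware or bit-rot hitting the backup store."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "db").mkdir(parents=True)
        (source / "db" / "customers.csv").write_text("id,name\n1,example\n")
        (source / "config.yaml").write_text("service: payments\n")
        backup = root / "backup"
        take_backup(source, backup)
        if tamper:
            (backup / "data" / "db" / "customers.csv").write_text("id,name\n1,ENCRYPTED\n")
        start = time.monotonic()
        result = restore_and_verify(backup, root / "restored")
        result["restore_seconds"] = round(time.monotonic() - start, 3)
        return result


if __name__ == "__main__":
    print("clean:", recovery_test())
    print("tampered:", recovery_test(tamper=True))
```

The manifest only proves anything if an attacker who can rewrite the backup cannot also rewrite the manifest: store it separately from the backup data (or sign it) and keep the copy used for verification on the immutable or offline tier. A recovery test report for the reviewer should state what was restored, from which copy, how long it took against the RTO, and that the restored data verified clean.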

  49. To what extent do you proactively engage with your critical third parties and ecosystem partners on detection, response, and recovery activities?

    Technical Guidance: Engage with critical third parties and ecosystem partners to enhance your collective cybersecurity posture. Share threat intelligence, conduct joint exercises, and establish clear communication channels for incident response and recovery efforts.

    Explain how you collaborate with third parties and partners, including specific initiatives and agreements in place. Provide examples of joint activities, such as threat intelligence sharing or coordinated incident response efforts, and their impact on your overall cybersecurity resilience.

  50. Do you have a process in place that incorporates lessons learned from cyber security tests, events and incidents?

    Technical Guidance: Develop a formal process to capture and incorporate lessons learned from cybersecurity tests, events, and incidents. Use post-incident reviews and after-action reports to identify weaknesses and improve your security posture.

    Describe your lessons learned process, including how information is collected, analyzed, and acted upon. Provide examples of changes made to policies, procedures, or controls based on lessons learned from past incidents or exercises.