Gradient

A-Rating Requirements

ID
Question
Explanation
B1
Question
Do you have a current information security policy (or IT security policy) that applies to your company?
Explanation

The information security policy must cover the essential requirements for information security (all core topics - if applicable - must be described in this policy) and should be based on an existing set of rules (e.g. ISO 27001/27002, NIST 800, IT Grundschutz, IT security manual WKO etc.). The policy must be approved by management and available to all employees.

B2
Question
Do you regularly train your employees in Information Security?
Explanation

The training must cover the content of the information security policy and address current threats. The content must include at least the following topics:

  • Proficient use of computers and information
  • Select and manage passwords correctly
  • Safe on the Internet (e.g. use of company data in AI services and social networks)
  • Emails, spam, and phishing
  • Dangerous malware
  • Behavior and procedure if an IT security incident is suspected

Full training must take place at least upon entry and updated information must be communicated at least every two years.

B3
Question
Is there one or more designated people in your company who are responsible for information security?
Explanation

There must be at least one named person who is responsible for the topic of information security, i.e. who creates the policy and takes care of the implementation of the measures and is given the necessary time for this. This person must have the necessary basic technical knowledge of the topics and keep themselves informed about cyber risks. This activity can be carried out in addition to other activities or can also be carried out by external parties on behalf of the company.

B4
Question
Do you regularly maintain a record of all your IT assets and services (including cloud services) and associated responsibilities?
Explanation
  • There must be a directory of all IT assets used (systems, services - cloud and on-premise). This directory must at least contain the name and version of the system and the person responsible for it.
  • The directory must be kept complete and up to date.
B5
Question
Do you manage system access according to an authorization concept that only grants everyone the rights necessary for his work?
Explanation
  • Both access to the applications and to the file systems must be regulated and correctly set authorizations must be used to ensure that only those people who have a need for it based on their job profile (need-to-know) can access it.
  • There is a documented procedure for granting and revoking permissions.
B6
Question
Do you require your employees to use passwords with a secure minimum strength for all applications?
Explanation

There must be clearly described minimum criteria for passwords, which implement the recommendations of current standards (password strength, two-factor authentication where necessary and appropriate, separation of passwords, etc.) Reference: BSI, NIST 800, etc.

B7
Question
Do you use the security settings recommended by the manufacturer and do you ensure that all your IT systems are securely configured?
Explanation

There must be a document that describes the requirements for the safe configuration of the systems used. References to manufacturer recommendations are sufficient. These settings must also be actually implemented on all devices used - as far as technically possible. Alternatively, a vulnerability scan is verifiably carried out before commissioning.

B8
Question
Do you check - if available - individually developed applications accessible from the Internet for security gaps before going live?
Explanation

Individual software (e.g. adapted open source software, but not standard software) that can be accessed from the Internet must be checked for vulnerabilities before being put into operation using a penetration test adapted to the individual software.

B9
Question
Do you regularly update all IT systems and applications with security updates?
Explanation
  • Regularly update the systems with updates provided by the manufacturer. No system update must be more than one quarter overdue (unless there is a documented reason why an update cannot be applied)
  • Systems that are no longer provided with security updates by the manufacturer are decommissioned in a timely manner or there are defined exception processes including a list of deviations.
B10
Question
Do you protect your network against unauthorized access from outside?
Explanation

A network segmentation device (e.g. firewall, router, etc.) is in use, which limits network traffic from the Internet to the internal network based on rules that are as restrictive as possible.

B11
Question
Do you monitor your IT systems for malware?
Explanation

At least antivirus software must be in use, which continuously checks the systems and files for malware. The software must be continually updated and this update must be checked centrally at least once a month. In the event of suspicion, the company will be alerted.

B12
Question
Do you encrypt sensitive data when transmitted over the Internet?
Explanation
  • It must be possible to transfer files in encrypted form, either via email (e.g. S/MIME, PDF encrypted, mandatory enforced TLS, etc.) or via encrypted upload.
  • Form data on the website is only uploaded via https.
B13
Question
Do you log the use of your IT systems to make security incidents traceable?
Explanation
  • At least the standard protocols of the operating systems must be activated. The logs must be available to the company.
  • There is an overview of all active system logs and their location.
  • The logs are kept for at least three months.
B14
Question
Do you have an emergency plan in place to respond to an IT security incident?
Explanation

The emergency plan must describe how to respond to a serious IT security incident. Serious security incidents include:

  • System failure,
  • Malware infection (including cryptolocker) as well
  • Data leakage

Plans must be tested at least every two years. The test must include at least data and service recovery.

A1
Question
Do you check IT systems in your network for security gaps?
Explanation
  • A vulnerability scanning tool must be in use and must be used at least once per month.
  • The scan must check the entire IP range of the internal IT networks as well as IT systems accessible from the Internet. Unauthorized devices must also be identified.
  • Measures are derived and implemented from the security gaps found.
A2
Question
Do you have mechanisms in place that check the security when creating or purchasing individually developed software?
Explanation

There is a policy for secure software development, which includes security requirements, secure coding rules and a testing concept. The policy for secure software development must also address the issue of Software Bill of Materials (SBOM) (from 2025 at the latest). When purchasing software, there is a security requirements list and a risk analysis process from the provider/manufacturer.

A3
Question
Do you carry out penetration tests in your system landscape?
Explanation
  • Penetration tests are carried out at least every two years to check the vulnerability of the company.
  • Measures are derived and implemented from the vulnerabilities found.
A4
Question
Do you monitor your networks for unusual activities or anomalies?
Explanation

At least one technology must be in use that is able to detect and centrally report intrusions or anomalies in the system landscape (network, endpoint, clients, server, cloud).

A5
Question
Do you have whitelisting and Cloud Access Security Brokers (CASB) in place to prevent unauthorized processes and applications from running?
Explanation

A technology must be active on all clients and servers so that only allowed processes and applications can run. A CASB is used for cloud services to only be able to run approved cloud applications. Unknown activities are prevented, reported and the reports are investigated.

A6
Question
Do you protect identities, access and authorizations in an appropriate and traceable manner?
Explanation
  • Identity and authorization management is in use, which makes all identities and their authorizations clearly traceable on a person-by-person basis.
  • Authorization management must also include administrative authorizations and authorizations for access to customer systems.
  • Use of multi-factor authentication, especially for externally accessible systems such as: VPN, Jump hosts, Remote Support Tools, Webmail and other web services.
A7
Question
Do you use technology that automatically correlates and analyzes the log files of your systems?
Explanation

A technology (e.g. SIEM) is in use, to which at least the critical network and security systems are connected and whose log files are continuously correlated and analyzed for irregularities.

A8
Question
Do you have or use a Security Operations Team?
Explanation
  • The company must have employees with proven qualifications in the area of IT security who perform ongoing monitoring as their main task, or there must be an SLA/contract with a corresponding company that takes over ongoing monitoring.
  • Suspected cases must be investigated and, in the case of confirmed incidents, an alarm must be raised and, if relevant, affected customers must be informed.
A9
Question
Can you access qualified resources in the event of a serious security incident?
Explanation

Employees with proven qualifications in the areas of indepth incident response and IT forensics must be employed in the company or there must be an SLA/contract with a corresponding company, or access to one must be covered by cyber insurance.

A10
Question
Do you ensure your operational continuity through a tested resilience concept or a resilient architecture?
Explanation
  • The resilience concept must include preventive and reactive measures in order to be able to respond to serious security incidents and thus ensure operational continuity. Serious security incidents include:
    • Failure of the systems (including power failure, failure of the internet connection)
    • Malware infection (including cryptolocker)
    • Data leakage
    • Targeted hacking attacks (e.g. APTs)
  • When operating critical applications in the cloud, these measures and tests must be proven by the cloud operator (e.g. via ISAE 3402 reports).
  • Tests must be carried out at least once a year and necessary improvement measures must be implemented.
A11
Question
Do you have a process for managing your supplier risks?
Explanation

There must be a documented process that ensures in advance and on an ongoing basis that suppliers also manage their cyber risks appropriately.