The EDUCAUSE HEISC assessment tool was created to evaluate the maturity of higher education information security programs, using as its framework the International Organization for Standardization (ISO) 27002:2013 "Information Technology Security Techniques. Code of Practice for Information Security Management."
This tool was intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its individual information security program. Unless otherwise noted, it should be completed by the chief information officer, chief information security officer or equivalent, or a designee. There are a total of 101 questions. On average it takes about 2 hours for an information security officer or equivalent familiar with their environment to complete this tool.
The self-assessment has been designed to be completed annually, or at whatever frequency your institution considers appropriate for tracking maturity. The assessment tool uses the ISO 21827:2008 framework for scoring maturity, which scales from 0 to 5, with 5 being the highest level of maturity:
0. Not Performed
1. Performed Informally
2. Planned and Tracked
3. Well Defined
4. Quantitatively Controlled
5. Continuously Improving
Answer each question by selecting the appropriate level of maturity, 0–5. The scores for the questions within each ISO section are added up and then averaged to produce a maturity assessment for that section.