Security Assessment Questionnaire
The core assessment is a 20-question questionnaire organized into five security categories. Each category contains four questions that evaluate your organization’s maturity in that domain.
Assessment Categories
| Category | Focus Areas | Questions |
|---|---|---|
| Governance | Security policies, roles and responsibilities, management commitment, compliance awareness | 4 |
| Access Control | User provisioning, authentication, access reviews, privilege management | 4 |
| Data Protection | Encryption, data classification, backup and recovery, data handling procedures | 4 |
| Operations | Change management, incident response, monitoring, vulnerability management | 4 |
| Risk Management | Risk identification, risk treatment, vendor management, business continuity | 4 |
Taking the Assessment
Start the Assessment
Navigate to Compliance > Assessments and click Start Assessment. You can save progress and return later if needed.
Answer Questions
Each question presents multiple-choice options reflecting different maturity levels. Answer honestly based on your current state, not your planned state. Accurate answers produce more useful results.
Review and Submit
After answering all 20 questions, review your answers on the summary page. You can go back and change responses before submitting.
Gap Analysis and Scoring
How Scoring Works
The assessment produces a score from 0 to 20 (one point per question). This raw score translates into a percentage:
- 16-20 (80-100%) - Strong compliance posture with minor gaps
- 12-15 (60-79%) - Moderate compliance posture with notable gaps to address
- 8-11 (40-59%) - Significant gaps requiring focused remediation
- 0-7 (0-39%) - Major gaps across multiple security domains
Assessment to Control Mapping
After scoring, LowerPlane maps your assessment results to specific controls across all enabled frameworks:
- Each question’s answer determines the implementation status of related controls
- The company_controls table is updated with status per framework
- Controls related to low-scoring questions are flagged as gaps
- A prioritized roadmap is generated based on control importance, cross-framework coverage, and dependencies
The assessment does not replace a full audit. It provides a starting point to understand where you stand and what to prioritize. As you implement controls and collect evidence, your actual readiness score (visible on the dashboard) will diverge from the initial assessment score.
Readiness Scoring Per Framework
After the assessment, LowerPlane calculates a readiness score for each enabled framework individually. This shows you how close you are to audit readiness for each specific framework. The readiness score combines three factors:
Control Coverage
Percentage of the framework’s controls that are implemented or partially implemented. This is the largest component of your readiness score.
Evidence Coverage
Percentage of required evidence that has been collected and is still within its validity period. Evidence that has passed its validity period no longer counts as collected, so expired evidence reduces your score.
Policy Coverage
Percentage of required policies that have been published and acknowledged by relevant employees. Draft or unapproved policies do not count.
Interpreting Readiness Scores
| Score Range | Interpretation | Recommended Action |
|---|---|---|
| 90-100% | Audit-ready | Schedule your audit with confidence |
| 75-89% | Nearly ready | Address remaining gaps and verify evidence freshness |
| 50-74% | In progress | Focus on high-priority controls and automated evidence collection |
| Below 50% | Early stage | Prioritize foundational controls and connect key integrations |
Compliance Dashboard Metrics
Your compliance dashboard aggregates assessment and readiness data into actionable metrics:
- Overall readiness - Weighted average across all enabled frameworks
- Per-framework scores - Individual readiness for each framework displayed as progress bars
- Category breakdown - Scores by security domain (governance, access control, data protection, operations, risk management)
- Trend over time - How your scores have changed since the initial assessment
- Top gaps - The highest-priority controls that are not yet implemented
- Recent progress - Controls implemented, evidence collected, and policies published in the last 30 days
Dashboard metrics refresh periodically using materialized database views. There may be a short delay between making changes and seeing them reflected in the dashboard scores.
Audit Preparation
When your readiness scores indicate you are approaching audit readiness, LowerPlane helps you prepare:
Audit Package Generation
LowerPlane can generate a comprehensive audit package that includes:
- Control implementation matrix with evidence references
- All published policies with acknowledgment records
- Evidence artifacts organized by framework and control
- Risk register with treatment plans
- Vendor assessment summaries
- Test results and monitoring reports
Auditor Portal Access
You can grant auditors read-only access through the Auditor Portal. This gives them a structured view of your compliance program without the ability to modify anything. See Auditor Portal for configuration details.
Pre-Audit Checklist
Evidence review
Filter your evidence library for expired or soon-to-expire items. Refresh any stale evidence before the audit begins. Ensure all controls marked as “Implemented” have valid, current evidence attached.
Policy review
Verify all required policies are in “Published” status with employee acknowledgments complete. Check that policy review dates are current and version history is clean.
Control owner verification
Ensure every control has an assigned owner who can answer auditor questions about their controls. Brief control owners on what to expect during the audit.
Gap documentation
For any controls marked as “Not Applicable” or “Partially Implemented,” prepare written justifications. Auditors will ask about these, and documented rationale speeds up the process.
Test results
Review automated and manual test results. Ensure all tests have been run recently and any failures have been remediated or documented with compensating controls.
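The walkthrough below is an added example, not LowerPlane code or its database schema. It models the three readiness factors described under Readiness Scoring Per Framework (control coverage, evidence coverage with validity periods, policy coverage counting only published and fully acknowledged policies) and the evidence checks from the pre-audit checklist (expired or soon-to-expire items, and controls marked Implemented without current evidence). The weights, the exclusion of Not Applicable controls from the coverage denominator, the record shapes and all sample data are assumptions made for illustration; the page publishes none of them.

```python
"""Readiness-score factors and pre-audit evidence checks (illustrative only)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed weights: the page only says control coverage is the largest component.
WEIGHTS = {"controls": 0.5, "evidence": 0.3, "policies": 0.2}
COVERED_STATUSES = {"Implemented", "Partially Implemented"}


@dataclass(frozen=True)
class Control:
    control_id: str
    status: str  # Implemented | Partially Implemented | Not Implemented | Not Applicable


@dataclass(frozen=True)
class EvidenceItem:
    evidence_id: str
    control_id: str
    collected: Optional[date]  # None: required but never collected
    validity_days: int

    def expires_on(self) -> Optional[date]:
        return None if self.collected is None else self.collected + timedelta(days=self.validity_days)

    def is_valid(self, today: date) -> bool:
        exp = self.expires_on()
        return exp is not None and today < exp


@dataclass(frozen=True)
class Policy:
    name: str
    status: str  # Draft | Approved | Published
    acknowledged: int
    required_acks: int


def control_coverage(controls: list[Control]) -> float:
    """Implemented or partially implemented controls over applicable controls.
    Dropping Not Applicable controls from the denominator is an assumption."""
    applicable = [c for c in controls if c.status != "Not Applicable"]
    if not applicable:
        return 0.0
    return sum(c.status in COVERED_STATUSES for c in applicable) / len(applicable)


def evidence_coverage(required: list[EvidenceItem], today: date) -> float:
    """Required evidence that is collected and still inside its validity period."""
    return sum(e.is_valid(today) for e in required) / len(required) if required else 0.0


def policy_coverage(policies: list[Policy]) -> float:
    """Only Published policies with every required acknowledgment count."""
    if not policies:
        return 0.0
    ok = sum(p.status == "Published" and p.acknowledged >= p.required_acks for p in policies)
    return ok / len(policies)


def readiness_score(controls, required, policies, today) -> float:
    """Weighted readiness as a 0-100 percentage (weights are assumed)."""
    score = (WEIGHTS["controls"] * control_coverage(controls)
             + WEIGHTS["evidence"] * evidence_coverage(required, today)
             + WEIGHTS["policies"] * policy_coverage(policies))
    return round(100 * score, 2)


def interpret(score_pct: float) -> str:
    """Bands from the Interpreting Readiness Scores table."""
    if score_pct >= 90:
        return "Audit-ready"
    if score_pct >= 75:
        return "Nearly ready"
    if score_pct >= 50:
        return "In progress"
    return "Early stage"


def stale_evidence(required, today, warn_days=30):
    """Pre-audit evidence review: (expired ids, ids expiring within warn_days)."""
    expired, soon = [], []
    for e in required:
        exp = e.expires_on()
        if exp is None:
            continue  # never collected: a coverage gap, not stale evidence
        if exp <= today:
            expired.append(e.evidence_id)
        elif exp <= today + timedelta(days=warn_days):
            soon.append(e.evidence_id)
    return expired, soon


def implemented_without_valid_evidence(controls, required, today):
    """Controls marked Implemented whose evidence is missing or expired."""
    backed = {e.control_id for e in required if e.is_valid(today)}
    return [c.control_id for c in controls if c.status == "Implemented" and c.control_id not in backed]


# Constructed sample data with a fixed "today" so the numbers are reproducible.
TODAY = date(2025, 6, 1)
CONTROLS = [Control("CC-1", "Implemented"), Control("CC-2", "Implemented"),
            Control("CC-3", "Partially Implemented"), Control("CC-4", "Not Implemented"),
            Control("CC-5", "Not Applicable")]
REQUIRED_EVIDENCE = [EvidenceItem("E-1", "CC-1", date(2025, 5, 1), 90),   # valid until 2025-07-30
                     EvidenceItem("E-2", "CC-1", date(2025, 1, 1), 90),   # expired 2025-04-01
                     EvidenceItem("E-3", "CC-2", date(2025, 2, 1), 90),   # expired 2025-05-02
                     EvidenceItem("E-4", "CC-3", date(2025, 5, 20), 30)]  # expires 2025-06-19
POLICIES = [Policy("Access Control Policy", "Published", 40, 40),
            Policy("Incident Response Plan", "Published", 35, 40),  # acknowledgments incomplete
            Policy("Data Classification Standard", "Draft", 0, 40),
            Policy("Vendor Management Policy", "Approved", 0, 40)]  # approved but not published

if __name__ == "__main__":
    pct = readiness_score(CONTROLS, REQUIRED_EVIDENCE, POLICIES, TODAY)
    print(f"readiness {pct}% -> {interpret(pct)}")
    print("expired / expiring soon:", stale_evidence(REQUIRED_EVIDENCE, TODAY))
    print("implemented without valid evidence:",
          implemented_without_valid_evidence(CONTROLS, REQUIRED_EVIDENCE, TODAY))
```

With this data, control coverage is 3 of 4 applicable controls, evidence coverage 2 of 4 required items (E-2 and E-3 have passed their validity period), and policy coverage 1 of 4 (only the fully acknowledged published policy counts), giving an In progress readiness band. The last check is the one auditors exercise first: CC-2 is marked Implemented but its only evidence has expired, which the pre-audit checklist tells you to refresh before the audit begins.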
Reassessments
Your compliance posture changes over time as you implement controls, connect integrations, and update policies. LowerPlane supports reassessments to track progress:
- Retake the questionnaire at any time to get an updated baseline
- Compare scores between assessments to measure improvement
- Track trends on the dashboard to visualize your compliance journey over time