Controls represent good safety practices applicable to most organizations. According to ISO/IEC 27002:2005, they are policies, practices, procedures, organizational structures, and software configurations. Safety-related hardware devices are also included. They aim at decreasing or eliminating vulnerabilities, inhibiting threats, or minimizing impacts caused by incidents.
A questionnaire is a response form for a knowledge base that was associated with an asset component. It can be completed manually by the analyst, automatically from the answers that interviewees or reviewers provide in interviews, or automatically from the results of automated collections. It consists of a series of controls and the respective functions to answer whether or not each control was implemented.
There are three possible statuses for questionnaires:
• Not Open: the questionnaire has never been opened.
• Open: the questionnaire has been opened by the analyst, though controls have not necessarily been answered.
• Closed: the questionnaire has been answered and closed by the analyst.
Questionnaires can be answered online through the system or offline through either a mobile device or an Excel spreadsheet. For details on answering a questionnaire through a mobile device, see Mobile Applications.