There are so many questions in the Standard Requirements Self Assessment Guide – will I get pushback from my clients?

The Standard Requirements Self Assessment Guides are quite popular with consultants and executives. They use the Assessment Guides as part of their annual benchmarks and prior to improvement projects to identify areas to tackle.

Some subject are more involved then others. Take for example Identity and Access Management. Earlier in the week we received a question from a client around Identity and Access Management and how to use the Self Assessment Guide in such a way that it achieves the best possible results.

Identity and Access Management is a complex subject with many different areas to consider. That’s why the Self Assessment Guide contains 905 different Standard Requirements questions.

At first glance, you may find this overwhelming and question the applicability of the Self Assessment in a practical situation.

Take for example the following question from one of our clients who is a senior consultant specialising in Security and Access Management.


“I was looking through the pdf/xls. These questions while good, and helpful for a consultant going to a client with requiring to complete assessment. My only concern is the number of questions they would need to answer and would create a pushback. With that in view would you have a smaller power packed set of questions, that should paint an equally representative view?”


There is no need to answer all questions, ideally it is, but not all questions will be relevant to the specific clients’ situation.
To specifically start with less criteria, I’d recommend start with the ones which are specific IAM related criteria, and less aimed at the (process) management criteria, which are of the generic applicable kind. (see example below)


  • Administration – What is in place to develop and maintain an appropriate IAM strategy, policies, procedures, and ongoing operations?
  • Are appropriate measures in place to deter, prevent, and detect attempts at evading iam processes?
  • Are Forensic investigations of security incidents possible, for example, who accessed my application yesterday at 2 AM?
  • Are hybrid clouds in our future?
  • Are IAM procedures correctly followed and does the IAM solution work as it should?
  • Can I live with the built-in capabilities of the IoT platforms?
  • Can I reuse my existing identities and access policies?
  • Can it handle your organization in the future?
  • Do we work towards a future of cloud-based integration Platform as a Service (iPaaS) and leave on-premises integration behind?
  • Do you need end-to-end authentication and authorization?
  • Does a provisioning solution support integration with our on-premise identity repository?
  • Is IAM worth it?
  • Is Internal IAM Inhibiting Value, and When Is IDaaS an Answer?
  • is the access and activity monitored, logged, and reported appropriately?
  • is the access appropriate for the job being performed?

Feel free to contact us for additional support and to answer any of your questions.

For more information on the Self Assessments and a full overview of the available topics, go to