SURFaudit benchmark information security 2021: steps taken toward cyber maturity, ambition level not yet achieved

The SURFaudit benchmark information security 2021 shows that efforts are still needed to achieve the ambition of an average maturity level of 3. The high participation in the benchmark (51 institutions) does give a clear picture of the areas for improvement. A number of them lend themselves well to being taken up sector-wide.
Omslag van het SURFaudit-benchmark-rapport

Ambition: average maturity level 3

In late 2019, the serious ransomware incident at Maastricht University took place. In response, the institutions and the education umbrella organisations Universities of the Netherlands and Association of Universities of Applied Sciences expressed the ambition to achieve an average maturity level of 3 (on a scale of 5) for the entire SURFaudit Toetsingskader Informatiebeveiliging. Maturity level 3 means that the documentation is in order, there is generally formal approval by the board and that implementation of the measures is demonstrable, tested and effective.

Results SURFaudit benchmark information security 2021

The results (PDF, in Dutch) show that steps have been taken since the 2019 benchmark. However, the report shows that with an average score of 2.2 on the 2021 benchmark, the ambition to reach an average maturity level of 3 has not yet been achieved. Institutions need more time to put their information security processes (better) in place; as a 1 step increase in maturity level will soon take several years.

Taking resilience-enhancing measures together

A number of topics lend themselves well to a joint approach: information security risk management, logging and monitoring, control of cloud use and outsourcing. The CISOs of the universities and colleges have already identified these topics as spearheads. In the SURF Innovation Zone 'State of the art Cyber Security', too, these topics are further elaborated in collaboration with the institutions. Thus, as a sector, we are jointly taking unambiguous resilience-enhancing measures.

About the SURFaudit benchmark

The SURFaudit benchmark measures the maturity of the higher education sector in terms of cyber security using management measures from the SURFaudit Information Security Assessment Framework. Read more about SURFaudit benchmark.

Download the report SURFaudit-benchmark information security 2021(in Dutch)