dbosk
commented
5 years ago There are many things that I'm thinking should be P-F only. So I'm in favour of that.
The only things I can see as sensible criteria are : clarity of the report, thoroughness in the "investigation" (motivations for why improvements are not needed). The former is not reason to distinguish an A from an E, rather VG from G. The latter might not be relevant, depends on how specific the framework is.
Should this be a Pass or Fail assignment? If the students performs the project at a company that already have an ISMS in place, they usually don't find anything to report, nor are they able to give insightful suggestions on how to better the security. This can therefore not be the grading criteria (or part of if at least). The rest is mainly just that they have performed the project and followed the template.