If you are familiar with the topic of information security, then compose such a test of a dozen questions on your own in half an hour, well, let it take an hour. And for checking your sponsored employees, such a test will be better than a ready-made one found somewhere.
And if you are not very familiar with the topic, then the ready-made test will not only not help, but will also mislead you, because. check the answers will have formally. And in fact, good answers will be formally recognized as wrong. Those. a competent employee may well get a worse result in the test than a not very literate one (randomness). This can often be seen with tests offered by HR at interviews, when these tests are found by HR themselves on the Internet. But there you can find an excuse - they have a hopeless situation when there is simply no one to evaluate applicants.
You have such a hopeless situation and there is no such excuse. So either independently and thoughtfully test with your own questions, or not at all.

Spherical IB tests in a vacuum are only useful for working in the same company that is spherical in a vacuum.
In reality, it is necessary to assess the risks, probabilities, administrative organizational processes, etc. After all, IS is not only a technical part, but also an organizational part (the processes of creating accounts for employees, issuing the necessary powers, etc. storing data - including on tables and in nightstands, passwords from a computer under the keyboard) - this is all also IB.

Hire a specialist who will conduct an audit and issue recommendations. If you are not a security person, then where is the guarantee that IT specialists will not simply deceive you, taking advantage of your ignorance?
Well, and all sorts of basic things, like not working from under the admin, not turning off firewalls and UAC, blocking the computer moving away from it, changing passwords regularly ...