Risk Assessment Questionnaire

Assess controls across 15 cybersecurity domains. Answers of No, Partially, or Not Sure will generate risks mapped to NIST CSF 2.0.

Each control below is listed as: number, domain, the NIST CSF 2.0 function it maps to (in brackets), and the assessment question.

01. Identity & Access Management [Protect]: Is multi-factor authentication (MFA) enforced for all employees on critical systems?
02. Identity & Access Management [Protect]: Is a formal password policy defined, documented, and technically enforced?
03. Access Management [Protect]: Are user access reviews performed at least quarterly for privileged systems?
04. HR Security [Protect]: Are formal onboarding and offboarding procedures used to grant and revoke access?
05. Data Protection [Protect]: Is sensitive data encrypted at rest and in transit across all production systems?
06. Resilience [Recover]: Are backups tested through documented restore exercises at least annually?
07. Incident Response [Respond]: Is a documented incident response plan in place and tested annually?
08. Awareness & Training [Protect]: Do all employees complete security awareness training at hire and annually?
09. Third-Party Risk [Govern]: Are vendors risk-assessed before onboarding and reviewed annually?
10. Vulnerability Management [Identify]: Are systems scanned for vulnerabilities monthly with remediation SLAs?
11. Logging & Monitoring [Detect]: Are security logs centrally collected and reviewed for anomalies?
12. Governance [Govern]: Are security policies documented, approved, and reviewed annually?
13. Asset Management [Identify]: Is there a complete and up-to-date inventory of hardware and software assets?
14. Endpoint Security [Protect]: Is endpoint protection (EDR) deployed on every corporate device?
15. Business Continuity [Recover]: Is a business continuity / disaster recovery plan documented and tested?