About this program
A 24-question check across the six NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover. After each answer, expand the "How to test + evidence" panel (the auditor's view) for how to test the control, what evidence to collect, and the ideal response.
Controls (24)
- Is there a documented cybersecurity strategy that aligns with business objectives and is reviewed annually by leadership? (Medium)
How to test + evidence
Risk: A strategy that is reviewed is a living control; auditors treat an unreviewed document as nominal.
Testing procedure: Inspect the strategy document. Verify board or leadership approval and a last review within the past 12 months. Confirm the strategic objectives map to business outcomes.
Evidence to collect: Cyber strategy document with version history; board minutes referencing the strategy; annual review log; mapping of strategy to business objectives.
- Are cyber roles, responsibilities, and accountabilities clearly defined and communicated? (Medium)
How to test + evidence
Risk: Without a RACI, gaps and conflicts hide inside everyday process. Auditors trace specific activities to named people.
Testing procedure: Inspect the RACI matrix and the named executive sponsor. Test it by asking three staff chosen at random who owns incident response, privacy and vendor risk.
Evidence to collect: RACI matrix with named individuals; executive sponsor with documented delegation; job descriptions referencing cyber duties.
- Is there a formal cyber risk register reviewed by management at least quarterly? (Medium)
How to test + evidence
Risk: A quantified register reviewed quarterly forces a real conversation. Annual qualitative registers produce noise that does not inform decisions.
Testing procedure: Inspect the risk register and the last four quarterly reviews. Verify each risk has an owner and a recorded treatment decision.
Evidence to collect: Risk register snapshot; quarterly review minutes; risk treatment plans with owners; risk appetite statement.
- Do you have a third-party / supply-chain risk management programme (assessments, monitoring, contractual controls)? (Medium)
How to test + evidence
Risk: Supplier compromise is a common breach path. Continuous monitoring catches degradation between onboarding and incident.
Testing procedure: Sample 25 vendors. Verify a security questionnaire on file, contractual security clauses, and ongoing monitoring (e.g. security ratings) for each.
Evidence to collect: Vendor register with criticality tiers; onboarding security questionnaires; contractual information-security clauses; continuous monitoring tooling output.
- Do you have an up-to-date inventory of hardware, software, and data assets? (Medium)
How to test + evidence
Risk: Automated discovery catches shadow IT; manual inventories miss it. You cannot protect what you do not know you have.
Testing procedure: Inspect the asset inventory. Sample 10 assets observed during the walkthrough and confirm each appears in the inventory; also reconcile the discovery tool's output against the inventory to find assets recorded nowhere.
Evidence to collect: Asset inventory export; discovery tooling output (e.g. Lansweeper, Tanium, ServiceNow); date of last review.
- Is sensitive data classified and labelled (e.g. confidential, internal, public)? (Medium)
How to test + evidence
Risk: Automated classification plus DLP makes labels enforceable. Policy without enforcement is theatre.
Testing procedure: Inspect the classification policy and sample data assets. Verify labels are applied and that DLP rules enforce the restrictions for each label.
Evidence to collect: Classification scheme; sample labelled assets; DLP rules per classification level; records of processing.
- How mature is your vulnerability management programme? (Medium)
How to test + evidence
Risk: Risk-based prioritisation aligned to CISA's Known Exploited Vulnerabilities (KEV) catalogue is the modern bar. Patching every severity at the same pace wastes effort without reducing risk.
Testing procedure: Inspect scanner output and the patching SLA per severity. Sample 10 critical CVEs from the period and confirm each was remediated within SLA.
Evidence to collect: Vulnerability scanner reports; patch SLA per severity; KEV monitoring; sample patch deployment records.
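The sampling step above is easy to script against a scanner export. The following is an added example, not code from the page or from any scanner vendor: it applies a per-severity SLA, pulls KEV-listed CVEs forward to a shorter deadline, and reports which findings met, breached, or are overdue as of the audit date. The SLA values, the KEV extract and the findings are all constructed assumptions.

```python
from datetime import date, timedelta

# Remediation SLA in days per scanner severity (constructed policy, an assumption).
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
# Anything on the KEV catalogue is pulled forward to this deadline regardless of severity.
KEV_SLA_DAYS = 7

# Constructed KEV extract and scanner findings; not real catalogue or scan data.
KEV_CATALOGUE = {"CVE-2024-0001", "CVE-2024-0004"}
FINDINGS = [
    {"cve": "CVE-2024-0001", "host": "web-01", "severity": "high",
     "first_seen": date(2024, 3, 1), "remediated": date(2024, 3, 5)},
    {"cve": "CVE-2024-0002", "host": "web-01", "severity": "critical",
     "first_seen": date(2024, 3, 1), "remediated": date(2024, 3, 20)},
    {"cve": "CVE-2024-0003", "host": "db-01", "severity": "medium",
     "first_seen": date(2024, 2, 1), "remediated": None},
    {"cve": "CVE-2024-0004", "host": "vpn-01", "severity": "medium",
     "first_seen": date(2024, 3, 10), "remediated": None},
    {"cve": "CVE-2024-0005", "host": "db-01", "severity": "low",
     "first_seen": date(2024, 1, 1), "remediated": date(2024, 2, 1)},
]


def sla_days(finding, kev=KEV_CATALOGUE):
    """KEV membership shortens the deadline; it never lengthens it."""
    days = PATCH_SLA_DAYS[finding["severity"]]
    return min(days, KEV_SLA_DAYS) if finding["cve"] in kev else days


def evaluate(finding, as_of, kev=KEV_CATALOGUE):
    """Classify one finding against its deadline as of the audit date."""
    due = finding["first_seen"] + timedelta(days=sla_days(finding, kev))
    closed = finding["remediated"]
    if closed is not None:
        status = "met" if closed <= due else "breached"
    else:
        status = "open-overdue" if as_of > due else "open-within-sla"
    end = closed if closed is not None else as_of
    return {"cve": finding["cve"], "host": finding["host"], "kev": finding["cve"] in kev,
            "due": due, "days_open": (end - finding["first_seen"]).days, "status": status}


def run_report(findings=FINDINGS, as_of=date(2024, 3, 25), kev=KEV_CATALOGUE):
    """Per-finding results plus a summary; compliance % counts closed findings only."""
    results = [evaluate(f, as_of, kev) for f in findings]
    summary = {s: 0 for s in ("met", "breached", "open-overdue", "open-within-sla")}
    for r in results:
        summary[r["status"]] += 1
    closed = summary["met"] + summary["breached"]
    summary["sla_compliance_pct"] = round(100 * summary["met"] / closed, 1) if closed else None
    return results, summary


if __name__ == "__main__":
    results, summary = run_report()
    for r in results:
        print(f"{r['cve']:<14} {r['host']:<7} kev={r['kev']!s:<5} due={r['due']} {r['status']}")
    print(summary)
```

Note the medium-severity KEV entry (CVE-2024-0004 in the constructed data) is overdue after 7 days even though the medium SLA is 90: that is the difference between risk-based and equal-severity patching the Risk line refers to.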
- How are identities and access managed? (Medium)
How to test + evidence
Risk: Identity is the perimeter. Standing privileged accounts are the most attacked target; SSO, MFA and just-in-time (JIT) access remove them.
Testing procedure: Inspect SSO and MFA coverage. Verify privileged access is governed (PAM, JIT). Sample the quarterly access reviews.
Evidence to collect: SSO application catalogue; MFA policy and login records; PAM tooling logs; quarterly access review reports.
- How are endpoints protected? (Medium)
How to test + evidence
Risk: EDR plus full-disk encryption (FDE) is the modern endpoint baseline. Configuration management prevents drift.
Testing procedure: Pull the EDR, FDE and MDM coverage reports. Sample 10 endpoints and verify each has the full stack.
Evidence to collect: EDR coverage report; FDE status; MDM enrolment and compliance; configuration baseline.
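Both the asset-inventory sampling above and the endpoint-stack check come down to reconciling tool exports that name the same hosts differently. The following is an added example, not code from the page or from any of the tools it names: it normalises hostnames, finds discovered assets missing from the inventory (and inventory entries the discovery tool never saw), checks each inventoried endpoint for the tools its asset type requires, and runs the auditor's walkthrough sample. The exports, asset types and required stack are constructed assumptions.

```python
# Constructed exports (an assumption): hostnames as each tool reports them,
# deliberately inconsistent in case to show why normalisation matters.
DISCOVERY = {"WEB-01", "web-02", "lap-0411", "lap-0412", "printer-3f", "lap-0419"}
INVENTORY = {"web-01", "web-02", "db-01", "lap-0411", "lap-0412", "lap-0413"}
COVERAGE = {
    "edr": {"web-01", "web-02", "lap-0411", "lap-0412", "lap-0419"},
    "fde": {"lap-0411", "lap-0419", "lap-0413"},
    "mdm": {"lap-0411", "lap-0412", "lap-0413"},
}
ASSET_TYPE = {"web-01": "server", "web-02": "server", "db-01": "server",
              "lap-0411": "laptop", "lap-0412": "laptop", "lap-0413": "laptop",
              "lap-0419": "laptop", "printer-3f": "printer"}
# Which tools each asset type must have (constructed baseline, an assumption):
# servers get EDR; laptops get EDR + FDE + MDM; printers are out of scope.
REQUIRED_STACK = {"server": ("edr",), "laptop": ("edr", "fde", "mdm"), "printer": ()}


def norm(names):
    """Lower-case and strip so the same host matches across tools."""
    return {n.strip().lower() for n in names}


def reconcile_inventory(discovery=DISCOVERY, inventory=INVENTORY):
    """Shadow IT is the 'unrecorded' set; stale inventory entries are the 'unseen' set."""
    d, i = norm(discovery), norm(inventory)
    return {"unrecorded": sorted(d - i), "unseen": sorted(i - d)}


def endpoint_gaps(inventory=INVENTORY, coverage=COVERAGE, asset_type=ASSET_TYPE,
                  required=REQUIRED_STACK):
    """Map host -> list of required tools that do not report it."""
    cov = {tool: norm(hosts) for tool, hosts in coverage.items()}
    gaps = {}
    for host in sorted(norm(inventory)):
        kind = asset_type.get(host, "unknown")
        missing = [t for t in required.get(kind, ()) if host not in cov.get(t, set())]
        if missing:
            gaps[host] = missing
    return gaps


def sample_check(sample, inventory=INVENTORY):
    """The walkthrough test: every sampled asset must appear in the inventory."""
    inv = norm(inventory)
    return {s: s.strip().lower() in inv for s in sample}


if __name__ == "__main__":
    print(reconcile_inventory())
    print(endpoint_gaps())
    print(sample_check(["WEB-01", "printer-3f"]))
```

The unknown asset type falls through to an empty requirement on purpose, so an unclassified host is reported by the inventory reconciliation rather than silently passing the stack check.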
- Is sensitive data protected with encryption (at rest, in transit) and DLP? (Medium)
How to test + evidence
Risk: Encryption everywhere is necessary; DLP enforcement is what stops data leaving.
Testing procedure: Verify encryption at rest on storage and databases, and TLS for data in transit. Inspect DLP rules and the alerts they generated.
Evidence to collect: Encryption status per service; KMS / key management configuration; DLP rules and sample alerts; classification labels.
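The classification and DLP controls above are only as good as the rule that decides whether a transfer is allowed. The following is an added example, not code from the page or from any DLP product: a small policy engine that maps classification labels to allowed channels, detects card numbers in content with a Luhn check so that false positives (an order number) do not block, and escalates unlabelled or under-labelled content to confidential when it contains a match. The policy table and events are constructed assumptions.

```python
import re

# Label -> channel -> decision (constructed policy, an assumption).
POLICY = {
    "public":       {"external_email": "allow", "cloud_share": "allow"},
    "internal":     {"external_email": "block", "cloud_share": "allow"},
    "confidential": {"external_email": "block", "cloud_share": "block"},
}

# 13-19 digit runs with optional single space/hyphen separators, not embedded in longer runs.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return masked PANs (last four digits only) so the alert itself does not leak the number."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def evaluate_transfer(event, policy=POLICY):
    """Decide allow/block for one outbound event: {'label', 'channel', 'body'}."""
    pans = find_pans(event["body"])
    label = event.get("label")
    if pans:
        effective = "confidential"          # content beats label: auto-classify upwards
        reason = f"content match: {len(pans)} card number(s)"
    elif label in policy:
        effective = label
        reason = f"label '{label}'"
    else:
        effective = "internal"              # unlabelled content is not treated as public
        reason = "unlabelled, defaulted to internal"
    return {"effective_label": effective, "pans": pans,
            "decision": policy[effective][event["channel"]], "reason": reason}


# Constructed events (an assumption); the card number is a well-known test PAN.
EVENTS = [
    {"label": "public", "channel": "external_email", "body": "Q3 press release draft"},
    {"label": "internal", "channel": "external_email",
     "body": "Card 4111 1111 1111 1111 for the test harness"},
    {"label": None, "channel": "cloud_share", "body": "order 1234567890123456 shipped"},
    {"label": "confidential", "channel": "cloud_share", "body": "board pack"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(evaluate_transfer(e))
```

The third event is the caveat a reviewer should look for in real rule sets: a bare "16 digits" regex would block a harmless order number, and teams respond to that noise by disabling the rule.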
- Is security awareness training delivered consistently across the organisation? (Medium)
How to test + evidence
Risk: Annual training has a decaying effect. Continuous training plus simulations changes behaviour.
Testing procedure: Pull the training matrix and completion figures. Inspect the simulated phishing reports.
Evidence to collect: Training catalogue with role mapping; completion percentages; phishing simulation results trend.
- Is your network segmented and protected with modern controls (NGFW, ZTNA, microsegmentation)? (Medium)
How to test + evidence
Risk: Flat networks let ransomware spread. Zero trust is the modern target.
Testing procedure: Inspect the network architecture and the firewall rule set. Test east-west blocking between segments.
Evidence to collect: Network architecture diagram; firewall rule set and date of last review; ZTNA deployment status.
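Reviewing a rule set by eye misses the broad "temporary" allow that flattens two segments. The following is an added example, not code from the page or from any firewall vendor: it flags allow rules between internal segments that open any service or whose source or destination spans several segments, then simulates first-match evaluation for a list of flows the segmentation policy says must be denied, which is the east-west blocking test in tabular form. The segments, rule set and expected-denied flows are constructed assumptions.

```python
import ipaddress

# Constructed segment map and rule set (assumptions). Rules evaluate top-down, first match wins,
# and an implicit deny follows the last rule.
SEGMENTS = {
    "user-lan": ipaddress.ip_network("10.10.0.0/16"),
    "servers":  ipaddress.ip_network("10.20.0.0/16"),
    "ot":       ipaddress.ip_network("10.30.0.0/16"),
    "dmz":      ipaddress.ip_network("192.168.100.0/24"),
}
RULES = [
    {"id": 10, "action": "allow", "src": "10.10.0.0/16", "dst": "10.20.5.10/32", "proto": "tcp", "ports": [443]},
    {"id": 20, "action": "allow", "src": "10.10.0.0/16", "dst": "10.20.0.0/16", "proto": "any", "ports": "any",
     "comment": "temp - migration"},
    {"id": 30, "action": "allow", "src": "10.0.0.0/8", "dst": "10.30.0.0/16", "proto": "tcp", "ports": [3389]},
    {"id": 40, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "ports": "any"},
]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def segments_touched(cidr, segments=SEGMENTS):
    """Segments a CIDR lies inside or fully contains (a /8 source 'touches' every 10.x segment)."""
    net = _net(cidr)
    return [name for name, seg in segments.items() if net.subnet_of(seg) or seg.subnet_of(net)]


def permissive_east_west(rules=RULES, segments=SEGMENTS):
    """Allow rules between internal segments that are too broad to be a segmentation boundary."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src_segs, dst_segs = segments_touched(r["src"], segments), segments_touched(r["dst"], segments)
        if not src_segs or not dst_segs:
            continue                      # north-south traffic; outside this check
        reasons = []
        if r["proto"] == "any" or r["ports"] == "any":
            reasons.append("any service")
        if len(src_segs) > 1:
            reasons.append("source spans segments " + ", ".join(src_segs))
        if len(dst_segs) > 1:
            reasons.append("destination spans segments " + ", ".join(dst_segs))
        if reasons:
            findings.append({"id": r["id"], "reasons": reasons})
    return findings


def decision(src_ip, dst_ip, proto, port, rules=RULES):
    """First-match evaluation; returns (action, matching rule id or None for implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in _net(r["src"]) and d in _net(r["dst"]) and r["proto"] in ("any", proto)
                and (r["ports"] == "any" or port in r["ports"])):
            return r["action"], r["id"]
    return "deny", None


# Flows the segmentation policy says must not pass (constructed expectations).
EXPECTED_DENIED = [
    ("10.10.1.5", "10.20.7.7", "tcp", 445),    # user LAN -> server SMB
    ("10.10.1.5", "10.30.1.1", "tcp", 445),    # user LAN -> OT SMB
    ("10.10.1.5", "10.30.1.1", "tcp", 3389),   # user LAN -> OT RDP
]


def isolation_violations(expected_denied=EXPECTED_DENIED, rules=RULES):
    """Each expected-denied flow that the rule set actually allows, with the rule responsible."""
    out = []
    for src, dst, proto, port in expected_denied:
        action, rid = decision(src, dst, proto, port, rules)
        if action == "allow":
            out.append({"flow": (src, dst, proto, port), "allowed_by": rid})
    return out


if __name__ == "__main__":
    print(permissive_east_west())
    print(isolation_violations())
```

The simulation is a static check against the exported rule set; it complements, rather than replaces, probing the boundary from a host in each segment, because NAT, policy-based routing or a second enforcement point can make the live path differ from the table.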
- Are logs centralised in a SIEM with detection rules tuned to your environment? (Medium)
How to test + evidence
Risk: Tuned detection content turns logs into actionable signal. Default rules miss the specific TTPs in your environment.
Testing procedure: Inspect SIEM log-source coverage and the detection rules. Sample alerts triaged in the period.
Evidence to collect: SIEM coverage matrix; detection rule list with last-tuned dates; MITRE ATT&CK coverage; threat hunt reports.
- Who monitors security alerts and how often? (Medium)
How to test + evidence
Risk: 24/7 coverage collapses dwell time. Business-hours-only response means an attack that starts on Friday evening has all weekend.
Testing procedure: Inspect the SOC roster or MDR contract. Verify the mean-time-to-acknowledge (MTTA) metric.
Evidence to collect: SOC roster / MSSP contract; on-call schedule; MTTA / MTTR metrics.
- Do you consume and act on threat intelligence relevant to your industry? (Medium)
How to test + evidence
Risk: Integration into detection content is what makes intel actionable. Manual review does not convert to defence at scale.
Testing procedure: Inspect the intel sources and the workflow. Trace three specific intel items to the actions they produced.
Evidence to collect: Threat intel feeds and ingest method; sample detection rules sourced from intel; briefings to leadership.
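The detection-rule evidence two controls above (rule list with last-tuned dates, ATT&CK coverage) and the intel traceability test here are produced by the same data: a rule catalogue with provenance, run over logs. The following is an added example, not code from the page or from any SIEM: a minimal rule engine over constructed proxy and authentication events, where one rule is derived from an intel feed, one from an internal hunt, and one is an untouched vendor default. It reports the alerts, the rules that have not been tuned within a threshold, the technique coverage, and how many alerts each intel-derived rule produced. The domains are reserved test names, not real indicators; the logs, rules and dates are constructed assumptions.

```python
from datetime import date

# Constructed intel feed extract (an assumption). ".invalid" is reserved and never resolves.
INTEL_DOMAINS = {"c2.badactor.invalid", "drop.badactor.invalid"}

# Constructed log events as normalised by a SIEM (an assumption).
LOGS = [
    {"ts": "2024-03-22T18:02:11Z", "source": "proxy", "user": "j.doe",
     "dst_host": "updates.example-vendor.test", "action": "allowed"},
    {"ts": "2024-03-22T18:03:40Z", "source": "proxy", "user": "j.doe",
     "dst_host": "c2.badactor.invalid", "action": "allowed"},
    {"ts": "2024-03-22T18:05:00Z", "source": "auth", "user": "svc-backup",
     "event": "logon", "logon_type": "interactive", "host": "db-01"},
    {"ts": "2024-03-22T18:06:00Z", "source": "auth", "user": "j.doe",
     "event": "logon", "logon_type": "interactive", "host": "lap-0411"},
    {"ts": "2024-03-22T18:09:30Z", "source": "proxy", "user": "a.smith",
     "dst_host": "intranet.corp.test", "action": "allowed"},
]

# Rule catalogue with provenance and tuning dates (constructed). Technique IDs are MITRE ATT&CK.
RULES = [
    {"id": "R-001", "name": "Proxy request to intel-listed C2 domain", "technique": "T1071.001",
     "origin": "intel feed (constructed)", "last_tuned": date(2024, 3, 20),
     "match": lambda e: e["source"] == "proxy" and e.get("dst_host") in INTEL_DOMAINS},
    {"id": "R-002", "name": "Interactive logon by service account", "technique": "T1078.002",
     "origin": "internal threat hunt", "last_tuned": date(2023, 6, 1),
     "match": lambda e: e["source"] == "auth" and e.get("event") == "logon"
                        and e.get("user", "").startswith("svc-") and e.get("logon_type") == "interactive"},
    {"id": "R-003", "name": "Vendor default: 10 failed logons in 5 min", "technique": "T1110.001",
     "origin": "vendor default pack", "last_tuned": None,
     "match": lambda e: e["source"] == "auth" and e.get("event") == "logon_failed" and e.get("count", 0) >= 10},
]


def run_detections(logs=LOGS, rules=RULES):
    """Evaluate every rule against every event; return the alerts with their ATT&CK technique."""
    return [{"rule": r["id"], "technique": r["technique"], "user": e.get("user"), "ts": e["ts"]}
            for e in logs for r in rules if r["match"](e)]


def stale_rules(rules=RULES, as_of=date(2024, 3, 25), max_age_days=180):
    """Rules never tuned, or not tuned within the threshold: candidates for the 'default rules' finding."""
    return [r["id"] for r in rules
            if r["last_tuned"] is None or (as_of - r["last_tuned"]).days > max_age_days]


def attack_coverage(rules=RULES):
    """Technique -> rule ids, the raw material for an ATT&CK coverage matrix."""
    cov = {}
    for r in rules:
        cov.setdefault(r["technique"], []).append(r["id"])
    return cov


def intel_traceability(rules=RULES, alerts=None):
    """For each intel-derived rule, the number of alerts it produced: the chain intel -> rule -> alert."""
    alerts = run_detections(rules=rules) if alerts is None else alerts
    return {r["id"]: sum(a["rule"] == r["id"] for a in alerts)
            for r in rules if r["origin"].startswith("intel")}


if __name__ == "__main__":
    print(run_detections())
    print("stale:", stale_rules())
    print(attack_coverage())
    print(intel_traceability())
```

A rule that has never fired and was never tuned (the vendor default here) is not evidence of coverage for its technique; the coverage matrix should be read alongside the alert and tuning history, not on its own.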
- Are user and entity behaviour anomalies (UEBA) monitored? (Medium)
How to test + evidence
Risk: UEBA catches account takeover that signature detection misses. Automated response collapses time to contain.
Testing procedure: Inspect the UEBA tooling and sample alerts. Verify automated response fires on high-risk sign-ins.
Evidence to collect: UEBA tool configuration; sample anomaly alerts; automated response policy (token revocation, MFA challenge).
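To see what "high-risk sign-in" and "auto-response" mean in practice, the following is an added example, not code from the page or from any UEBA product: it scores a stream of sign-ins per user against that user's own history, flagging impossible travel (implied speed above a commercial-flight ceiling) as high risk and a first sign-in from a new country as medium, and attaches the response actions the policy prescribes for each level. The sign-ins, the speed ceiling and the response table are constructed assumptions.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900     # assumption: roughly airliner speed, so anything faster is not one person

# Actions per risk level (constructed response policy, an assumption).
RESPONSE = {
    "high":   ["revoke_refresh_tokens", "require_mfa_reauth", "notify_soc"],
    "medium": ["require_mfa_reauth"],
    "low":    [],
}

# Constructed sign-in events (an assumption), unordered on purpose.
SIGNINS = [
    {"user": "j.doe",   "ts": "2024-03-22T08:00:00Z", "country": "GB", "lat": 51.5074, "lon": -0.1278},
    {"user": "a.smith", "ts": "2024-03-22T08:05:00Z", "country": "GB", "lat": 51.5074, "lon": -0.1278},
    {"user": "a.smith", "ts": "2024-03-22T18:00:00Z", "country": "FR", "lat": 48.8566, "lon": 2.3522},
    {"user": "j.doe",   "ts": "2024-03-22T09:30:00Z", "country": "SG", "lat": 1.3521,  "lon": 103.8198},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points on the Earth's surface."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def assess_signins(events=SIGNINS, max_kmh=MAX_PLAUSIBLE_KMH, response=RESPONSE):
    """Score each sign-in against the user's previous sign-ins, in time order."""
    history = {}          # user -> (previous event, countries seen so far)
    out = []
    for e in sorted(events, key=lambda x: parse_ts(x["ts"])):
        prev, countries = history.get(e["user"], (None, set()))
        reasons = []
        if prev is not None:
            hours = (parse_ts(e["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > max_kmh:
                reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
            if e["country"] not in countries:
                reasons.append(f"first sign-in from {e['country']}")
        if any(r.startswith("impossible travel") for r in reasons):
            level = "high"
        elif reasons:
            level = "medium"
        else:
            level = "low"
        out.append({"user": e["user"], "ts": e["ts"], "risk": level,
                    "reasons": reasons, "actions": response[level]})
        countries.add(e["country"])
        history[e["user"]] = (e, countries)
    return out


if __name__ == "__main__":
    for r in assess_signins():
        print(r)
```

The first sign-in for each user establishes the baseline and is scored low, which is also the weakness of purely behavioural detection: an attacker present from day one is inside the baseline, so UEBA complements rather than replaces the signature rules.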
- Do you have a written incident response plan with playbooks for common scenarios? (Medium)
How to test + evidence
Risk: Generic plans rarely survive specific scenarios. Scenario playbooks force the right decisions to be made in advance.
Testing procedure: Inspect the IR plan and scenario playbooks. Verify the after-action report from the last tabletop.
Evidence to collect: IR plan with version and approval; scenario playbooks; latest tabletop after-action report.
- When did you last run a tabletop exercise involving the executive team? (Medium)
How to test + evidence
Risk: Tabletops surface decision-making gaps that no document review can. The executive team needs to make the hard calls before a live event.
Testing procedure: Inspect the after-action report and executive attendance.
Evidence to collect: Tabletop attendance list; scenario brief; action tracker.
- Do you have an IR retainer or breach coach pre-agreed? (Medium)
How to test + evidence
Risk: IR firms saturate during major events. A retainer guarantees response.
Testing procedure: Inspect the retainer contract. Confirm 24/7 contact details and the date of the last test call.
Evidence to collect: Retainer contract; escalation runbook; test call log.
- Is there a clear communications plan for incidents (internal, customer, regulator, media)? (Medium)
How to test + evidence
Risk: Communications drive press perception and legal exposure. Drafting under pressure produces the wrong words.
Testing procedure: Inspect the communications plan and the templates for each audience.
Evidence to collect: Communications plan with approval flow; templates per audience; regulator notification timelines.
- Are backups isolated, immutable, and tested? (Medium)
How to test + evidence
Risk: Immutable, isolated copies survive the backup deletion that ransomware operators perform before encrypting. An untested backup is faith, not a control.
Testing procedure: Inspect the backup architecture and the latest restore test report.
Evidence to collect: Backup architecture diagram; immutability configuration; restore test report.
- Are RTO and RPO defined for critical systems and validated? (Medium)
How to test + evidence
Risk: A tested RTO is what you can commit to. An untested one is wishful thinking.
Testing procedure: Inspect the business impact analysis (BIA) and the restore drill report.
Evidence to collect: BIA with RTO/RPO per system; restore drill report; plans updated where targets were missed.
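The backup control above and this RTO/RPO control are validated from the same three artefacts: the BIA targets, the backup configuration, and the restore drill timings. The following is an added example, not code from the page or from any backup product: it checks each critical system for immutability and isolation, whether the backup interval can even meet the RPO, and whether the measured restore time and snapshot age in the drill stayed within the targets. The BIA, configuration and drill records are constructed assumptions.

```python
from datetime import datetime

# Constructed BIA targets in hours (an assumption).
BIA = {
    "erp-db":     {"rto_h": 4,  "rpo_h": 1},
    "file-share": {"rto_h": 24, "rpo_h": 24},
    "crm":        {"rto_h": 8,  "rpo_h": 4},
}
# Constructed backup configuration (an assumption). schedule_h is the interval between backups.
BACKUP_CONFIG = {
    "erp-db":     {"immutable": True,  "isolated": True,  "retention_days": 30, "schedule_h": 1},
    "file-share": {"immutable": False, "isolated": False, "retention_days": 14, "schedule_h": 24},
    "crm":        {"immutable": True,  "isolated": True,  "retention_days": 7,  "schedule_h": 6},
}
# Constructed restore drill records (an assumption); crm was not drilled in the period.
DRILLS = {
    "erp-db": {"snapshot": "2024-03-15T23:00:00", "restore_start": "2024-03-16T00:00:00",
               "restore_end": "2024-03-16T03:30:00", "integrity_check": "pass"},
    "file-share": {"snapshot": "2024-03-16T20:00:00", "restore_start": "2024-03-16T21:00:00",
                   "restore_end": "2024-03-18T03:00:00", "integrity_check": "pass"},
}


def hours_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def evaluate_system(name, bia=BIA, config=BACKUP_CONFIG, drills=DRILLS):
    """Findings for one system; an empty list means the control is evidenced."""
    target, cfg, drill = bia[name], config[name], drills.get(name)
    findings = []
    if not cfg["immutable"]:
        findings.append("backups are not immutable")
    if not cfg["isolated"]:
        findings.append("backups are not isolated")
    if cfg["schedule_h"] > target["rpo_h"]:
        # No drill can rescue this: the data loss window is set by the schedule.
        findings.append(f"backup interval {cfg['schedule_h']}h exceeds RPO {target['rpo_h']}h")
    if drill is None:
        findings.append("no restore drill on record")
    else:
        # Measured restore duration is a lower bound on RTO: a real incident adds
        # detection and decision time before anyone starts the restore.
        restore_h = hours_between(drill["restore_start"], drill["restore_end"])
        age_h = hours_between(drill["snapshot"], drill["restore_start"])
        if restore_h > target["rto_h"]:
            findings.append(f"restore took {restore_h:.1f}h, RTO target {target['rto_h']}h")
        if age_h > target["rpo_h"]:
            findings.append(f"restored snapshot was {age_h:.1f}h old, RPO target {target['rpo_h']}h")
        if drill["integrity_check"] != "pass":
            findings.append("restore integrity check failed")
    return {"system": name, "pass": not findings, "findings": findings}


def evaluate_all(bia=BIA, config=BACKUP_CONFIG, drills=DRILLS):
    return {name: evaluate_system(name, bia, config, drills) for name in bia}


if __name__ == "__main__":
    for result in evaluate_all().values():
        print(result)
```

The interval-versus-RPO check is the one most often missing from drill reports: a system backed up every six hours cannot meet a four-hour RPO however fast the restore is, so the "plans updated where targets were missed" evidence should show either the schedule or the BIA target changing.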
- Is there a written disaster recovery / business continuity plan? (Medium)
How to test + evidence
Risk: An annual exercise validates the plan. Documented but unexercised plans fall apart on contact with reality.
Testing procedure: Inspect the BCP/DR plan and the report from the last exercise.
Evidence to collect: BCP/DR plan with version; last exercise report; lessons learned actioned.
- Are post-incident lessons-learned captured and acted on? (Medium)
How to test + evidence
Risk: Lessons that are closed and reflected in updated controls turn each incident into improvement. Without action closure you fix the same issue six times.
Testing procedure: Inspect the post-mortem template, completed examples and the action tracker.
Evidence to collect: Post-mortem template; sample post-mortems; action tracker with closure status.