Free audit program · v1.0.0

Ransomware Readiness Assessment

How prepared is your organisation for the #1 cyber threat to businesses?

  • Target area: Ransomware Readiness Assessment
  • Type: framework
  • 20 controls in this program
  • Author: Cyentrix (Trusted Author)

About this program

This 20-question check covers the controls, processes and habits that make the difference between a contained ransomware incident and a business-shutting one. After each answer, expand the “Auditor’s view” for how to test the control, what evidence to collect, and the ideal response.

Controls (20)

  1. Is multi-factor authentication enforced on all email, VPN, admin and remote access accounts?

    Medium

    How to test + evidence

    Risk: Stolen credentials drive most ransomware. MFA everywhere — including service accounts and break-glass — is the single highest-impact control.

    Testing procedure: Inspect IDP conditional access. Sample 10 admin + 10 user logins from the audit log; verify MFA challenge for each. Check legacy auth is blocked.

    Evidence to collect:
      • CA policies covering email, VPN, admin, remote access
      • Sample login records showing MFA
      • Configuration showing legacy auth blocked
      • Service account inventory + protection mechanism
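    An added example of the login-sample check described above (not part of the Cyentrix program): it walks a sample of sign-in records as pulled from the IdP audit log, reports successful sign-ins with no MFA challenge, and flags any legacy-client sign-in that succeeded, since the control expects legacy auth to be blocked outright. The record fields (`client`, `mfa`, `result`) and the sample data are constructed simplifications, not any vendor's log schema.

```python
"""Added audit helper for control 1 (not part of the Cyentrix program).
Record schema and sample data are constructed, not a vendor log format."""

# Constructed sample: a mix of admin, user and service-account sign-ins.
SAMPLE_SIGNINS = [
    {"user": "admin1", "role": "admin", "app": "VPN", "client": "modern", "mfa": True, "result": "success"},
    {"user": "admin2", "role": "admin", "app": "Admin portal", "client": "modern", "mfa": False, "result": "success"},
    {"user": "user1", "role": "user", "app": "Email", "client": "modern", "mfa": True, "result": "success"},
    {"user": "user2", "role": "user", "app": "Email", "client": "legacy", "mfa": False, "result": "success"},
    {"user": "user3", "role": "user", "app": "Email", "client": "legacy", "mfa": False, "result": "blocked"},
    {"user": "svc-backup", "role": "service", "app": "VPN", "client": "modern", "mfa": False, "result": "success"},
]


def audit_mfa_sample(records):
    """Return one finding per successful sign-in that violates the control."""
    findings = []
    for r in records:
        if r["result"] != "success":
            continue  # a blocked legacy attempt is the control working, not a finding
        if r["client"] == "legacy":
            findings.append({"user": r["user"], "app": r["app"],
                             "issue": "legacy authentication succeeded (should be blocked)"})
        elif not r["mfa"]:
            findings.append({"user": r["user"], "app": r["app"],
                             "issue": "sign-in succeeded without MFA challenge"})
    return findings


def mfa_coverage(records):
    """Fraction of successful sign-ins in the sample that carried an MFA challenge."""
    successes = [r for r in records if r["result"] == "success"]
    if not successes:
        return 0.0
    return sum(1 for r in successes if r["mfa"]) / len(successes)


def legacy_auth_blocked(records):
    """True only if no legacy-client sign-in in the sample succeeded."""
    return not any(r["client"] == "legacy" and r["result"] == "success" for r in records)


if __name__ == "__main__":
    for f in audit_mfa_sample(SAMPLE_SIGNINS):
        print(f"{f['user']:12} {f['app']:13} {f['issue']}")
    print(f"MFA coverage of sampled successes: {mfa_coverage(SAMPLE_SIGNINS):.0%}")
    print("legacy auth blocked:", legacy_auth_blocked(SAMPLE_SIGNINS))
```

    Service accounts show up in the same sample as human logins, which is why the `svc-backup` record is flagged: the control's risk text counts them in "MFA everywhere", so a service account with no challenge and no compensating protection is a finding, not an exception.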

  2. How quickly do you patch internet-facing systems (firewalls, VPNs, web servers, email servers)?

    Medium

    How to test + evidence

    Risk: Internet-facing systems are the most common ransomware initial access vector. KEV-listed vulns require 7-day SLA.

    Testing procedure: Pull the inventory of internet-facing systems. Cross-reference against CISA KEV catalogue for any known-exploited vulns. Sample 10 critical CVEs from the period and confirm patch SLA met.

    Evidence to collect:
      • Inventory of internet-facing systems
      • Vulnerability scanner reports
      • KEV monitoring + alerting
      • Patch deployment records meeting SLA
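    An added example of the KEV cross-reference (not the program's own code): it joins an inventory of internet-facing systems against a KEV-style list and checks each known-exploited finding against the 7-day SLA the control states, reporting open-and-overdue, patched-late and patched-within-SLA separately. The CVE ids are placeholders and all data is constructed; a real run would load the CISA KEV JSON feed and the scanner export in place of the inline lists, and the `cveID`/`dateAdded` field names are an assumption about that feed's shape.

```python
"""Added audit helper for control 2 (not part of the Cyentrix program).
CVE ids are placeholders; inventory, KEV entries and dates are constructed."""
from datetime import date, timedelta

KEV_SLA_DAYS = 7  # the SLA the program states for KEV-listed vulns

# Constructed KEV-style entries (field names assumed to mirror the KEV feed).
KEV = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-03-01"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-03-10"},
]

# Constructed inventory: findings map CVE -> patch date, or None if still open.
INVENTORY = [
    {"host": "vpn-01", "exposure": "internet", "findings": {"CVE-0000-0001": "2024-03-05"}},
    {"host": "mail-01", "exposure": "internet", "findings": {"CVE-0000-0002": None}},
    {"host": "web-01", "exposure": "internet", "findings": {"CVE-0000-0001": "2024-03-12"}},
    {"host": "intranet-01", "exposure": "internal", "findings": {"CVE-0000-0002": None}},
]


def kev_sla_report(inventory, kev, as_of, sla_days=KEV_SLA_DAYS):
    """One row per (internet-facing host, KEV-listed CVE) with its SLA status."""
    kev_added = {e["cveID"]: date.fromisoformat(e["dateAdded"]) for e in kev}
    rows = []
    for system in inventory:
        if system["exposure"] != "internet":
            continue  # internal hosts are out of scope for this control
        for cve, patched in system["findings"].items():
            if cve not in kev_added:
                continue  # not known-exploited: normal patch cadence applies
            deadline = kev_added[cve] + timedelta(days=sla_days)
            if patched is None:
                status = "open, overdue" if as_of > deadline else "open, within SLA"
            else:
                status = ("patched within SLA" if date.fromisoformat(patched) <= deadline
                          else "patched late")
            rows.append({"host": system["host"], "cve": cve,
                         "deadline": deadline.isoformat(), "status": status})
    return rows


def sla_met_fraction(rows):
    """Share of KEV findings closed inside the SLA (1.0 when there are none)."""
    if not rows:
        return 1.0
    return sum(r["status"] == "patched within SLA" for r in rows) / len(rows)


if __name__ == "__main__":
    today = date(2024, 3, 20)  # constructed audit date
    for r in kev_sla_report(INVENTORY, KEV, today):
        print(f"{r['host']:12} {r['cve']:14} due {r['deadline']}  {r['status']}")
    print(f"KEV SLA met: {sla_met_fraction(kev_sla_report(INVENTORY, KEV, today)):.0%}")
```

    The deadline is computed from the catalogue's add date rather than from when the scanner first saw the finding, because the control's SLA clock starts when the vulnerability becomes known-exploited, not when the organisation happens to notice it.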

  3. Do you run an EDR / next-gen AV on every endpoint and server (CrowdStrike, SentinelOne, Defender for Endpoint, etc.)?

    Medium

    How to test + evidence

    Risk: EDR detects ransomware operator behaviours (Cobalt Strike, lateral movement, mass file rename) that AV misses. 24/7 review collapses dwell time.

    Testing procedure: Pull the EDR coverage report. Verify it matches the asset inventory (no gaps). Sample alerts from the period and confirm investigation timestamps.

    Evidence to collect:
      • EDR coverage report (% of endpoints + servers)
      • Sample alerts triaged with timestamps
      • 24/7 SOC roster or MDR contract
      • Auto-isolation policy for high-severity alerts
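    An added example of the coverage reconciliation (not part of the program): it compares the asset inventory with an EDR console export and reports hosts with no sensor, hosts whose sensor has stopped checking in (installed but silent, which a raw "% installed" figure hides), sensors for hosts the inventory does not know about, and coverage per asset class. The export fields and all hosts are constructed; the 7-day staleness cut-off is an assumption, not a figure from the page.

```python
"""Added audit helper for control 3 (not part of the Cyentrix program).
Inventory, sensor export and dates are constructed."""
from datetime import date

# Constructed asset inventory.
INVENTORY = [
    {"host": "ws-01", "class": "endpoint"},
    {"host": "ws-02", "class": "endpoint"},
    {"host": "srv-db-01", "class": "server"},
    {"host": "srv-file-01", "class": "server"},
    {"host": "srv-legacy-01", "class": "server"},   # no sensor at all
]

# Constructed EDR console export: one row per sensor with its last check-in.
EDR_SENSORS = [
    {"host": "ws-01", "last_seen": "2024-03-19"},
    {"host": "ws-02", "last_seen": "2024-03-01"},           # installed but silent for weeks
    {"host": "srv-db-01", "last_seen": "2024-03-20"},
    {"host": "srv-file-01", "last_seen": "2024-03-20"},
    {"host": "old-host-retired", "last_seen": "2024-03-20"},  # not in the inventory
]


def edr_coverage_report(inventory, sensors, as_of, stale_days=7):
    """Reconcile inventory against sensors; a stale sensor does not count as covered."""
    seen = {s["host"]: date.fromisoformat(s["last_seen"]) for s in sensors}
    report = {"missing": [], "stale": [], "unknown_sensors": [], "coverage_by_class": {}}
    counts = {}  # class -> [total, healthy]
    for asset in inventory:
        total_healthy = counts.setdefault(asset["class"], [0, 0])
        total_healthy[0] += 1
        host = asset["host"]
        if host not in seen:
            report["missing"].append(host)
        elif (as_of - seen[host]).days > stale_days:
            report["stale"].append(host)
        else:
            total_healthy[1] += 1
    known = {a["host"] for a in inventory}
    report["unknown_sensors"] = sorted(h for h in seen if h not in known)
    report["coverage_by_class"] = {c: round(h / t, 3) for c, (t, h) in counts.items()}
    return report


if __name__ == "__main__":
    rep = edr_coverage_report(INVENTORY, EDR_SENSORS, date(2024, 3, 20))
    for key, value in rep.items():
        print(f"{key:18} {value}")
```

    Hosts in `unknown_sensors` deserve a second look rather than a shrug: either the inventory is incomplete (a gap in control 18 as much as this one) or a retired machine still has live credentials to the EDR tenant.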

  4. How does your organisation defend against phishing — the most common ransomware entry point?

    Medium

    How to test + evidence

    Risk: Most ransomware operators get in through email. Stack + training together reduces successful phishing by an order of magnitude.

    Testing procedure: Inspect email security tooling, DMARC config, training cadence, and simulated phishing reports. See the Phishing Vulnerability assessment for detailed checks.

    Evidence to collect:
      • Email security gateway config
      • DMARC policy at p=reject
      • Simulated phishing report with click + report rates
      • Training completion + role-based content
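    An added example for the DMARC part of this check (not the program's own code): a small parser for the `_dmarc` TXT record and an assessment against the evidence item "DMARC policy at p=reject". Beyond the bare policy tag it flags a `pct` below 100 (the policy only applies to a sample of mail), an explicit weaker subdomain policy, and a missing `rua` reporting address, since without aggregate reports nobody sees what the policy is doing. The tag defaults (`pct` 100, `sp` inheriting `p`) follow the DMARC specification; the sample records are constructed.

```python
"""Added DMARC record assessment for control 4 (not part of the Cyentrix program).
Sample records are constructed; the example domain is a placeholder."""


def parse_dmarc(txt):
    """Split a DMARC TXT record into tag -> value; reject non-DMARC records."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags


def assess_dmarc(txt):
    """Return the list of gaps against the program's p=reject expectation."""
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "none")  # p is mandatory; treat a missing tag as no enforcement
    if policy != "reject":
        findings.append(f"policy is p={policy}; program expects p=reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    sp = tags.get("sp")  # absent sp inherits p, which is already assessed above
    if sp is not None and sp != "reject":
        findings.append(f"subdomain policy sp={sp} is weaker than reject")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings


if __name__ == "__main__":
    samples = {
        "good": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",
        "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
        "partial": "v=DMARC1; p=quarantine; pct=10",
    }
    for name, record in samples.items():
        print(name, assess_dmarc(record) or ["OK"])
```

    In a real audit the record comes from a DNS query for `_dmarc.<domain>`; it is kept inline here so the check runs offline. A `p=reject` record with `pct=10` is the case worth remembering: it reads as enforced in a screenshot but enforces on one message in ten.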

  5. Do regular users have local admin rights on their workstations?

    Medium

    How to test + evidence

    Risk: Local admin enables ransomware to disable EDR, delete shadow copies, and spread laterally. Removing it adds significant friction to the attack chain.

    Testing procedure: Pull the local-admin membership across endpoints. Verify regular users are not local admins. Check JIT elevation tooling logs for sample elevations.

    Evidence to collect:
      • Local admin membership audit (per endpoint)
      • JIT elevation tooling logs
      • Approved exception list with justification + review date
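    An added example of the membership audit (not part of the program): given a per-endpoint export of the local Administrators group, a baseline of accounts expected everywhere, and the approved exception list with review dates, it reports members that are neither baseline nor approved, and approved exceptions whose review date has passed. Hosts, accounts and dates are constructed; the `CORP\` domain is a placeholder.

```python
"""Added local-admin audit for control 5 (not part of the Cyentrix program).
Membership export, baseline and exception list are constructed."""
from datetime import date

# Constructed per-endpoint export of the local Administrators group.
LOCAL_ADMINS = {
    "ws-01": ["Administrator", r"CORP\laps-admin", r"CORP\jsmith"],
    "ws-02": ["Administrator", r"CORP\laps-admin"],
    "ws-03": ["Administrator", r"CORP\laps-admin", r"CORP\dev-anna", r"CORP\Domain Users"],
}

# Accounts expected to hold local admin on every endpoint.
BASELINE = {"Administrator", r"CORP\laps-admin"}

# Approved exceptions: (endpoint, account) -> justification and next review date.
EXCEPTIONS = {
    ("ws-03", r"CORP\dev-anna"): {"justification": "local build toolchain", "review_date": "2024-01-31"},
}


def audit_local_admins(membership, baseline, exceptions, as_of):
    """Flag unapproved local admins and exceptions past their review date."""
    findings = []
    for host, members in sorted(membership.items()):
        for member in members:
            if member in baseline:
                continue
            exception = exceptions.get((host, member))
            if exception is None:
                findings.append({"host": host, "account": member,
                                 "issue": "local admin with no approved exception"})
            elif date.fromisoformat(exception["review_date"]) < as_of:
                findings.append({"host": host, "account": member,
                                 "issue": f"exception review overdue since {exception['review_date']}"})
    return findings


def hosts_with_findings(findings):
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in audit_local_admins(LOCAL_ADMINS, BASELINE, EXCEPTIONS, date(2024, 3, 20)):
        print(f"{f['host']:6} {f['account']:20} {f['issue']}")
```

    A group such as `Domain Users` in the Administrators group is the finding to escalate first: it grants every account in the domain local admin on that host, which is exactly the condition the risk text describes.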

  6. Are logs from endpoints, servers, identity provider and firewalls centralised in a SIEM or log platform?

    Medium

    How to test + evidence

    Risk: Tuned detection content turns logs into actionable signal. Default rules miss the specific TTPs used by active ransomware groups.

    Testing procedure: Inspect SIEM coverage matrix. Verify detection content tuned for known ransomware TTPs (Cobalt Strike, PsExec abuse, suspicious PowerShell, mass file rename).

    Evidence to collect:
      • SIEM coverage matrix (which systems forward what)
      • Detection rule list with last-tuned date
      • MITRE ATT&CK coverage map
      • Sample alerts triaged with disposition

  7. Do you act on threat intelligence about active ransomware groups (TTPs, IOCs, exposed credentials)?

    Medium

    How to test + evidence

    Risk: Active ransomware groups telegraph their TTPs. Automated ingest closes the gap from intel to detection.

    Testing procedure: Inspect threat-intel sources + the workflow that converts intel to detection content / patch priority. Sample 3 specific intel items and trace to action.

    Evidence to collect:
      • Threat intel feeds list + ingest method
      • Sample detection rules sourced from intel
      • Patch prioritisation linked to active campaigns
      • Briefings to leadership on relevant TTPs

  8. When did you last scan your external attack surface (exposed ports, RDP, services, leaked credentials)?

    Medium

    How to test + evidence

    Risk: Continuous ASM catches exposed services hours after they appear. Quarterly scans miss the window most ransomware operators exploit.

    Testing procedure: Inspect external attack surface management (ASM) tooling output. Sample findings and verify remediation timelines.

    Evidence to collect:
      • ASM tool output (Censys, Shodan, RiskIQ, etc.)
      • Findings register with severity + status
      • Sample remediation tickets
      • Credential leak monitoring service output

  9. Do you have detections for the early stages of ransomware (Cobalt Strike, PsExec, abuse of legitimate tools, suspicious PowerShell)?

    Medium

    How to test + evidence

    Risk: Most ransomware spends days inside the network before encryption. Detection of the early stages is the difference between blocked and business-ending.

    Testing procedure: Inspect detection coverage map against MITRE ATT&CK techniques used by ransomware operators. Sample threat-hunting exercises in the period.

    Evidence to collect:
      • Detection content mapped to MITRE ATT&CK
      • Threat-hunt reports with hypothesis + outcome
      • Sample detections that fired in the period
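    An added detection example serving both control 6 (tuned SIEM content for "mass file rename") and control 9 (detections that fire before encryption); it is not code from the program. It runs a mass-rename rule over constructed file-event log lines: a process that renames at least `threshold` files inside a sliding time window fires one alert, and the alert carries the dominant new extension, because encryptors usually append one. The line format is a constructed simplification, not any EDR or SIEM schema, and the threshold and window are assumptions to tune against real baseline data.

```python
"""Added mass-file-rename detection for controls 6 and 9 (not part of the Cyentrix program).
Log line format, hosts, paths and timings are constructed."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=rename src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def build_sample_lines():
    """Constructed log: three benign renames plus a 25-file burst to '.locked'."""
    base = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)

    def stamp(t):
        return t.isoformat().replace("+00:00", "Z")

    lines = [
        f"{stamp(base + timedelta(minutes=i))} host=ws01 pid=1200 proc=explorer.exe "
        f"op=rename src=/home/a/draft{i}.txt dst=/home/a/final{i}.txt"
        for i in range(3)
    ]
    lines += [
        f"{stamp(base + timedelta(seconds=i))} host=ws01 pid=4242 proc=updater.exe "
        f"op=rename src=/srv/share/doc{i}.docx dst=/srv/share/doc{i}.docx.locked"
        for i in range(25)
    ]
    return lines


def parse_events(lines):
    """Parse lines into (ts, host, pid, proc, dst) tuples, time-ordered; skip junk lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["host"], m["pid"], m["proc"], m["dst"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_mass_rename(lines, threshold=20, window_seconds=60):
    """One alert per (host, pid, proc) that renames >= threshold files within the window."""
    windows = defaultdict(deque)  # key -> recent (ts, new_extension)
    alerts, alerted = [], set()
    for ts, host, pid, proc, dst in parse_events(lines):
        key = (host, pid, proc)
        q = windows[key]
        q.append((ts, dst.rsplit(".", 1)[-1] if "." in dst else ""))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop renames that fell out of the window
        if len(q) >= threshold and key not in alerted:
            ext, _ = Counter(e for _, e in q).most_common(1)[0]
            alerts.append({"host": host, "pid": pid, "proc": proc,
                           "first_seen": q[0][0].isoformat(),
                           "renames_in_window": len(q), "dominant_new_ext": ext})
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(build_sample_lines()):
        print(a)
```

    The alert is raised at the 20th rename rather than after the burst ends, which is the property that matters for control 9: an auto-isolation policy (control 3) acting on this alert stops the process with most of the share still intact. Backup agents and bulk document migrations will trip the same rule, so the tuning evidence the control asks for is the allow-list of such processes and the rationale for each.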

  10. Do you have a written ransomware-specific incident response plan?

    Medium

    How to test + evidence

    Risk: Ransomware decisions need pre-thought. Trying to decide whether to pay during the active incident under press attention guarantees a bad answer.

    Testing procedure: Inspect the ransomware-specific playbook. Verify pre-decisions on isolation, ransom payment authority, communications. Confirm last tabletop after-action report.

    Evidence to collect:
      • Ransomware playbook with version + owner
      • Decision authority matrix (isolation, payment, comms)
      • Latest tabletop after-action report
      • Action tracker with completion status

  11. Are out-of-band communications (e.g. Signal, separate phones) pre-arranged in case email and chat are encrypted?

    Medium

    How to test + evidence

    Risk: Email is encrypted in many ransomware events. Pre-arranged OOB is the difference between coordinated response and chaos.

    Testing procedure: Inspect the OOB comms setup (Signal group, alt phones, separate cloud mail). Verify roster is current.

    Evidence to collect:
      • Out-of-band channel screenshot or membership
      • Responder roster with up-to-date contacts
      • Tabletop minutes showing OOB used

  12. Do you have a retainer or pre-agreed contract with an incident response firm?

    Medium

    How to test + evidence

    Risk: IR firms are saturated during major incidents. A retainer guarantees response; cold-calling at 2am does not.

    Testing procedure: Inspect retainer contract + tested escalation. Confirm 24/7 number + named partner contact.

    Evidence to collect:
      • IR retainer contract (current)
      • Escalation runbook with phone numbers
      • Test call log showing tested escalation

  13. Do you carry cyber insurance with ransomware coverage?

    Medium

    How to test + evidence

    Risk: Insurance won't prevent ransomware but funds response. Coverage gaps + missed required controls void payouts when you need them most.

    Testing procedure: Inspect cyber insurance policy + most recent renewal. Verify ransomware coverage, sub-limits, exclusions, and required controls (e.g. MFA on remote access).

    Evidence to collect:
      • Insurance policy schedule with ransomware coverage
      • Sub-limits per category
      • Insurer questionnaire + your responses
      • Required controls per insurer documented as met

  14. Have you pre-identified legal counsel and PR support for a ransomware incident (notification obligations, regulator engagement, customer comms)?

    Medium

    How to test + evidence

    Risk: Specialist breach counsel + PR makes communications defensible and stops legal/regulatory damage compounding the technical incident.

    Testing procedure: Inspect engagement agreements with breach counsel + PR firm. Verify they are current and contact details accessible OOB.

    Evidence to collect:
      • Breach counsel engagement letter
      • PR firm contract / preferred-vendor agreement
      • Contact details stored in OOB channel
      • Tabletop showing legal + PR engaged

  15. Are backups isolated from the production network (offline / immutable / separate cloud account)?

    Medium

    How to test + evidence

    Risk: Ransomware operators specifically hunt and destroy backups. Immutable + air-gapped means they can't.

    Testing procedure: Inspect backup architecture. Verify immutability (object lock or equivalent), separation from production credentials, and physical/logical air-gap where applicable.

    Evidence to collect:
      • Backup architecture diagram
      • Configuration showing immutability flag
      • Separate cloud account / credential boundary
      • Last attempt by an attacker to delete backups (red team or tabletop)

  16. When did you last test a full restore from backup (not just a file)?

    Medium

    How to test + evidence

    Risk: A backup that has never been restored is faith, not a control. Quarterly tests catch tooling regressions before a real incident.

    Testing procedure: Inspect restore test reports. Verify scope (full system, not just a file), date, success rate, and time-to-restore against RTO.

    Evidence to collect:
      • Last 4 restore test reports
      • RTO commitments per critical system
      • Actual time-to-restore vs RTO
      • Lessons learned + plan updates

  17. Do you know your recovery time objective (RTO) for critical systems and have you validated you can meet it?

    Medium

    How to test + evidence

    Risk: RTO without testing is wishful thinking. Auditors specifically ask for proof you can hit it.

    Testing procedure: Inspect business impact analysis for RTO/RPO commitments. Verify the most recent test demonstrated meeting them.

    Evidence to collect:
      • BIA with RTO/RPO per critical system
      • Test report meeting / missing RTO
      • Updated plans where RTO was missed
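    An added example serving controls 16 and 17 together (not the program's own code): it takes the BIA's RTO commitment per critical system and the restore test reports, keeps only full-system tests (a single-file restore does not satisfy control 16), and compares the latest test's actual time-to-restore with the RTO, distinguishing "met", "missed", "failed" and "never tested". Systems, RTOs and test reports are constructed.

```python
"""Added restore-test vs RTO evaluation for controls 16 and 17 (not part of the Cyentrix program).
RTO commitments and restore test reports are constructed."""
from datetime import datetime

# Constructed BIA commitments: recovery time objective in hours per critical system.
RTO_HOURS = {"erp": 8, "file-server": 4, "crm": 12, "hr-portal": 24}

# Constructed restore test reports (ISO timestamps, no timezone).
RESTORE_TESTS = [
    {"system": "erp", "scope": "full-system",
     "started": "2024-02-10T08:00", "finished": "2024-02-10T15:30", "success": True},
    {"system": "file-server", "scope": "single-file",
     "started": "2024-03-01T09:00", "finished": "2024-03-01T09:05", "success": True},
    {"system": "file-server", "scope": "full-system",
     "started": "2024-01-20T08:00", "finished": "2024-01-20T11:00", "success": False},
    {"system": "crm", "scope": "full-system",
     "started": "2024-02-24T06:00", "finished": "2024-02-24T20:00", "success": True},
]


def evaluate_restore_tests(rto_hours, tests):
    """Per system: status of the latest full-system restore test against its RTO."""
    results = {}
    for system, rto in rto_hours.items():
        full = [t for t in tests if t["system"] == system and t["scope"] == "full-system"]
        if not full:
            results[system] = {"status": "no full restore test", "rto_hours": rto,
                               "actual_hours": None, "tested_on": None}
            continue
        latest = max(full, key=lambda t: t["finished"])
        elapsed = datetime.fromisoformat(latest["finished"]) - datetime.fromisoformat(latest["started"])
        hours = elapsed.total_seconds() / 3600
        if not latest["success"]:
            status = "restore failed"
        elif hours <= rto:
            status = "RTO met"
        else:
            status = "RTO missed"
        results[system] = {"status": status, "rto_hours": rto,
                           "actual_hours": round(hours, 2), "tested_on": latest["finished"][:10]}
    return results


def systems_needing_action(results):
    """Systems whose latest evidence does not demonstrate the RTO."""
    return sorted(s for s, r in results.items() if r["status"] != "RTO met")


if __name__ == "__main__":
    res = evaluate_restore_tests(RTO_HOURS, RESTORE_TESTS)
    for system, r in res.items():
        print(f"{system:12} RTO {r['rto_hours']:>3}h  actual {r['actual_hours']}  {r['status']}")
    print("needs action:", systems_needing_action(res))
```

    Only the most recent full-system test counts, so a system that met its RTO a year ago and failed last quarter is reported as failed; that is the "lessons learned + plan updates" evidence the control is looking for.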

  18. Do you know what your most critical data and systems are, so you can prioritise restoration?

    Medium

    How to test + evidence

    Risk: Without a priority list, recovery wastes resources on the wrong things. The list must be made before the incident.

    Testing procedure: Inspect the asset register + criticality scoring. Verify dependencies are mapped (App A needs DB B needs Network C).

    Evidence to collect:
      • Asset register with criticality
      • Dependency map for top-10 systems
      • Restoration sequence document
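    An added example of turning the asset register and dependency map into the restoration sequence document (not part of the program): a topological ordering of the "App A needs DB B needs Network C" graph, with criticality breaking ties so the most important system is restored as soon as everything it depends on is up. It also rejects a register that references an unregistered system or contains a dependency cycle, both of which an auditor would want surfaced. The assets and scores are constructed.

```python
"""Added restoration-sequence builder for control 18 (not part of the Cyentrix program).
Asset register, criticality scores and dependencies are constructed."""
import heapq
from collections import defaultdict

# Constructed asset register: criticality 1 = most critical; depends_on lists prerequisites.
ASSETS = {
    "network-core": {"criticality": 1, "depends_on": []},
    "identity":     {"criticality": 1, "depends_on": ["network-core"]},
    "db-b":         {"criticality": 2, "depends_on": ["network-core"]},
    "app-a":        {"criticality": 1, "depends_on": ["db-b", "identity"]},
    "reporting":    {"criticality": 3, "depends_on": ["db-b"]},
}


def restoration_sequence(assets):
    """Order systems so each is restored only after its dependencies, most critical first."""
    remaining = {name: set(a["depends_on"]) for name, a in assets.items()}
    dependents = defaultdict(list)
    for name, deps in remaining.items():
        for dep in deps:
            if dep not in assets:
                raise ValueError(f"{name} depends on unregistered system {dep}")
            dependents[dep].append(name)
    # Min-heap keyed on (criticality, name): lowest score (most critical) first.
    ready = [(assets[n]["criticality"], n) for n, deps in remaining.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for dependent in dependents[name]:
            remaining[dependent].discard(name)
            if not remaining[dependent]:
                heapq.heappush(ready, (assets[dependent]["criticality"], dependent))
    if len(order) != len(assets):
        stuck = sorted(n for n, deps in remaining.items() if deps)
        raise ValueError(f"circular dependency among {stuck}")
    return order


if __name__ == "__main__":
    for step, system in enumerate(restoration_sequence(ASSETS), 1):
        print(f"{step}. {system}")
```

    The sequence is only as good as the dependency map; a critical application whose database is missing from the register sorts to the front and then cannot actually start, which is why the unregistered-dependency check fails loudly rather than silently dropping the edge.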

  19. Is your network segmented so a compromise can be contained (admin tier, server tier, user tier, OT/IoT)?

    Medium

    How to test + evidence

    Risk: Flat networks let ransomware spread organisation-wide in hours. Segmentation buys containment time.

    Testing procedure: Inspect network architecture diagram + firewall rule sets. Test east-west blocking with sample traffic between tiers.

    Evidence to collect:
      • Network architecture diagram
      • Firewall rule sets between tiers
      • East-west traffic policy + test results
      • Microsegmentation policy if applicable
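    An added example of the east-west test (not the program's own code) that evaluates an exported tier-to-tier rule set against sample flows offline, rather than sending packets: each sample flow carries the outcome segmentation requires, and the check lists every flow where the rule set's verdict differs. The same flows are run against a constructed "flat" rule set to show what the failing result looks like. Tiers, ports and rules are constructed; first-match-wins with an implicit deny is an assumption about the firewall's semantics.

```python
"""Added tier segmentation check for control 19 (not part of the Cyentrix program).
Rule sets and sample flows are constructed; first match wins, implicit deny at the end."""

# Constructed segmented policy between tiers.
TIER_RULES = [
    {"src": "admin",  "dst": "server", "port": "any", "action": "allow"},
    {"src": "user",   "dst": "server", "port": 443,   "action": "allow"},
    {"src": "server", "dst": "server", "port": 1433,  "action": "allow"},
    {"src": "user",   "dst": "ot",     "port": "any", "action": "deny"},
]

# Constructed flat policy: everything is allowed, which the same checks should fail.
FLAT_RULES = [{"src": "any", "dst": "any", "port": "any", "action": "allow"}]

# Sample flows between tiers with the verdict segmentation requires for each.
TEST_FLOWS = [
    ("user", "user", 445, "deny"),      # SMB between workstations: the classic spread path
    ("user", "server", 3389, "deny"),   # RDP from the user tier into servers
    ("user", "server", 443, "allow"),   # business application access stays open
    ("admin", "server", 22, "allow"),   # admin tier manages servers
    ("server", "admin", 22, "deny"),    # servers must not reach back into the admin tier
    ("user", "ot", 502, "deny"),        # Modbus from the user tier into OT
]


def evaluate(rules, src, dst, port):
    """Verdict for one flow: first matching rule wins, otherwise implicit deny."""
    for r in rules:
        if r["src"] in (src, "any") and r["dst"] in (dst, "any") and r["port"] in (port, "any"):
            return r["action"]
    return "deny"


def segmentation_test(rules, flows):
    """Flows whose verdict differs from the required one: (src, dst, port, expected, actual)."""
    mismatches = []
    for src, dst, port, expected in flows:
        actual = evaluate(rules, src, dst, port)
        if actual != expected:
            mismatches.append((src, dst, port, expected, actual))
    return mismatches


if __name__ == "__main__":
    for label, rules in (("segmented", TIER_RULES), ("flat", FLAT_RULES)):
        bad = segmentation_test(rules, TEST_FLOWS)
        print(f"{label}: {'PASS' if not bad else 'FAIL'} {bad}")
```

    Evaluating the exported rule set is the desk-check half of the evidence; the "test results" the control lists still need a live probe between tiers, because a rule set that reads correctly can be bypassed by a route or a management interface that sits outside the firewall.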

  20. When did you last run a ransomware tabletop exercise with the executive team?

    Medium

    How to test + evidence

    Risk: Tabletops surface decision-making gaps that no document review can. The exec team needs to make the hard calls before the live event.

    Testing procedure: Inspect the most recent tabletop after-action report. Verify executive participation, realistic scenario, and tracked actions.

    Evidence to collect:
      • Tabletop after-action report
      • Attendance list including executives
      • Scenario brief used
      • Action tracker with completion status