Do you understand your regulatory, contractual, and stakeholder expectations regarding cybersecurity risk management?

Does your organization have mechanisms in place to set priorities, constraints, risk tolerance, and assumptions, and communicates them to support decisions?

Are you cybersecurity roles and responsibilities clearly defined and communicated?

Do you have documented cybersecurity policies and directives? Are they shared and enforced?

Do you have mechanisms in place to collect and measure results of your cybersecurity activities? Do you use the information to improve performance and adjust the risk management strategy?

Do you know where all your asset are? Are they sufficiently protected, based on their importance to your business objectives?

Do you understand the cybersecurity risks faced by your business? Is that also the case for where your business is heading?

Are you getting better at managing cybersecurity over time?

Need to improve account management (separation of duties, least privilege) or onboarding and off-boarding procedures?

Does your staff understand the risks facing your organization? Do they understand how to handle potential threats?

Do you have mechanisms in place to ensure your data’s confidentiality, integrity, and availability?

Are your assets (hardware, software, services) managed consistently? Do you track maintenance and management activities?

Are you monitoring your assets for anomalies, indicators of compromise, and threats?

Do you have the expertise and capabilities to benefit from threat intelligence to improve detection?

Are you prepared to respond to security incidents?

Need help understanding the root cause of incidents?

Have you established a communication plan involving internal and external stakeholders?

Does your team know how to recover and rebuild systems following a cybersecurity incident?

Do you know everyone that needs to be involved to restore your data, systems, and services?