Free Cyber Risk Review
Do you know your level of risk?
Understanding your risk exposure is vital to reducing the likelihood and impact of a damaging cyber attack.
We offer customers a FREE cyber risk review, designed to cover the full threat landscape and attack surface of their organisation. The starting point for effective cyber security is to review your risk profile and current security posture. Then, and only then, can you devise a suitable plan for improvements.
The FREE cyber security risk review is undertaken during a Microsoft Teams call and normally takes approximately 30 minutes to complete.
- Certified CISO (CCISO)
- Improved Risk Awareness
- Better Risk Evaluation
- Mitigation Recommendations
- Reduced Risk Exposure
- Stronger Business Resilience

Risk review scope
Our cyber security professionals will assess your risk status based upon their years of experience and security knowledge.
Is there a strong level of security governance established within the organisation?
Are senior leaders supportive of security objectives?
Is there a strategy, budget and delivery plan in place for security improvements?
Does the organisation possess security accreditations?
If not, why not?
What certifications exist (e.g. Cyber Essentials, ISO 27001)?
How has the organisation aligned compliance with GDPR and other legislation?
Is there a specific policy on HR security?
Is there a Starters, Movers and Leavers procedure?
Are referencing and criminal records checks undertaken?
Does HR define roles with IT so that least-privilege access can be applied?
Is there Cyber and Information Security Awareness Training in place for all staff?
Is there Data Protection Awareness Training in place for all staff?
Is this training available to new starters on induction?
Do staff have to complete annual refresher training?
Is there a formal risk management process in place?
Is this aligned to information assets?
Is there evidence of active risk management?
How are risks identified and evaluated?
Are senior leaders supporting risk management activities?
Are threats monitored?
If so, how are they monitored?
Is there perimeter threat monitoring?
Are threats monitored on the endpoints?
Is there a centralised approach to threat monitoring?
Are response plans in place?
Are there skilled and experienced resources available to evaluate threats and respond accordingly?
Is there a documented Incident Response Plan?
Is the Incident Manager identified and appropriately trained?
Are there supporting services in place to assist with incident handling?
Are incidents being reported and logged appropriately?
Is there a documented Access Control Policy?
How is access controlled?
What secure methods are adopted?
How is least privilege applied?
Is access based upon an RBAC model?
What is the level of adoption of enterprise cloud infrastructure?
How is this applied to core business systems?
Is there an internal network?
How is security managed in the cloud?
Who supports internal infrastructure?
How does the organisation assess where it may be vulnerable?
Are regular pen tests undertaken?
Are there automated tests being done on a regular basis?
What is the approach to patching?
Is there a SIEM in place?
Are all critical systems connected?
Is there a Security Operations Centre (SOC)?
If not, why not?
Is there a full set of policies and procedures that relate to security management and other regulatory compliance?
What’s missing and why?
Is the organisation GDPR compliant?
Is there a ROPA in place?
Has the organisation undertaken ISO 27701 certification?
How does the organisation align to the core data protection principles?
What is the use of email?
Which email provider is used?
Are inboxes managed (e.g. data retention)?
What security is applied to email access (e.g. MFA)?
Is there Phishing Training in place?
Is there access to email encryption technology?
Is Data Loss Prevention applied to emails?
Are devices centrally managed (e.g. via Intune)?
Are devices encrypted?
Are devices configured with 2FA for access?
Is there a BYOD policy?
Are back-ups centrally managed?
How often are critical data and system configurations backed up?
Is the Recovery Point Objective (RPO) for critical data known?
Is the Recovery Time Objective (RTO) for critical systems known?
Have there been recent tests of restoration from back-ups?
Are back-ups in the cloud?
Are back-ups encrypted?
Are there any security due-diligence checks on third-party suppliers?
Is there a supplier security policy?
What is the approach to supplier security in procurement scenarios?
How is the organisation prepared for containing incidents (e.g. a data breach)?
Are there forensic tools available to assess an incident and establish a root cause?
How is the organisation prepared for recovery? Are appropriate plans in place (e.g. Business Continuity and Disaster Recovery)?


Recommendations
We base our recommendations on your current risk status.
We will provide you with a detailed overview of what you need, together with recommendations for services and solutions.
Note – Our service is provided on a no-obligation basis, so feel free to obtain alternative proposals.
Current Incentives
We are offering discounts of 10% for all engagements under £1000 and 15% for all engagements over £1000.