Are people in the organization assigned to specific cyber security roles and responsibilities?

Is the status of the Information Security program reported to the Board of Directors on at least an annual basis?

Does the budgeting process include information security related expenses and tools?

Does the organization maintain an inventory of organizational assets? (e.g., hardware, software, data, and systems hosted internally)

Does the organization prioritize assets based on criticality or value to the business?

Is someone in the organization assigned accountability to maintain the inventory of organizational assets?

Does the organization have a formal change management process to request and approved changes to systems?

Has the organization ever conducted a risk assessment of its information technology?

Does the risk assessment identify high-risk assets that require additional security controls?

Is the risk assessment updated at least annually or when major changes occur?

Are all users required to complete annual security awareness training?

Does the annual information security training includes incident response, current cyber threats (e.g., phishing, spear phishing, social engineering, and mobile security), and emerging issues?

Do you conduct phishing testing of your users at least quarterly?

Does management hold employees accountable for complying with the information security program?

Do you subscribe to any industry commercial or public threat intelligence or cyber threat feeds?

Is Threat Intelligence information used to monitor for threats and vulnerabilities in the environment?

Do you use threat intelligence information to enhance your risk management or your cyber security controls?

Do you centrally collect and store logs via a SIEM or Log Management platform?

Do you leverage logs for threat detection (alerting, correlation, IoC sweeps, threat hunting, etc.)?

Do you have a Detection and Response process that ensures someone investigates, assesses, and documents each alert?

Does monitoring occur on a 24/7/365 basis to review all events?

Do you have network perimeter defense tools in place at all Internet access points?

Do you deploy system hardening standards on all servers, desktops and network infrastructure to protect how system are secured?

Do you control which users are allowed to make system configuration changes?

Do you require all wireless networks to have strong encryption and authentication settings?

Do you review/audit your firewall configurations at least annually?

Is multi-factor authentication (MFA) enabled for all critical business functions (i.e. remote access, admin access, email, etc.)?

Do you perform internal vulnerability scans monthly?

Do you perform external vulnerability scans weekly?

Do you perform an annual internal and external penetration test?

Do you have end point protection(EPP) or end point detection and response (EDR) on all endpoints in the organization?

Do you use any form of phishing protection (enterprise email security, sandboxing, email tagging, etc.)?

Are you able to monitor user activity to determine the presence of malicious user activity or insider threats?

Do you monitor the use of privileged user (admin) accounts for potential abuse?

Do you have a process to baseline normal system and network activity on your network?

Do you have escalation procedures in place to alert internal stakeholders of potential attacks/threats from monitoring?

Do you have processes to detect unauthorized or rogue devices on the network?

Do you have a formal patch management program?

Are patches tested before being applied to systems?

A process is in place to review patch management reports for missing patches?

Do you have a formal third-party risk assessment process?

Does your have a third-party risk process require you to perform due diligence on prospective third parties prior to contracts being signed?

Does your third-party risk process require you to maintain a list of all your third-party service providers?

Does your third-party risk process require you to perform a risk analysis of your third-party vendors based on risk?

Do you have a documented incident response plan?

Are employees trained on the proper communication channels to report an incident in a timely manner?

Are Roles and Responsibilities for incident response team members defined in a plan?

Do you have a Cyber Insurance Policy in place?

Does a formal backup and recovery plan exist for all critical business lines?

Is your incident response plan tested annually?

Does your incident response testing include third parties like your SOC provider or Incident Response firms?

Do you routinely check the viability of the backups you have?

Do you have procedures for containing incidents to prevent further damage from an incident?

Do you have a business resumption process that details ways in restore operations?