Supplier Assessment Framework
Domain A: Security Governance (category: Security Risks)
This domain covers how your security governance is designed, implemented, and maintained.

Domain B: Security Certifications (category: Security Risks)
This domain covers how your organisation maintains compliance with key security certifications.

Domain C: HR Security (category: Security Risks)
This domain covers the security controls you have implemented to mitigate security risk from your employees.

Domain D: IT Operations (category: Security Risks)
This domain covers the security controls you have implemented to maintain the health of your IT systems and processes.

Domain E: Software Development (category: Security Risks)
This domain covers the security controls you have implemented during the development of your IT applications.

Domain F: Network and Cloud Security (category: Security Risks)
This domain covers the security controls you have implemented to maintain the security and integrity of your corporate network and any cloud infrastructure.

Domain G: Physical Security (category: Security Risks)
This domain covers the physical security controls you have implemented to protect your organisation's physical premises.

Domain H: Business Resilience (category: Security Risks)
This domain covers the processes and plans you have in place to ensure a quick recovery if a failure occurs.

Domain I: Supply Chain Management (category: Security Risks)
This domain covers the processes and controls you have in place to ensure the security risk from your supply chain is mitigated.

Domain J: Data Protection (category: Security Risks)
This domain covers compliance with data protection legislation.

Domain K: Artificial Intelligence (category: Security Risks)
This domain covers the use of Artificial Intelligence (AI) in your organisation and what you have done to prevent, identify, and respond to evidence of risk.

Domain XA: Financial Risk (category: Financial Risk)
Financial controls to prevent, identify, and respond to evidence of financial crime are also included in Risk Ledger's Supplier Assessment Framework. This includes checks for compliance with relevant Anti-Money Laundering (AML) regulations, applicable Anti-Bribery and Corruption (AB&C) legislation, fraud prevention and sanctions.

Domain XB: Environmental, Social and Governance (category: Environmental, Social and Governance)
This add-on domain covers how your organisation manages and governs its environmental and social impact.

Domain XC: UK Government Data and Personnel Security (category: UK Government Data and Personnel Security)
This add-on domain is specific to suppliers working with the UK government. Please reach out to support@riskledger.com if you need help with this domain.
Domain A, Question 01: Does your organisation conduct an annual independent information security review and act upon the findings?
Answer yes if your organisation engages a third party to conduct an annual information security review, and the findings are assessed by your organisation and acted upon where necessary. If yes, add the date of your last review to the notes.

Domain A, Question 02: Does your organisation have an appointed person responsible for information security, such as a CISO?
Answer yes if your organisation has an appointed role that is responsible for managing and implementing security controls throughout your business. Confirm the role and its responsibilities in the notes or upload a job description as evidence.

Domain A, Question 03: Does your organisation have a documented Cybersecurity Policy or Information Security Policy?
Answer yes if your organisation has a documented Cyber Security Policy or Information Security Policy that has been reviewed in the last year. Upload the Information Security Policy as evidence.

Domain A, Question 04: Does your organisation have a formal policy on the use of mobile devices?
Answer yes if your organisation has a documented Mobile Device Policy that has been reviewed in the last year. Upload the Mobile Device Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.

Domain A, Question 05: Does your organisation have a formal policy for remote working that includes security?
Answer yes if your organisation has a documented Remote Working Policy that has been reviewed in the last year. Upload the Remote Working Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.

Domain A, Question 06: Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information?
Answer yes if your organisation has a documented Acceptable Use Policy that has been reviewed in the last year. Upload the Acceptable Use Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.

Domain A, Question 07: Does your organisation have a documented Information Classification Policy?
Answer yes if your organisation has a documented Information Classification Policy that has been reviewed in the last year and that outlines the data handling procedures in operation within your organisation. Upload the Information Classification Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.

Domain A, Question 08: Does your organisation have a documented Access Control Policy?
Answer yes if your organisation has a documented Access Control Policy that has been reviewed in the last year. Upload the Access Control Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.

Domain A, Question 09: Does your organisation have a policy governing the use of cloud services?
Answer yes if your organisation has a documented policy on the use of cloud services that has been reviewed in the last year. The policy should include information security requirements for the acquisition, use, management of, and exit from cloud services. Upload the Cloud Services Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.

Domain A, Question 10: Does your organisation have a Password Policy that is technically enforced throughout its IT estate?
Answer yes if your organisation has a documented Password Policy that is technically enforced throughout the IT estate. Upload the Password Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes. Also include information about any controls you have to prevent brute-force attacks on passwords, such as account lockout thresholds or time delays between password attempts.
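Question 10 asks for two things that are easy to claim and harder to show: technical enforcement of the password rules, and a control against brute-force guessing. The Python below is an added example, not Risk Ledger's code and not part of the framework, of how both are typically implemented at an authentication endpoint: a rule check that rejects non-compliant passwords, and a per-account guard that applies a progressive delay after each failure and a lockout once a threshold is reached. The policy values, the banned-password list and the user records are hypothetical; the clock is passed in explicitly so the behaviour is deterministic.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Hypothetical policy parameters; real values come from the organisation's Password Policy.
MIN_LENGTH = 12
LOCKOUT_THRESHOLD = 5        # consecutive failures before the account locks
LOCKOUT_SECONDS = 900        # lockout duration (15 minutes)
BASE_DELAY_SECONDS = 1.0     # delay after the first failure; doubles per failure
MAX_DELAY_SECONDS = 30.0     # cap on the progressive delay
# Constructed banned list; a real deployment uses a breached-password corpus.
BANNED = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept modest for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def policy_violations(password: str, username: str) -> list[str]:
    """Return every policy rule the candidate breaks (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BANNED:
        problems.append("appears on the banned password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("repeats a single character")
    return problems


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success or lockout
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    next_allowed: float = 0.0  # earliest time the next attempt is evaluated


@dataclass
class LoginGuard:
    """Per-account brute-force control: progressive delay, then lockout."""
    users: dict[str, tuple[bytes, bytes]]            # username -> (salt, pbkdf2 hash)
    state: dict[str, AccountState] = field(default_factory=dict)

    def attempt(self, username: str, password: str, now: float) -> str:
        st = self.state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"
        if now < st.next_allowed:
            return "throttled"   # attempt is refused without evaluating the password
        record = self.users.get(username)
        # Unknown users still go through a hash so timing does not reveal valid names.
        salt, expected = record if record else (b"dummy-salt-value", b"\0" * 32)
        digest = hash_password(password, salt)
        if record and hmac.compare_digest(digest, expected):
            self.state[username] = AccountState()    # success resets all counters
            return "ok"
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_SECONDS
            st.next_allowed = st.locked_until
            st.failures = 0
            return "locked"
        delay = min(BASE_DELAY_SECONDS * 2 ** (st.failures - 1), MAX_DELAY_SECONDS)
        st.next_allowed = now + delay
        return "denied"


if __name__ == "__main__":
    salt = b"constructed-salt"
    guard = LoginGuard(users={"alice": (salt, hash_password("Correct-Horse-Battery", salt))})
    for t in (0.0, 0.5, 1.0):
        print(t, guard.attempt("alice", "wrong" if t == 0.0 else "Correct-Horse-Battery", t))
    print(policy_violations("alice2024", "alice"))
```

The evidence an assessor wants for this question is the configuration of the real system that behaves like `LoginGuard` (directory password policy, identity provider lockout settings), so keep the threshold and delay values in the notes consistent with what is actually deployed.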
Domain A, Question 11: Does your organisation have a documented Backup Policy?
Answer yes if your organisation has a documented Backup Policy that has been reviewed in the last year. Upload the Backup Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.

Domain A, Question 12: Does your organisation enforce a Clear Desk and Screen Policy?
Answer yes if your organisation has implemented and enforces a Clear Desk and Screen Policy. Upload the Clear Desk and Screen Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.

Domain A, Question 13: Does your organisation prevent the use of removable media, and is this enforced technically?
Answer yes if your organisation blocks the use of removable media on your network and this is enforced through a technical control.

Domain A, Question 14: If the use of removable media is not prohibited and enforced technically, is its use subject to other compensatory controls?
Answer yes if your organisation subjects the use of removable media to compensatory controls (these can include DLP solutions, encrypted USB drives, training and awareness, etc.). If yes, state the nature of these controls in the notes.

Domain A, Question 15: Are your organisation's information security policies accessible to all employees?
Answer yes if all of your employees have continuous access to your organisation's up-to-date policies (for example, through an intranet, cloud service, or networked drive).

Domain A, Question 16: Are your organisation's information security policies reviewed and approved by senior management at least annually?
Answer yes if all of your organisation's security policies are reviewed and approved by senior management at least annually.

Domain A, Question 17: Has your organisation documented senior management roles and responsibilities for security within your organisation?
Answer yes if your organisation has clearly defined and documented the security roles and responsibilities of senior management. Upload the documented roles as evidence.

Domain A, Question 18: Does your organisation include information security during the planning and delivery of projects?
Answer yes if you include information security in your planning and delivery of projects (for example, by conducting a security risk assessment of each project and implementing project controls).

Domain A, Question 19: Does your organisation restrict employee access to business information based upon the principle of least privilege?
Answer yes if you only give each employee access to the business information that they require to complete their job role (this is known as the principle of least privilege).

Domain A, Question 20: Does your organisation have an internal audit function that ensures information security requirements are being met by the business?
Answer yes if you have an internal team who audit your security function against your policies to ensure compliance. Provide information on the frequency of the audits in the notes.

Domain A, Question 21: Does your organisation conduct security risk assessments for your full IT estate at least annually?
Answer yes if your organisation conducts regular (at least annual) security risk assessments against the whole IT estate and takes appropriate action. Following a risk assessment, identified risks should be tracked, with assigned owners and risk treatment plans.

Domain A, Question 22: Does your organisation have a formal confidentiality or non-disclosure agreement in place for all staff, contractors and third parties?
Answer yes if you require everyone who has access to confidential information to sign a confidentiality agreement or NDA. Upload a template NDA or confidentiality agreement as evidence.

Domain A, Question 23: Does your organisation segregate duties to prevent unauthorised disclosure of or access to information?
Answer yes if your organisation has identified and segregated relevant duties to help reduce errors and to prevent fraud. Give an example of such segregation in the notes.

Domain A, Question 24: Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?
Answer yes if your organisation has a defined process that is followed when a client contract is terminated, including the secure destruction of client data. Describe the process in the notes.

Domain A, Question 25: Does your organisation use threat intelligence to inform decisions about information security?
Answer yes if your organisation uses threat intelligence to make smarter decisions relating to information security strategy, policy, processes or operations. This could be collected, analysed and produced internally, or gathered from external sources such as information services or special interest groups. In the notes section, describe how you collect, analyse and use threat intelligence within your organisation, or upload a document as supporting evidence.

Domain B, Question 01: Is your organisation Cyber Essentials certified?
Answer yes if your organisation is certified to the basic (first-level) Cyber Essentials scheme. Upload your Cyber Essentials certificate as evidence.

Domain B, Question 02: Is your organisation Cyber Essentials Plus certified?
Answer yes if your organisation has been certified to the Cyber Essentials Plus scheme by a relevant certification body. Upload your Cyber Essentials Plus certificate as evidence.

Domain B, Question 03: Is your organisation ISO 27001 certified?
Answer yes if your organisation has a current, valid ISO 27001 certification. Upload your ISO 27001 certificate and Statement of Scope as evidence and copy the certificate scope statement into the notes section. If appropriate, also upload your Statement of Applicability. State the certification body that issued the certificate in the notes section.

Domain B, Question 04: Is your organisation aligned with the NIST Cybersecurity Framework?
Answer yes if your organisation is aligned with the NIST Cybersecurity Framework.

Domain B, Question 05: Are you PCI DSS compliant?
Answer yes if your organisation is compliant with the PCI DSS security standard. If you have answered no, please state whether or not you process, store or transmit payment card data. If you have certified against the standard, please provide your certificate.

Domain B, Question 07: Does your organisation have a defined process for managing and monitoring Third-Party Service Providers (TPSPs) that provide services impacting your PCI DSS compliance?
Answer yes if you have a defined process for monitoring the PCI DSS compliance status of any relevant TPSPs. For applicable TPSPs, provide their Attestation of Compliance (AoC).

Domain B, Question 08: Does your organisation have any other certifications or audit reports that cover information security (such as a SOC 2 report)?

Domain C, Question 01: Does your organisation perform background checks on staff and contractors?
Answer yes if background checks are conducted against staff before they join your organisation. In the notes section, please outline the types of checks (e.g. employer reference, criminal records, BPSS, CTC, SC, DV) conducted for which roles, or provide a supporting document (as a PDF file) as evidence.

Domain C, Question 04: Is there a formal disciplinary process for employees who have breached company policy (including any breaches of company security policy)?
Answer yes if your organisation has a formal disciplinary process that is followed if an employee is found to have intentionally breached company policy. Upload a document outlining the process as evidence (this may be covered by your organisation's Disciplinary Policy).

Domain D, Question 01: Does your organisation keep an up-to-date inventory of all IT assets with assigned owners?
Answer yes if your organisation keeps an up-to-date inventory of all hardware and software assets within your IT estate, including cloud services. The inventory must list an owner against each asset. It should also list other details about the assets such as version numbers, business usage and location. Include details in the notes.

Domain D, Question 04: Does your organisation have a process for editing or removing employee access to systems and information (whether digital or physical) when they are changing role or leaving the organisation?
Answer yes if your organisation has a formal process that ensures all access to your organisation's systems and information (this includes, but is not limited to, corporate endpoints, networks, offices and third-party services) is removed when employees, contractors and third-party users leave the organisation and is updated when they change roles. Describe these processes in the notes and/or upload any relevant evidence.

Domain D, Question 11: Does your organisation use Privileged Access Management controls to securely manage the use of privileged accounts for system administration?
Answer yes if your organisation has systems and/or processes in place to help ensure privileged accounts are only used for their intended purposes, in a secure way. This could include the use of administration proxies (jump boxes or bastion hosts), Privileged Access Workstations (PAWs), temporary credentials, additional approval processes, or ensuring privileged accounts are not used for normal business activities such as email or web browsing. Describe your PAM controls in the notes section or upload a supporting document as evidence.

Domain D, Question 16: Does your organisation operate a secure configuration process to reduce unnecessary vulnerabilities in your IT systems, including servers, endpoints, network devices and systems hosted in a cloud environment?
Answer yes if your organisation has a configuration process that is followed for all IT assets. The process should define security settings and disable unneeded services, thereby reducing your attack surface. Describe how your secure configuration process is performed, including both automated and manual checks. Upload any relevant documentation as evidence.

Domain D, Question 17: Do all systems (such as network devices) have their default credentials changed on installation or provision?
Answer yes if all of your organisation's IT systems (network devices and user accounts for services) have their default credentials changed on installation or provision.
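Questions 16 and 17 both come down to comparing what is actually running against what the baseline says should be running. The Python below is an added example, not part of the framework and not Risk Ledger's tooling, of the automated check such a process produces: it audits a constructed host inventory against a hypothetical baseline, reporting services enabled beyond the allowed set, hardening settings that deviate from the required values, and accounts whose stored credential fingerprint still matches a known vendor default. The baseline, the hosts, the default-credential list and the fingerprint scheme are all assumptions made for illustration; a real check would read the inventory from configuration management or an endpoint agent.

```python
import hashlib

# Hypothetical baseline (illustrative values, not any vendor's or the platform's own).
BASELINE = {
    "allowed_services": {"sshd", "chronyd", "rsyslog"},
    "required_settings": {
        "ssh_password_auth": "no",
        "ssh_root_login": "no",
        "firewall_enabled": "yes",
        "auto_updates": "yes",
    },
}

# Constructed list of vendor default credentials that must not survive provisioning.
KNOWN_DEFAULTS = [("admin", "admin"), ("admin", "password"), ("root", "toor"), ("user", "user")]


def credential_fingerprint(username: str, password: str, salt: bytes) -> str:
    """Salted PBKDF2 fingerprint of user:password; stands in for the stored credential hash."""
    return hashlib.pbkdf2_hmac("sha256", f"{username}:{password}".encode(), salt, 50_000).hex()


def audit_host(host: dict, baseline: dict = BASELINE) -> list[str]:
    """Return human-readable deviations from the baseline for one host."""
    findings = []
    name = host["hostname"]
    # 1. Services enabled that the baseline does not permit (unnecessary attack surface).
    for svc in sorted(set(host.get("services", [])) - baseline["allowed_services"]):
        findings.append(f"{name}: service '{svc}' is enabled but not in the baseline")
    # 2. Required hardening settings missing or set to a weaker value.
    settings = host.get("settings", {})
    for key, wanted in baseline["required_settings"].items():
        actual = settings.get(key)
        if actual != wanted:
            findings.append(f"{name}: setting {key}={actual!r}, baseline requires {wanted!r}")
    # 3. Accounts whose credential still matches a known vendor default.
    salt = bytes.fromhex(host["salt"])
    for account in host.get("accounts", []):
        for user, pw in KNOWN_DEFAULTS:
            if account["username"] == user and \
                    account["fingerprint"] == credential_fingerprint(user, pw, salt):
                findings.append(f"{name}: account '{user}' still uses a vendor default password")
                break
    return findings


# Constructed inventory: one host provisioned correctly, one that kept a default login,
# an extra service and password-based SSH.
SALT = bytes.fromhex("a1b2c3d4e5f60718")
HOSTS = [
    {"hostname": "edge-fw-01", "salt": SALT.hex(),
     "services": ["sshd", "chronyd", "telnetd"],
     "settings": {"ssh_password_auth": "yes", "ssh_root_login": "no",
                  "firewall_enabled": "yes", "auto_updates": "yes"},
     "accounts": [{"username": "admin", "fingerprint": credential_fingerprint("admin", "admin", SALT)},
                  {"username": "ops", "fingerprint": credential_fingerprint("ops", "Correct-Horse-Staple", SALT)}]},
    {"hostname": "app-01", "salt": SALT.hex(),
     "services": ["sshd", "rsyslog"],
     "settings": {"ssh_password_auth": "no", "ssh_root_login": "no",
                  "firewall_enabled": "yes", "auto_updates": "yes"},
     "accounts": [{"username": "ops", "fingerprint": credential_fingerprint("ops", "Another-Strong-Passphrase", SALT)}]},
]


def audit_estate(hosts: list[dict] = HOSTS) -> dict[str, list[str]]:
    """Run the baseline audit across every host and key the findings by hostname."""
    return {h["hostname"]: audit_host(h) for h in hosts}


if __name__ == "__main__":
    for hostname, findings in audit_estate().items():
        print(hostname, "compliant" if not findings else "")
        for line in findings:
            print("  -", line)
```

The output of a run like this, kept with a date, is the kind of artefact that supports a yes answer to both questions better than a policy document alone.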
Domain D, Question 21: Does your organisation have procedures in place to control the installation of software on user endpoint systems?
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on user endpoint systems, including desktop PCs, laptops and mobile devices. This could be done through application allowlisting, restricting user installation rights, device management software, etc. Describe the nature of the controls in the notes.

Domain E, Question 13: Is your organisation able to demonstrate the composition and provenance of software it develops (including third-party and open-source components)?
Answer yes if your organisation can demonstrate the composition and provenance of the software it develops, including any third-party or open-source components. Upload supporting evidence such as, but not limited to, a software inventory, dependency lists, or a software bill of materials (SBOM).

Domain E, Question 14: Does your organisation continuously monitor all software components for vulnerabilities?
Answer yes if your organisation has processes or tools in place to regularly monitor software components for newly disclosed vulnerabilities throughout the software lifecycle. This includes identifying relevant vulnerabilities, understanding the potential impact to you, and assessing any necessary actions.
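Questions 13 and 14 are two halves of one pipeline: an SBOM records what the software is made of, and monitoring means re-checking that record against advisories as they are published. The Python below is an added example, not the platform's code and not any project's real SBOM, of the core of that pipeline: it parses a constructed CycloneDX-style SBOM, flags components that carry no hash (so their provenance cannot be tied to a specific artefact), and matches each component's package URL against a constructed OSV-style advisory feed using introduced/fixed version ranges. Package names, advisory identifiers and hashes are invented; version parsing handles numeric dotted versions only, which is an assumption a production tool must not make.

```python
import json
from typing import Optional

# Constructed CycloneDX-style SBOM for a hypothetical application; names are invented.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "2.28.1",
     "purl": "pkg:pypi/examplelib@2.28.1",
     "hashes": [{"alg": "SHA-256",
                 "content": "d2a84f4b8b650937ec8f73cd8be2c74add5a911ba64df27458ed8229da804a26"}]},
    {"type": "library", "name": "nethelper", "version": "1.26.18",
     "purl": "pkg:pypi/nethelper@1.26.18",
     "hashes": [{"alg": "SHA-256",
                 "content": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}]},
    {"type": "library", "name": "samplepad", "version": "1.3.0",
     "purl": "pkg:npm/samplepad@1.3.0"}
  ]
}
"""

# Constructed advisory feed in an OSV-like shape (invented identifiers and ranges).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "pkg:pypi/examplelib",
     "introduced": "2.0.0", "fixed": "2.31.0", "severity": "HIGH"},
    {"id": "EXAMPLE-2023-0044", "package": "pkg:pypi/examplelib",
     "introduced": "0", "fixed": "1.0.0", "severity": "LOW"},
    {"id": "EXAMPLE-2024-0102", "package": "pkg:npm/samplepad",
     "introduced": "1.0.0", "fixed": None, "severity": "MEDIUM"},
]


def parse_version(text: str) -> tuple:
    """Numeric dotted versions only; pre-release and build tags are out of scope here."""
    return tuple(int(part) for part in text.split("."))


def purl_package(purl: str) -> str:
    """pkg:pypi/examplelib@2.28.1?x=y -> pkg:pypi/examplelib (drop version and qualifiers)."""
    return purl.split("@", 1)[0].split("?", 1)[0]


def load_components(sbom_text: str) -> list:
    return json.loads(sbom_text).get("components", [])


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (fixed=None means no fix published)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def provenance_gaps(components: list) -> list:
    """Components with no recorded hash cannot be tied to a specific build artefact."""
    return [c["name"] for c in components if not c.get("hashes")]


def scan(components: list, advisories: list = ADVISORIES) -> list:
    """Cross-reference every component against the advisory feed by package URL."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    findings = []
    for comp in components:
        purl = comp.get("purl")
        if not purl:
            continue
        for adv in by_package.get(purl_package(purl), []):
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    print("provenance gaps:", provenance_gaps(comps))
    for f in scan(comps):
        print(f)
```

Re-running `scan` whenever the advisory feed changes, not only when the software is rebuilt, is what makes the monitoring in question 14 continuous; a component with `fixed_in` of `None` is the case that needs a compensating control and client communication rather than an upgrade.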
Domain F, Question 11: Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS), and are all data transfers subject to review and authorisation?
Answer yes if all data transfers to and from your organisation are approved by the relevant parties and secured with an appropriate level of authentication and encryption (such as HTTPS for web traffic, including APIs, and SFTP for file transfers). Describe the nature of these controls, both technical and procedural, in the notes section.

Domain F, Question 23: Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows?
Answer yes if you have processes in place which facilitate effective triage of vulnerabilities and feed the necessary remediations into the appropriate workflows, for example development, IT change management or ad hoc improvement programmes. This should cover all vulnerabilities identified through scanning, penetration tests, or other inputs such as external alert feeds or internal employee reporting. It should also include communication of vulnerabilities to key stakeholders (including relevant clients) where temporary compensating controls may be required. Describe your process(es) in the notes section.

Domain F, Question 33: Is your organisation currently registered with the UK National Cyber Security Centre's (NCSC) Early Warning service?
Answer yes if your organisation has registered with the NCSC's Early Warning service to receive notifications of potential threats to your network.

Domain I, Question 01: Does your organisation have formal agreements in place to control third-party use of personal data, including any requirements stipulated by relevant data protection legislation?
Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that covers all of the requirements of the relevant data protection regulations (e.g. GDPR, the Australian Privacy Act, US state law).

Domain I, Question 06: Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?
Answer yes if your organisation checks that suppliers are continually meeting their security requirements while you are in contract with them, through a regular assurance process (e.g. quarterly, annually). Provide details of your current process. The Risk Ledger platform can make this easier for you - get in touch!

Domain J, Question 04: Does your organisation have a nominated Data Protection Officer (DPO)?
Answer yes if your organisation has a nominated Data Protection Officer (DPO) who undertakes regular compliance checks and leads on continual privacy improvement. Describe in the notes section how your DPO monitors compliance with relevant data protection obligations.

Domain J, Question 05: Does your organisation have an up-to-date Data Protection Policy?
Answer yes if your organisation has a Data Protection Policy that has been reviewed in the last year. Upload your Data Protection Policy as evidence.

Domain J, Question 06: Does your organisation maintain a record of all personal data collection and processing activities?
Answer yes if you document your personal data processing activities. This could be through data flow diagrams or written documentation and should include details of collection, purpose, storage, access, use, sharing, and retention. Describe how you do this in the notes.

Domain J, Question 08: Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals?
Answer yes if your organisation conducts a Data Protection Impact Assessment (DPIA) for all processing of personal data that is likely to result in a high risk to individuals. To find out more about Data Protection Impact Assessments, see the Risk Ledger Knowledgebase.

Domain J, Question 11: Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches?
Answer yes if your organisation has robust detection, investigation and reporting procedures in place for all personal data breaches. This should include assessing the likely risk to individuals as a result of the breach, informing affected individuals without undue delay, and documenting the facts surrounding personal data breaches in a breach log. Provide details about your processes surrounding a personal data breach in the notes section, and upload any relevant documentation.

Domain J, Question 12: Does your organisation have a process for notifying the relevant authority and all relevant parties (e.g. data controllers) when a breach occurs?
Answer yes if your organisation has a documented process for notifying the relevant authority for your jurisdiction and all data controllers or other relevant parties when it becomes aware of a security breach involving personal data.

Domain J, Question 14: Does your organisation process personal data on behalf of another organisation?
Answer yes if your organisation processes personal data on behalf of another organisation where they are the data controller and you are the data processor.

Domain J, Question 15: Does your organisation have procedures in place to inform, and obtain authorisation (if required) from, the data controller before engaging a sub-processor?
Answer yes if you have ways to ensure that new sub-processors are authorised by or communicated to the data controller before the new sub-processing takes place. Upload evidence or describe how this is ensured in the notes.

Domain J, Question 16: Does your organisation ensure that processing activities are only carried out under the documented instructions of the data controller?
Answer yes if you have processes or policies which ensure data is only processed in the way your data controller has requested, and you have written instructions from the controller describing this. Describe in the notes how you obtain these instructions from data controllers and how you ensure data is not processed in any way outside of the documented written instructions.

Domain K, Question 13: Is client data and information (e.g. prompts) used to train AI models?
Answer yes if any client data is used to train your own AI models, or external AI models used to provide supplier services. Describe which client data may be used to train AI models and how this is communicated to those clients.

Domain K, Question 14: Does your organisation have a formal AI model change management process that gives consideration to information security and regulatory requirements and includes notification to relevant clients?
Answer yes if your organisation has a formal change management process that includes a step to assess any security or legal compliance risks the change may affect, requires a rollback plan, and includes processes for notifying relevant clients of the changes and any consequential processing differences. Change management applies both when the AI model itself is updated and when the data applied to the model is changed (e.g. the model is applied to support new services processing different client data). Upload a copy of your AI change management process, or describe the process in the notes section.

Domain K, Question 15: Does your organisation have processes in place to identify, triage and remediate the effects of AI model updates?
Answer yes if your organisation evaluates the effects of changes to the underlying AI model, whether that model is created and maintained by you or is adopted from an external source (e.g. Amazon Bedrock, AI as a service). Change impacts can include changes in output accuracy or bias and the potential need to reprocess historic data for analysis consistency. Describe how you evaluate the effects of these changes or upload supporting documentation.

Domain L, Question 01: Does your organisation have any certifications or audit reports that cover environmental, social or governance issues (such as ISO 14001, ISO 45001 or B Corporation certification)?
Answer yes if your organisation has obtained any certifications or any external audit reports which cover environmental, social or governance issues. Please state the certification or report in the notes and upload a PDF of the relevant certification or report as evidence.

Domain L, Question 03: Does your organisation publicly share metrics related to your environmental, social and corporate governance?
Answer yes if your organisation publicly shares information and metrics about your environmental and social impact. Please upload a copy of the latest report as evidence or provide a link to it.

Domain L, Question 07: What are your scope 1 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 1 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 1 emissions, please enter zero as your numerical answer and state this clearly in the notes section.

Domain L, Question 08: What are your scope 2 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 2 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 2 emissions, please enter zero as your numerical answer and state this clearly in the notes section.

Domain L, Question 09: What are your scope 3 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 3 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 3 emissions, please enter zero as your numerical answer and state this clearly in the notes section.

Domain L, Question 19: Does your organisation provide a grievance mechanism for workers to raise workplace concerns?
Answer yes if your organisation has a mechanism in place (backed by a written policy document with a defined process) that allows employees and contractors to raise grievances relating to their employment. Please upload the policy document (as a PDF file) as evidence.
Churchill House, 142-146 Old St.
London, EC1V 9BW
United Kingdom