This domain covers how your security governance is designed, implemented, and maintained.

Security Risks

This domain covers how your organisation maintains compliance with key security certifications.

Security Risks

This domain covers the security controls you have implemented to mitigate security risk from your employees.

Security Risks

This domain covers the security controls you have implemented to maintain the health of your IT systems and processes.

Security Risks

This domain covers the security controls you have implemented during the development of your IT applications.

Security Risks

This domain covers the security controls you have implemented to maintain the security and integrity of your corporate network and any cloud infrastructure.

Security Risks

This domain covers the physical security controls you have implemented to protect your organisation's physical premises.

Security Risks

This domain covers the processes and plans you have in place to ensure a quick recovery if a failure occurs.

Security Risks

This domain covers the processes and controls you have in place to ensure the security risk from your supply chain is mitigated.

Security Risks

This domain covers compliance with data protection legislation.

Security Risks

This domain covers use of Artificial Intelligence (AI) in your organisation and what you have done to prevent, identify, and respond to evidence of risk.

Security Risks

This domain covers financial risk in your organisation and what you have done to prevent, identify, and respond to evidence of financial risk.

Financial Risk

This domain covers how your organisation manages and governs its environmental and social impact.

Environmental, Social and Governance

Answer yes if your organisation engages a third party to conduct an annual information security review, the findings are assessed by your organisation and acted upon if necessary. If yes, please add the date of your last review to the notes.

Answer yes if your organisation has an appointed role that is responsible for managing and implementing security controls throughout your business. Please confirm the role and its responsibilities in the notes or provide a job role description (as a PDF file) as evidence.

Answer yes if your organisation has a documented Cyber Security Policy or Information Security Policy that has been reviewed in the last year. Please provide the Information Security Policy (as a PDF file) as evidence.

Answer yes if your organisation has a documented Mobile Device Policy that has been reviewed in the last year. Please provide the Mobile Device Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Answer yes if your organisation has a documented Remote Working Policy that has been reviewed in the last year. Please provide the Remote Working Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Answer yes if your organisation has a documented Acceptable Use Policy that has been reviewed in the last year. Please provide the Acceptable Use Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Answer yes if your organisation has a documented Information Classification Policy that has been reviewed in the last year and that outlines the data handling procedures in operation within your organisation. Please provide the Information Classification Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Answer yes if your organisation has a documented Access Control Policy that has been reviewed in the last year. Please provide the Access Control Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Answer yes if your organisation has a documented policy on the use of cloud services, and if it has been reviewed in the last year. The policy should include information security requirements for the acquisition, use, management, and exit from cloud services. Please provide the Cloud Services Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Answer yes if your organisation has a documented Password Policy which is enforced technically throughout the IT estate. Please provide the Password Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes. Please also include information about any controls you have to prevent brute-force attacks on passwords, such as account lockout thresholds or time-delays between password attempts.

Answer yes if your organisation has a documented Backup Policy that has been reviewed in the last year. Please provide the Backup Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Answer yes if your organisation has implemented and enforces a Clear Desk and Screen Policy. Please provide the Clear Desk and Screen Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

Answer yes if your organisation blocks the use of removable media on your network and if this is enforced through the use of a technical control.

Answer yes if your organisation subjects the use of removable media to technical controls (these can include DLP solutions, encrypted USB drives, training and awareness etc.). If yes, please describe the nature of these controls within the notes.

Answer yes if all of your employee's have continuous access to your organisation's up-to-date policies (for example, through an intranet, cloud service, or networked drive).

Answer yes if all of your organisation's security policies are reviewed and approved by senior management.

Answer yes if your organisation has clearly defined and documented the security roles and responsibilities of senior management. Please provide the documented roles (as a PDF file) as evidence.

Answer yes if you include information security in your planning and delivery of projects (for example, by conducting a security risk assessment of each project and implementing project controls).

Answer yes if you only give each employee access to the business information that they require to complete their job role (this is known as the principle of least privilege).

Answer yes if you have an internal team who audit your security function against your policies to ensure compliance. Please comment on the frequency of the audits in the notes.

Answer yes if your organisation conducts regular (at least annual) security risk assessments against the whole IT estate and takes appropriate action. Following a risk assessment, identified risks should be tracked, with assigned owners and risk treatment plans.

Answer yes if you require everyone who has access to confidential information to sign a confidentiality agreement or NDA. Please provide a template NDA (as a PDF file) as evidence.

Answer yes if your organisation has identified and segregated relevant duties to help reduce errors and to prevent fraud. Please give an example of such segregation in the notes.

Answer yes if your organisation has a defined process for terminating a client contract and removing all relevant client data securely. Please describe the process in the notes or provide a supporting document (as a PDF file) as evidence.

Answer yes if your organisation uses threat intelligence to make smarter decisions relating to information security strategy, policy, processes or operations. This could be collected, analysed and produced internally, or gathered from external sources such as information services or special interest groups. In the notes section, please describe how you collect, analyse and use threat intelligence within your organisation, or upload a document (as a PDF file) as supporting evidence.

Answer yes if your organisation has been certified to an information security standard (such as PCI DSS, Cyber Essentials or ISO27001) or has completed an information security audit such as a SOC2.

Answer yes if your organisation is certified to the first level Cyber Essentials scheme. Please provide your Cyber Essentials certificate as evidence.

Answer yes if your organisation has been certified to the Cyber Essentials Plus scheme by a relevant certification body. Please provide your Cyber Essentials Plus certificate as evidence.

Answer yes if your organisation has a current, valid ISO27001 certification. Please provide your ISO27001 certificate and Statement of Scope as evidence (as a PDF file) and copy the certificate scope statement into the notes section.

Answer yes if your organisation is aligned with the NIST Cybersecurity Framework.

Answer yes if your organisation is compliant with the PCI DSS security standard. If you have certified against the standard, please provide your certificate.

Answer yes if background checks are conducted against staff before they join your organisation. In the notes section, please outline the types of checks (e.g. employer reference, criminal records, BPSS, CTC, SC, DV) conducted for which roles or provide a supporting document (as a PDF file) as evidence.

Answer yes if your organisation's employment contracts include a clause in which the employee must consent to abiding by all of your organisation's security policies. Please provide a template contract (as a PDF file) as evidence or copy the clause into the notes section.

Answer yes if your organisation runs an information security and data protection training programme for all of your employees. Please outline the nature and frequency of the training programme in the notes section, including any additional training provided to staff with greater responsibility or more privileged system access.

Answer yes if your organisation has a formal disciplinary process that is followed if an employee is found to have intentionally breached company policy. Please provide a document outlining the process (as a PDF file) as evidence (this may be covered by your organisation's Disciplinary Policy).

Answer yes if your organisation has a process in place to source additional staff if one of your organisation's employees is not available for an extended period of time. Please outline the process in the notes section.

Answer yes if your organisation keeps an up-to-date inventory of all hardware and software assets within your IT estate, including cloud services. The inventory must list an owner against each asset. It should also list other details about the assets such as version numbers, business usage & location. Please include details in the notes.

Answer yes if your organisation keeps an up-to-date inventory of all data repositories within your IT estate, including any hosted within cloud services. The inventory must list an owner against each asset.

Answer yes if your organisation has a formal process that ensures employees, contractors and third party users return all IT assets when they leave the organisation (this usually takes the form of a checklist).

Answer yes if your organisation has a formal process that ensures all access to your organisation's systems & information (this includes, but is not limited to corporate endpoints, networks, offices and third party services) is removed when employees, contractors and third party users leave the organisation and is updated when they change roles. Please describe these processes within the notes and/or upload any relevant evidence.

Answer yes if your organisation requires all users to have a secure and unique logon to access corporate endpoints, networks, and third party services, and if these logons are provisioned securely and with line manager authorisation. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence. If any generic or shared accounts are used, please specify what these are used for and any processes you have in place to minimise their usage.

Answer yes if your organisation enforces multi-factor authentication on all public facing services that it uses (this includes third party web based services).

Answer yes if your organisation requires privileged user accounts and accounts for sensitive services (such as network administrators) to receive a higher level of authorisation before they are provisioned. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence.

Answer yes if your organisation conducts regular user access audits to make sure that all users have the correct and up-to-date access to business information. This should include audit of any shared or generic accounts. Please outline the audit process in the notes section or provide a supporting document (as a PDF file) as evidence.

Please state the number of times access audits are completed for users each year.

Please state the number of times access audits are completed for users each year.

Answer yes if your organisation has systems and/or processes in place to help ensure privileged accounts are only used for the intended purposes, in a secure way. This could include the use of administration proxies (jump boxes or bastion hosts), Privileged Access Workstations (PAWs), temporary credentials, additional approval processes, or ensuring privileged accounts are not used for normal business activities, such as email or web-browsing. Please describe your PAM controls in the notes section or provide a supporting document (as a PDF file) as evidence.

Answer yes if your organisation's systems automatically lock after a period of inactivity and require the user to re-authenticate.

Please state how long a user must be inactive for (in minutes) before the systems lock. If times vary between systems, please put the highest value and state the others in the notes.

Answer yes if your organisation provides staff with a password management solution to help facilitate password complexity and uniqueness.

Answer yes if your organisation has disabled auto-run on all of its IT systems. Autorun is a feature on Windows’ operating systems that automatically executes code present on external devices when they are plugged into a PC.

Answer yes if your organisation provides users who do not require local administrator privileges with user accounts (without administrator rights) on their endpoint systems.

Answer yes if your organisation has a configuration process that is followed for all IT assets. The process should define security settings and disable unneeded services, thereby reducing your attack surface. Please describe how your secure configuration process is performed, including both automated and manual checks. Please upload any relevant documentation (as a PDF file) as evidence.

Answer yes if all of your organisation's IT systems (network devices and user accounts for services) have their default credentials changed on installation or provision.

Answer yes if your organisation has a formal change management process that includes a step to assess any security risks that the change may impact, and that requires a rollback plan. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.

Answer yes if your organisation has deployed anti-malware solutions on all user endpoints and IT systems, and if these solutions receive regular signature updates and are configured to scan files regularly (at least daily). Please provide details of your malware protection solutions in the notes section.

Answer yes if your organisation has controls in place to monitor and restrict the installation of software on production systems (for example, through the use of application whitelisting on servers). Please describe the nature of the controls in the notes.

Answer yes if your organisation has controls in place to monitor and restrict the installation of software on user endpoint systems, including desktop PCs, laptops & mobile devices. This could be done through the use of application whitelisting, restricting user installation rights, device management software etc. Please describe the nature of the controls in the notes.

Answer yes if your organisation allows the use of laptop devices for work purposes. In the notes, please describe whether these are typically company owned or personal devices.

Answer yes if your organisation enforces hard drive encryption on all laptop devices. In the notes, please include details of the encryption algorithm(s) used and how this is enforced.

Answer yes if your organisation has a process and technical solution that allows any lost or compromised laptop device to be remotely wiped.

Answer yes if your organisation allows access to company data or services (e.g. email) through mobile devices. In the notes, please briefly describe the nature of the data / services accessible and whether the mobile devices are company owned or employee personal devices.

Answer yes if your organisation requires technical enforcement of security controls on mobile phones and tablets before access to company data or services is granted. For example, this could be done through the use of MDM (Mobile Device Management) software. In the notes, please describe the nature of the controls, the method of enforcement and any related processes.

Answer yes if your organisation has a process and technical solution that allows any lost or compromised mobile phone or tablet to be remotely wiped.

Answer yes if your organisation encrypts client data on its IT systems. Please state the encryption algorithm used in the notes.

Answer yes if your organisation runs a patch management process to ensure that all IT systems (end points, servers, network devices, and applications) are updated with security patches in line with the manufacturer's guidance. Please describe your patch management processes in the notes section including how you ensure all systems are in scope, or upload supporting documents (as PDF files).

Answer yes if your organisation uses any applications or systems for which the vendors do not provide regular security updates. In the notes, please describe how you discover & manage these systems, including any compensatory controls you have in place to protect them and any plans for decommissioning or replacement.

Answer yes if your organisation has a process to securely destroy all media that may hold business information. If a third party is used, only answer yes if your organisation receives certificates of destruction. Please provide a document outlining the process (as a PDF file) as evidence or describe the process in the notes section.

Answer yes if your organisation takes regular backups of its production data that cannot be altered, deleted or tampered with for a specified time period. Backups must be taken in line with best practice guidelines, for example by following the '3-2-1' rule and segregating the backups from your main environment. Please describe your backup processes including segregation, frequency, and any other controls in place.

Answer yes if your organisation encrypts the backups to prevent unauthorised access to the data. Please state the encryption algorithm used in the notes section.

Answer yes if your organisation regularly tests its backup data to ensure that the backups are effective and can be used when required. Please state the frequency of the tests in the notes section.

Answer yes if your organisation uses opportunistic TLS by default and has the capability to configure enforced TLS on email services to specific domains if requested.

Answer yes if your organisation has implemented effective SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records within its DNS services. Please state in the notes the type of DMARC policy set.

Answer yes if your organisation has any form of Data Loss Prevention (DLP) controls in place to ensure only authorised data is transferred outside of your organisation. In the notes, please describe the controls you have in place and how these are managed.

Answer yes if your organisation develops or programs any applications or systems.

Answer yes if your organisation controls access to its application source code. This is typically done by using a code repository with robust access controls implemented, including maintaining an audit log of all access.

Answer yes if your organisation has implemented a secure SDLC (Software Development Lifecycle) that includes a security risk assessment. Please describe your SDLC process in the notes, highlighting any security input, or provide a supporting document (as a PDF) as evidence.

Answer yes if your organisation's developers are instructed to build applications and systems using defined security best practice (for example, as defined by OWASP, The Open Web Application Security Project). Please state in the notes the best practise guidance followed and if your developers receive any additional security training.

Answer yes if your organisation ensures that all of its applications have data validation implemented on their data inputs and outputs.

Answer yes if your organisation conducts threat modelling when designing each application or system. Please state in the notes how threat modelling is integrated into your SDLC or provide a supporting document (for example, a template threat modelling report as a PDF file) as evidence.

Answer yes if your organisation ensures that all of its applications and systems (that are developed/built in-house) use industry best practice for authentication, and that all passwords are stored as hashes using secure hashing algorithms rather than as plain text.

Answer yes if your organisation performs security testing of all applications & systems during the build process. Please describe the security testing performed which could include, but is not limited to Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Infrastructure security testing.

Answer yes if your organisation uses segregated environments for the development of applications, the testing of applications, and the hosting of production systems that handle live data. Please state in the notes the nature of the segregation (logical/physical).

Answer yes if your organisation has made it policy to only use test data (rather than live production data) that contains no personal data when testing its IT systems. If not, please state the reason why and whether or not you have any other mitigating controls in place.

Answer yes if your organisation produces or receives regular security updates for any applications it develops and hosts, and that it ensures all applications procured from vendors are also supported with regular security patches.

Answer yes if your organisation conducts regular penetration tests of any applications or systems that it develops and remediates the findings. Please state how often penetration tests take place in the notes section.

Answer yes if your organisation ensures that any applications or systems developed have appropriate logging mechanisms implemented (for example, as defined by OWASP, the Open Web Application Security Project).

Answer Yes to this question if:Your organisation maintains (or is responsible for maintaining) a physical or cloud-hosted network that allows user devices to connect and communicate with any data storage or processing services;Your organisation maintains any physical or cloud-hosted application or service delivery infrastructure;Your organisation uses a public cloud to host applications or services where you are responsible for implementing security controls within that environment, guided by the host’s shared security responsibility model (e.g. AWS, GCP and Azure)

Answer yes if your organisation has secured all of the ingress and egress points of its corporate network and IT environments (cloud-based or otherwise) with firewalls - whether as discrete appliances or as cloud-hosted network security service functions.

Answer yes if the firewalls were implemented with a 'deny all' policy, and each rule was only added when a business requirement was identified, documented and approved by an authorised individual.

Answer yes if your organisation undertakes an annual firewall rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.

Answer yes if all web applications hosted by your organisation are protected with WAFs (web application firewalls) - whether as discrete appliances or as cloud-hosted network security service functions. If your organisation does not host any web applications, answer 'No' and state this in the notes section.

Answer yes if the WAFs were implemented with a 'deny all' policy, and if the WAF rules were only added when a business requirement was identified that required the rule to be created.

Answer yes if your organisation undertakes an annual WAF rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.

Answer yes if your organisation has appropriately segregated its network or cloud environments to restrict the level of access to sensitive information, hosts, and services. Examples include segregation of production systems from systems being commissioned or decommissioned and systems under test; segregation of systems with different security levels (e.g. those processing sensitive personal data or financial data are segregated from other business systems) and segregation or segmentation of services used by different subsidiary organisations.

Answer yes if your organisation hosts all publicly accessible services within a DMZ (a DMZ or demilitarised zone is a public facing subnet that acts as a barrier between your organisation's internal environment and the internet or other public network).

Answer yes if your organisation has implemented controls to protect its services against DOS (Denial of Service) and DDOS (Distributed Denial of Service) attacks. Please describe the nature of these controls in the notes section.

Answer yes if your organisation forces all remote connections to its network infrastructure or cloud environment to be secured with a suitable solution such as a VPN or SSH connection.

Answer yes if all data transfers to and from your organisation are approved by relevant parties and secured with an appropriate level of authentication and encryption (such as HTTPS for web traffic including APIs and SFTP for file transfers). Please describe the nature of these controls in the notes section, both technical and procedural.

Answer yes if your organisation controls the use of, and access to, cryptographic keys. These keys are typically used to access IT infrastructure and services. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.

Answer yes if your organisation forces all remote connections to its network or cloud environment to be secured using two factor authentication.

Answer yes if your organisation keeps a list of approved network connections between its own network and any third party networks.

Is each of the approved network connections subject to a risk assessment?

Answer yes if your organisation undertakes a regular review of network connections (e.g. annually) in which it removes any redundant connections and makes sure that all of the connections are relevant to its business operations.

Answer yes if your organisation conducts regular external automated vulnerability scans of its public IP infrastructure and remediates the findings.

Please state the number of automated scans completed every year.

Answer yes if your organisation conducts regular automated vulnerability scans of its internal IP infrastructure and remediates the findings. This may include scanning assets in a private local network or using a cloud service provider’s tools to scan for vulnerabilities in your cloud infrastructure.

Please state the number of automated scans completed every year.

Answer yes if your organisation conducts regular penetration tests of your public facing IT systems and infrastructure and that you remediate the findings. The test should include manual testing by a skilled person in the role of a threat actor with technical verification and validation of any findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.

Answer yes if your organisation conducts regular penetration tests of your internal IT systems and infrastructure and that you remediate the findings. The test should include manual testing by a skilled person in the role of a threat actor with technical verification and validation of any findings. The test should assume that perimeter controls have been compromised, for example that a legitimate internal user’s credentials have been stolen and re-used. The test should assess a threat actor’s ability to reach assets and information, including opportunities to elevate privileges to gain access. The results of the tests can inform improvements to IT systems and infrastructure, for example improved subnet segregation and role access privileges and controls. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.

Answer yes if you have processes in place which facilitate effective triage of vulnerabilities and input necessary remediations into the appropriate workflows, for example, development, IT change management or ad-hoc improvement programmes. This should cover all vulnerabilities identified through scanning, penetration tests, or other inputs such as external alert feeds or internal employee reporting. It should also include communication of vulnerabilities to key stakeholders (including relevant clients) where temporary compensating controls may be required. Please give details of your process(es) in the notes section.

Answer yes if your organisation has implemented any network or cloud monitoring solutions (either in house or via a third party service provider). Please describe which solutions you have in place and the coverage they have over your network(s) or cloud environment(s).

Answer yes if your organisation has processes in place to frequently review and act upon events and alerts from security logs and monitoring tools. Please describe your processes for different types of security logs and events in the notes section.

Answer yes if your organisation has controls in place to monitor the capacity of its IT production systems to make sure that they can cope with the load. Please describe the controls in the notes section.

Answer yes if your organisation records and stores user activity logs for its IT production systems, network devices and endpoint devices.

Answer by stating how many months the logs are kept for.

Answer yes if your organisation records and stores administrator activity logs for its IT production systems and endpoint devices.

Please state how many months the logs are kept for.

Answer yes if your organisation stores all recorded logs on dedicated servers that are logically separate from your production systems, and hardened.

Answer yes if your organisation has a robust testing process implemented to appropriately test the deployment of business critical applications to their target managed environment (cloud or on-prem) to ensure there are no adverse impacts on operations or the security of your IT estate. Please describe the nature of the testing process in the notes or provide a supporting document (as a PDF file) as evidence.

Answer yes if your organisation uses any physical premises in order to provide your services, products or to run your operations. This could include, but is not limited to, office space, warehouses, or data centres. It includes data centres used to host cloud services provided by your organisation, even if you do not have direct control of those premises. It also includes office space used by your people, even if you are a cloud-first organisation.

Answer yes if your organisation has implemented a secure physical perimeter around all of its physical locations. Please provide a Physical Security Policy document (as a PDF file) as evidence or reference a section of a previously provided security policy in the notes.

Answer yes if your organisation uses CCTV cameras on all of its premises entry and exit points.

Please state the number of days that the CCTV footage is kept for. If different retention times are used depending on the CCTV system, please state the different retention times in the notes and enter the lowest retention time in the answer box.

Answer yes if your organisation uses an access control system to control the movement of people in and out of its physical premises, and if this system keeps a digital log of access.

Please state the number of months that the access logs are kept for. If different retention times are used depending on the access control system, please state the different retention times in the notes and enter the lowest retention time in the answer box.

Answer yes if all of your organisation's physical premises are secured with an alarm that once triggered, is investigated either by a private security team or the police.

Answer yes if all of your organisation's physical premises are staffed 24/7 by an onsite security team, reception team, or both. If security is present for some hours (not 24/7), please answer no and state in the notes section the times during which the premises are manned.

Answer yes if your organisation uses a physical or digital system to record the arrival of visitors, and the time at which they leave the premises.

Answer yes if your organisation requires all visitors to undergo an ID check on arrival to ensure that they are the person that they claim to be.

Answer yes if your organisation uses controls (such as Uninterruptible Power Supplies, UPS) to protect sensitive equipment from power failures.

Answer yes if your organisation disposes of all confidential paper waste in a secure manner (typically either by shredding or incineration), or if a third party is used to dispose of the waste securely.

Answer yes if your organisation has a documented Incident Response Plan that has been reviewed in the last year. Please provide the Incident Response Plan (as a PDF file) as evidence.

Answer yes if your organisation's Incident Response Plan contains a section for classifying information security events. Please reference the section of any previously provided plan in the notes.

Answer yes if your organisation's Incident Response Plan contains an assessment of impact to legal and regulatory compliance. Please reference the section of any previously provided plan in the notes.

Answer yes if your organisation's Incident Response Plan contains a section defining roles and responsibilities in an information security event. Please reference the section of any previously provided plan in the notes.

Answer yes if your organisation's Incident Response Plan contains a section for alternative communication methods. Please reference the section of any previously provided plan in the notes.

Answer yes if your organisation has a cyber incident response capability that it can call upon in the event of an incident. This can be an in-house capability or provided by a third party or cyber insurance provider.

Answer yes if your organisation has a documented process for reporting information security incidents, or suspected information security incidents (this is typically via an IT helpdesk). Please describe the process in the notes, or provide a process document (as a PDF file) as evidence.

Answer yes if your organisation has a documented process for reporting information security breaches to all affected clients within 72 hours of the breach being discovered. Please describe the process in the notes, or provide a process document (as a PDF file) as evidence.

Answer yes if your organisation completed a root cause analysis for all security incidents that are reported, and implements any lessons learnt after each analysis has been completed. Please provide a template root cause analysis document (as a PDF file) as evidence.

Answer yes if your organisation has a documented business continuity plan that has been reviewed and approved by senior management in the last year. Please provide the Business Continuity Plan (as a PDF file) as evidence.

Answer yes if your organisation has assessed the potential business-disruptive risks and used this assessment to inform your Business Continuity Plan. This process may involve conducting a Business Impact Analysis (BIA) for certain scenarios. Please provide the business continuity risk summary as evidence or reference a section of a previously provided document in the notes section.

Answer yes if your organisation's Business Continuity Plan includes the required steps to backup and restore the data used by your organisation for day to day operations and the data your clients may have transferred to you for processing, including the outcomes of that processing. This may include defining and agreeing the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for certain services.

Answer yes if your organisation's Business Continuity Plan includes the required steps to continue business operations from an alternate location if the normal business location is inaccessible.

Answer yes if your organisation's Business Continuity Plan includes information describing the maintenance of security controls in the event of a disaster.

Answer yes if your organisation runs rehearsal of its Business Continuity and Disaster Recovery plans at least annually involving all parties, including senior operational leaders. Please provide a report (as a PDF file) that details the last two tests to take place. In the notes section, please describe the nature of the exercises (e.g. desktop exercises, partial or whole practical/technical service restoration and recovery) and who was involved. Please also describe the outcome of the rehearsals, e.g. plans have been updated and re-issued with all material findings addressed.

Answer yes if your organisation has specified Recovery Time Objectives (RTO) and / or Recovery Point Objectives (RPO) for any of your services.

Please enter your Recovery Time Objective (RTO). If you have different RTOs for different services, please enter the longest RTO and provide details in the notes section.

Please enter your Recovery Point Objective (RPO). If you have different RPOs for different services, please enter the longest RPO and provide details in the notes section.

Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that covers all of the requirements of the relevant data protection regulations (e.g. GDPR, Australian Privacy Act, US State Law).

Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that contains appropriate security clauses including the right to audit and mandatory adherence to appropriate security policies.

Answer yes if your organisation assigns each supplier with a criticality rating that is based on a corresponding business impact assessment.

Answer yes if your organisation has documented the baseline level of security controls that it expects its suppliers of different criticalities to adhere to. The Risk Ledger platform can be used for this - get in touch!

Answer yes if your organisation checks that each supplier has the required level of security in controls in place before it enters into a contract with them. The Risk Ledger platform can be used for this - get in touch!

Answer yes if your organisation checks that suppliers are continually meeting their security requirements whilst you are in contract with them, through regular assurance process (e.g. quarterly, annually). Please give details of your current process. The Risk Ledger platform can make this easier for you - get in touch!

Answer yes if your organisation collects, processes or stores information that relates to an identified or identifiable individual. You need not answer yes if the only personal data you process is that of your own employees for HR requirements. Data collection also includes any identifiable information collected from web cookies.

Please list all countries where personal data controlled or processed by you resides or is transferred to or through. This includes the location of your head office and data centres, as well as locations of sub-processors. For each country listed, please describe what data is stored or transferred and under what circumstances.

Answer yes if you have processes in place to ensure that every cross-border transfer of personal data has the appropriate contractual / legal mechanisms in place, depending on your jurisdiction. For example, this could be an international data transfer agreement, or an adequacy decision. Please describe in the notes section which mechanism is used for which instances of data transfer.

Answer yes if your organisation has received a request from any government or other authority to provide access to personal data. Please provide information about the nature, volume and origin of requests, including how many you complied with in the notes section, or through supporting evidence (e.g. a link to your transparency report or a document upload).

Answer yes if your organisation has a nominated Data Protection Officer (DPO) who undertakes regular compliance checks and leads on continual privacy improvement. Please include in the notes section details about how your DPO monitors compliance with relevant data protection obligations.

Answer yes if your organisation has a Data Protection Policy that has been reviewed in the last year. Please upload your Data Protection Policy (as a PDF file) as evidence.

Answer yes if you document your personal data processing activities. This could be through data flow diagrams or written documentation and should include details of collection, purpose, storage, access, use, sharing, and retention. Please describe how you do this in the notes.

Answer yes if your organisation has documented the legal justification for processing personal data in each instance. The criteria for a valid lawful basis will depend on your jurisdiction.

Answer yes if your organisation conducts a Data Protection Impact Assessment (DPIA) for all processing of personal data that is likely to result in a high risk to individuals. To find out more about Data Protection Impact Assessments, see the Risk Ledger Knowledgebase.

Answer yes if your organisation has the correct processes in place to be able to provide the relevant individual data privacy rights to all of the data subjects for whom you hold data (e.g. the right to subject access, the right to erasure…).

Answer yes if your organisation has a Records Retention Policy that has been reviewed in the last year. Please provide your Records Retention Policy (as a PDF file) as evidence.

Answer yes if organisation has robust detection, investigation and reporting procedures in place for all personal data breaches. This should include assessing the likely risk to individuals as a result of the breach, informing affected individuals without undue delay, and documenting the facts surrounding personal data breaches in a Breach Log. Please provide details about your processes surrounding a personal data breach in the notes section, including uploading any relevant documentation (as a PDF file).

Answer yes if your organisation has a documented process for notifying the relevant Authority for your jurisdiction and all data controllers or other relevant parties when it becomes aware of a security breach involving Personal Data.

Answer yes if your organisation has had a security incident that led to a Personal Data breach in the last 6 months. If you answered yes, please describe the nature of the breach in the notes section and attach a root causes analysis report (as a PDF file) for each listed breach.

Answer yes if your organisation processes personal data on behalf of another organisation where they are the data controller and you are the data processor.

Answer yes if you have ways to ensure that new sub-processors are authorised by or communicated to the data controller before the new sub-processing takes place. Please attach evidence or describe how this is ensured in the notes.

Answer yes if you have processes or policies which ensure data is only processed in the way in which your data controller has requested, and you have written instructions from the controller describing this. Please describe in the notes how you obtain these instructions from data controllers and how you ensure data is not processed in any way outside of the documented written instructions.

Answer yes if Machine Learning or Generative AI models are used anywhere within your organisation. This includes the use of AI features or capabilities embedded in your supplier’s services or any SaaS tools your people use (e.g. Google Gemini or Microsoft’s Copilot). Unless it has been specifically prohibited and the restriction technically enforced, it is likely that AI is being used somewhere within your organisation and you should answer yes to this question.

Answer yes if your organisation has conducted and documented a regulatory compliance and security risk assessment for each AI-supported service that is used, including both internally developed and supplier-provided services. Examples of risk assessment considerations include: how a Large Language Model (LLM) service operates and is secured compared with the requirements of EU AI Act or the OWASP Top 10 for LLM, an evaluation of output accuracy or bias countermeasures, abuse prevention measures, and risk of Intellectual Property or Copyright infringement claims resulting from public use of AI-generated output.

Answer yes if any of the AI-supported services used by your organisation use your organisational data and information to train the AI models. Where information is used for AI training, please describe any controls you have in place to mitigate risks related to your confidential or sensitive data being stored and re-used.

Answer yes if you have ensured, as far as you are able, that your people (employees, managed contract resources or anyone else acting on behalf of your organisation) have reviewed and evaluated the AI model output before use. These processes should help mitigate the risks arising from inaccuracies or ‘hallucinations’ (plausible created statements) within AI outputs which, if applied without human review, can impact integrity and mislead decision-making.

Answer yes if Machine Learning or Generative AI models are used anywhere within the services provided to your clients or anywhere that might touch client data. This includes the use of AI features or capabilities embedded in your supplier’s services or any SaaS tools your people may use (e.g. Google Gemini or Microsoft’s Copilot), if they are used with client data to provide client services. If AI is used within some, but not all of the services you provide, you should answer yes. Please describe in the notes section which of your services use AI and a brief description of where and how AI is used in each service.

Answer yes if your organisation has conducted and documented a regulatory compliance and security risk assessment for each AI-supported service you provide. Examples of what should be considered in each risk assessment include: how the LLM service operates and is secured compared with the requirements of EU AI Act or the OWASP Top 10 for LLM, an evaluation of output accuracy or bias countermeasures, abuse prevention measures, and risk of Intellectual Property or Copyright infringement claims resulting from public use of AI-generated output.

Answer yes if you have ensured, as far as you are able, that the users of your service have reviewed and evaluated the AI model output before use. The measures you have put in place should help mitigate the risks arising from inaccuracies or ‘hallucinations’ (plausible created statements) within AI outputs which, if applied without human review, can impact integrity and mislead decision-making. Depending on the service, this could include tagging output as 'AI generated' or providing workflows to enable the review.

Answer yes if client data processed by the AI model is discarded at completion of each defined processing purpose (for example, text input discarded after the processing of each specific Large Language Model prompt).

Answer yes if you have controls in place to ensure that sensitive data is not processed by AI. This could include any data that has been defined by your customers as confidential, for example intellectual property or commercially sensitive information, in addition to personal information. These controls may include identifying and pre-treating data before AI processing or other controls to prevent the input of certain information. Please describe how this is achieved in the notes section.

Answer yes if any client data is used to train your AI model, or external AI models used to provide supplier services. Please describe which client data may be used to train AI models and how this is communicated to those clients.

Answer yes if your organisation has a formal change management process that includes a step to assess any security or legal compliance risks that the change may impact, requires a rollback plan, and includes processes for notifying relevant clients of the changes and any consequential processing differences. Change management can apply if either the AI model is updated, or the data applied to the model is changed (e.g. the model is applied to support new services processing different client data).

Answer yes if your organisation evaluates the effects of changes of the underlying AI Model, whether that model is created and maintained by you or is adopted and applied from an external source (e.g. Amazon Bedrock AI as a Service). Change impacts can include changes in output accuracy or bias and the potential need to reprocess historic data for analysis consistency. Please describe how you evaluate the effects of these changes or upload supporting documentation (as a PDF file).

Answer yes if your organisation has obtained any certifications or any external audit reports which cover any environmental, social or governance issues. Please state the certification or report in the notes and please upload a PDF of the relevant certification or report as evidence.

Answer yes if your organisation has a documented environmental management policy that looks to minimise your organisation's impact on the environment. The policy must have undergone senior management review and approval within the last year. Please upload the policy (as a PDF file) as evidence.

Answer yes if your organisation publicly shares information and metrics about your environmental and social impact. Please upload a copy of the latest report as evidence or provide a link to it.

Answer yes if your organisation conducts any activities that could be perceived to be hazardous to the environment. This could include but is not limited to mining, construction, demolition, manufacturing, chemical processing, or fossil fuels. Please describe your business activities in the notes.

Answer yes if your organisation has been subject to any adverse media coverage or legal action relating to environmental concerns or if your organisation has received any penalties or sanctions for environmental reasons. Please include details in the notes.

Answer yes if your organisation measures your scope 1, scope 2, or scope 3 emissions as defined by Greenhouse Gas (GHG) Protocol. If you only measure your scope 1 or 2 emissions, please still answer yes and provide the relevant information in the following questions.

Please enter the most recent measurement for your scope 1 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 1 emissions, please enter zero as your numerical answer and state this clearly in the notes section.

Please enter the most recent measurement for your scope 2 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 2 emissions, please enter zero as your numerical answer and state this clearly in the notes section.

Please enter the most recent measurement for your scope 3 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 3 emissions, please enter zero as your numerical answer and state this clearly in the notes section.

Answer yes if your organisation is proactively working towards achieving net zero carbon emissions.

Please state the year in which you expect your organisation to achieve net zero carbon emissions.

Answer yes if your organisation has a documented Health & Safety policy. Please upload the policy (as a PDF file) as evidence.

Answer yes if your organisation has an appointed resource that is responsible for the design and delivery of your company's health and safety programme. This is typically a health and safety officer. In the notes, please outline the job role and whether or not this is a dedicated full time position.

Answer yes if your organisation has implemented a framework for managing health and safety compliance across your company. The framework must include health and safety awareness initiatives (such as posters), a risk assessment programme, a defined and auditable reporting process, and relevant and valid insurance policies (in the UK this is covered by your employers liability insurance). Please describe how you manage Health & Safety in the notes.

Answer yes if you commit to the standards set out in a publicly recognised code of ethics such as the Ethical Trading Initiative (ETI) Base Code or if your organisation has developed and abides by its own code of ethics covering labour practises. Please give more details in the notes section.

Answer yes if your organisation is fully compliant with all applicable human rights laws and regulations. This may include, but is not limited to, the International Bill of Human Rights, the UK Modern Slavery Act 2015, and the EU working time directive. Please note that these laws and regulations may require further actions from your organisation to ensure compliance. Please describe how you comply in the notes section and upload evidence of relevant policies, processes or compliance documents.

Answer yes if your organisation has policies and accompanying procedures in place to prevent modern slavery in your own organisation and within your supply chains. Relevant policies may include: Supplier code of conduct, Migrant worker policy, Child labour policy, Human rights policy, Recruitment policy, Procurement policy, Employee code of conduct, Policies concerning access to remedy, compensation and justice for victims of modern slavery, Policies that relate to staff training and increasing awareness of modern slavery, Policies that relate to worker wages, welfare and living standards. Please include in the notes details of your policies and procedures and upload the relevant documents (as PDF files) as evidence.

Answer yes if there have been any suspected or confirmed cases of modern slavery within your organisation or within your supply chain in the past 12 months. Please include in the notes details about how the incidences were identified, investigated and what action was taken.

Answer yes if your organisation has a mechanism in place (backed up by a written policy document with a defined process) that allows employees and contractors to address grievances relating to their employment. Please upload the policy document (as a PDF file) as evidence.

Answer yes if your organisation has a documented diversity and inclusion policy that outlines the organisation's commitment to providing an inclusive and supportive environment for staff, contractors and visitors that is free from discrimination.

Answer yes if your organisation has a defined and documented procedure that enables employees and contract staff to report any incidents or perceived issues confidentially. This is typically provided through a confidential phoneline or email address. Please outline the process in the notes section provided, or upload a policy or process document (as a PDF file) as evidence.

Answer yes if your organisation clearly informs all employees and contract staff how to access and utilise the whistleblowing procedure.

Answer yes if your organisation conducts regular (e.g. quarterly, annually) supplier assurance to ensure your suppliers meet the same standards of environmental management, social responsibility, and governance that is expected of your organisation, and that they are compliant with all applicable laws and regulations. Describe the nature and frequency of the assurance activities in the notes.