By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
DenyAccept
Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Domain
A
Security Governance
This domain covers how your security governance is designed, implemented, and maintained.
Security Risks
Domain
B
Security Certifications
This domain covers how your organisation maintains compliance with key security certifications.
Security Risks
Domain
C
HR Security
This domain covers the security controls you have implemented to mitigate security risk from your employees.
Security Risks
Domain
D
IT Operations
This domain covers the security controls you have implemented to maintain the health of your IT systems and processes.
Security Risks
Domain
E
Software Development
This domain covers the security controls you have implemented during the development of your IT applications.
Security Risks
Domain
F
Network and Cloud Security
This domain covers the security controls you have implemented to maintain the security and integrity of your corporate network and any cloud infrastructure.
Security Risks
Domain
G
Physical Security
This domain covers the physical security controls you have implemented to protect your organisation's physical premises.
Security Risks
Domain
H
Business Resilience
This domain covers the processes and plans you have in place to ensure a quick recovery if a failure occurs.
Security Risks
Domain
I
Supply Chain Management
This domain covers the processes and controls you have in place to ensure the security risk from your supply chain is mitigated.
Security Risks
Domain
J
Data Protection
This domain covers compliance with data protection legislation.
Security Risks
Domain
K
Artificial Intelligence
This domain covers use of Artificial Intelligence (AI) in your organisation and what you have done to prevent, identify, and respond to evidence of risk.
Security Risks
Domain
XA
Financial Risk
Financial Controls to prevent, identify, and respond to evidence of financial crime are also included in Risk Ledger's Supplier Assessment Framework. This includes checks for compliance with relevant Anti-Money Laundering (AML) regulations, applicable Anti-Bribery and Corruption (AB&C) legislation, fraud prevention and sanctions.
Financial Risk
Domain
XB
Environmental, Social and Governance
This add-on domain covers how your organisation manages and governs its environmental and social impact.
Environmental, Social and Governance
Domain
XC
UK Government Data and Personnel Security
This add-on domain is specific to suppliers working with the UK government. Please reach out to support@riskledger.com if you need help with this domain.
UK Government Data and Personnel Security
Domain A Question
1
01) Does your organisation conduct an annual independent information security review and act upon the findings?
Answer yes if your organisation engages a third party to conduct an annual information security review, the findings are assessed by your organisation and acted upon if necessary. If yes, add the date of your last review to the notes.
Domain A Question
2
02) Does your organisation have an appointed person responsible for information security, such as a CISO?
Answer yes if your organisation has an appointed role that is responsible for managing and implementing security controls throughout your business. Confirm the role and its responsibilities in the notes or upload a job role description as evidence.
Domain A Question
3
03) Does your organisation have a documented Cybersecurity Policy or Information Security Policy?
Answer yes if your organisation has a documented Cyber Security Policy or Information Security Policy that has been reviewed in the last year. Upload the Information Security Policy as evidence.
Domain A Question
4
04) Does your organisation have a formal policy on the use of mobile devices?
Answer yes if your organisation has a documented Mobile Device Policy that has been reviewed in the last year. Upload the Mobile Device Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
5
05) Does your organisation have a formal policy for remote working that includes security?
Answer yes if your organisation has a documented Remote Working Policy that has been reviewed in the last year. Provide the Remote Working Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
6
06) Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information?
Answer yes if your organisation has a documented Acceptable Use Policy that has been reviewed in the last year. Upload the Acceptable Use Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
7
07) Does your organisation have a documented Information Classification Policy?
Answer yes if your organisation has a documented Information Classification Policy that has been reviewed in the last year and that outlines the data handling procedures in operation within your organisation. Upload the Information Classification Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
8
08) Does your organisation have a documented Access Control Policy?
Answer yes if your organisation has a documented Access Control Policy that has been reviewed in the last year. Upload the Access Control Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
9
09) Does your organisation have a policy governing the use of cloud services?
Answer yes if your organisation has a documented policy on the use of cloud services, and if it has been reviewed in the last year. The policy should include information security requirements for the acquisition, use, management, and exit from cloud services. Upload the Cloud Services Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
10
10) Does your organisation have a Password Policy that is technically enforced throughout its IT estate?
Answer yes if your organisation has a documented Password Policy which is enforced technically throughout the IT estate. Upload the Password Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes. Also include information about any controls you have to prevent brute-force attacks on passwords, such as account lockout thresholds or time-delays between password attempts.
Domain A Question
11
11) Does your organisation have a documented Backup Policy?
Answer yes if your organisation has a documented Backup Policy that has been reviewed in the last year. Upload the Backup Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
12
12) Does your organisation enforce a Clear Desk and Screen Policy?
Answer yes if your organisation has implemented and enforces a Clear Desk and Screen Policy. Upload the Clear Desk and Screen Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
13
13) Does your organisation prevent the use of removable media, and is this enforced technically?
Answer yes if your organisation blocks the use of removable media on your network and if this is enforced through the use of a technical control.
Domain A Question
14
14) If the use of removable media is not prohibited and enforced technically, is its use subject to other compensatory controls?
Answer yes if your organisation subjects the use of removable media to compensatory controls (these can include DLP solutions, encrypted USB drives, training and awareness etc.). If yes, state the nature of these controls within the notes.
Domain A Question
15
15) Are your organisation's information security policies accessible to all employees?
Answer yes if all of your employee's have continuous access to your organisation's up-to-date policies (for example, through an intranet, cloud service, or networked drive).
Domain A Question
16
16) Are your organisation's information security policies reviewed and approved by senior management at least annually?
Answer yes if all of your organisation's security policies are reviewed and approved by senior management.
Domain A Question
17
17) Has your organisation documented senior management roles and responsibilities for security within your organisation?
Answer yes if your organisation has clearly defined and documented the security roles and responsibilities of senior management. Upload the documented roles as evidence.
Domain A Question
18
18) Does your organisation include information security during the planning and delivery of projects?
Answer yes if you include information security in your planning and delivery of projects (for example, by conducting a security risk assessment of each project and implementing project controls).
Domain A Question
19
19) Does your organisation restrict employee access to business information based upon the principle of least privilege?
Answer yes if you only give each employee access to the business information that they require to complete their job role (this is known as the principle of least privilege).
Domain A Question
20
20) Does your organisation have an internal audit function that ensures information security requirements are being met by the business?
Answer yes if you have an internal team who audit your security function against your policies to ensure compliance. Provide information on the frequency of the audits in the notes.
Domain A Question
21
21) Does your organisation conduct security risk assessments for your full IT estate at least annually?
Answer yes if your organisation conducts regular (at least annual) security risk assessments against the whole IT estate and takes appropriate action. Following a risk assessment, identified risks should be tracked, with assigned owners and risk treatment plans.
Domain A Question
22
22) Does your organisation have a formal confidentiality or non disclosure agreement in place for all staff, contractors and third parties?
Answer yes if you require everyone who has access to confidential information to sign a confidentiality agreement or NDA. Upload a template NDA or confidentiality agreement as evidence.
Domain A Question
23
23) Does your organisation segregate duties to prevent unauthorised disclosure or access to information?
Answer yes if your organisation has identified and segregated relevant duties to help reduce errors and to prevent fraud. Give an example of such segregation in the notes.
Domain A Question
24
24) Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?
Answer yes if your organisation has identified and segregated relevant duties to help reduce errors and to prevent fraud. Give an example of such segregation in the notes.
Domain A Question
25
25) Does your organisation use threat intelligence to inform decisions about information security?
Answer yes if your organisation uses threat intelligence to make smarter decisions relating to information security strategy, policy, processes or operations. This could be collected, analysed and produced internally, or gathered from external sources such as information services or special interest groups. In the notes section, describe how you collect, analyse and use threat intelligence within your organisation, or upload a document as supporting evidence.
Domain B Question
0
00) Does your organisation hold any certifications in information security?
Answer yes if your organisation has been certified to an information security standard (such as PCI DSS, Cyber Essentials or ISO27001) or has completed an information security audit such as a SOC2.
Domain B Question
1
01) Is your organisation Cyber Essentials certified?
Answer yes if your organisation is certified to the first level Cyber Essentials scheme. Upload your Cyber Essentials certificate as evidence.
Domain B Question
2
02) Is your organisation Cyber Essentials Plus certified?
Answer yes if your organisation has been certified to the Cyber Essentials Plus scheme by a relevant certification body. Upload your Cyber Essentials Plus certificate as evidence.
Domain B Question
3
03) Is your organisation ISO27001 certified?
Answer yes if your organisation has a current, valid ISO 27001 certification. Upload your ISO 27001 certificate and Statement of Scope as evidence and copy the certificate scope statement into the notes section. If appropriate, also upload your Statement of Applicability. State your accreditation body in the notes section.
Domain B Question
4
04) Is your organisation aligned with the NIST Cybersecurity Framework?
Answer yes if your organisation is aligned with the NIST Cybersecurity Framework.
Domain B Question
5
05) Does your organisation store, process, transmit or otherwise have the ability to impact the security of cardholder data (CHD) or sensitive authentication data (SAD)?
Answer yes if your organisation performs any activities or may otherwise impact the security of cardholder data or related sensitive authentication data related to payment processing. Cardholder data includes data such as the Primary Account Number, Cardholder Name, Expiration Date, and Service Code. Sensitive authentication data includes data such as full track data, card verification code, PINs, etc.
Domain B Question
6
06) Has your organisation performed validation of compliance to the Payment Card Industry Data Security Standard (PCI DSS) v4 or above for your services or environments that impact cardholder data or sensitive authentication data?
Answer yes if your organisation’s relevant services or environments have been validated through either: (1) a Self Assessment Questionnaire (SAQ), or (2) a Report on Compliance (RoC) if performed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). Upload the Attestation of Compliance (AOC) and the Shared Responsibility Matrix.
Domain B Question
7
7) Does your organisation have a defined process for managing and monitoring Third-Party Service Providers (TPSP) that provide services impacting your PCI DSS compliance?
Answer yes if you have a defined process for monitoring the PCI DSS compliance status of any relevant TPSPs. For applicable TPSPs, provide their AoC.
Domain B Question
8
8) Does your organisation have any other certifications or audit reports that cover information security (such as a SOC 2 report)?
Domain C Question
1
01) Does your organisation perform background checks on staff and contractors?
Answer yes if background checks are conducted against staff before they join your organisation. In the notes section, describe the types of checks (e.g. employer reference, criminal records, BPSS, CTC, SC, DV) conducted for which roles or upload a supporting document as evidence.
Domain C Question
2
02) Do employment contracts include consenting to all information security responsibilities in line with organisational policies and procedures?
Answer yes if your organisation's employment contracts include a clause in which the employee must consent to abiding by all of your organisation's security policies. Upload a template contract as evidence or copy the clause into the notes section.
Domain C Question
3
03) Do employees and contractors receive an information security and data protection training programme?
Answer yes if your organisation runs an information security and data protection training programme for all of your employees and third-party contractors. Describe the nature and frequency of the training programme in the notes section, including any additional training provided to staff with greater responsibility, more privileged system access or access to confidential data.
Domain C Question
4
04) Is there a formal disciplinary process for employees who have breached company policy (including any breaches of company security policy)?
Answer yes if your organisation has a formal disciplinary process that is followed if an employee is found to have intentionally breached company policy. Upload a document outlining the process as evidence (this may be covered by your organisation's Disciplinary Policy).
Domain C Question
5
05) Does your organisation have arrangements in place to provide an alternate resource when a member of staff is not available for an extended period of time?
Answer yes if your organisation has a process in place to source additional staff if one of your organisation's employees is not available for an extended period of time. Describe the process in the notes section.
Domain D Question
1
01) Does your organisation keep an up-to-date inventory of all IT assets with assigned owners?
Answer yes if your organisation keeps an up-to-date inventory of all hardware and software assets within your IT estate, including cloud services. The inventory must list an owner against each asset. It should also list other details about the assets such as version numbers, business usage & location. Include details in the notes.
Domain D Question
2
02) Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners?
Answer yes if your organisation keeps an up-to-date inventory of all data repositories within your IT estate, including any hosted within cloud services. The inventory must list an owner against each asset.
Domain D Question
3
03) Does your organisation have a formal process to ensure that employees, contractors and third party users return all IT assets when they leave the organisation?
Answer yes if your organisation has a formal process that ensures employees, contractors and third party users return all IT assets when they leave the organisation (this usually takes the form of a checklist).
Domain D Question
4
04) Does your organisation have a process for editing or removing employee access to systems and information (whether digital or physical) when they are changing role or leaving the organisation?
Answer yes if your organisation has a formal process that ensures all access to your organisation's systems & information (this includes, but is not limited to corporate endpoints, networks, offices and third party services) is removed when employees, contractors and third party users leave the organisation and is updated when they change roles. Describe these processes within the notes and/or upload any relevant evidence.
Domain D Question
5
05) Does your organisation have a documented process for provisioning user accounts for all of your IT services that includes appropriate authorisation and secure account creation with unique user IDs?
Answer yes if your organisation requires all users to have a secure and unique logon to access corporate endpoints, networks, and third party services, and if these logons are provisioned securely and with line manager authorisation. Describe the provisioning process in the notes or upload a supporting document as evidence. If any generic or shared accounts are used, specify what these are used for and any processes you have in place to minimise their usage.
Domain D Question
6
06) Does your organisation enforce multi-factor authentication on all remotely accessible services?
Answer yes if your organisation enforces multi-factor authentication on all remotely accessible services that are used internally or provided externally (e.g. to customers or the public). This includes internal IT services, third-party apps or systems provided externally (e.g. client portals, apps, public services). In the notes section, describe where MFA is enforced, where it is available but not enforced, and where it is not available. You can add different answers for different products.
Domain D Question
7
07) Are privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned?
Answer yes if your organisation requires privileged user accounts and accounts for sensitive services (such as network administrators) to receive a higher level of authorisation before they are provisioned. Describe the provisioning process in the notes or upload a supporting document as evidence.
Domain D Question
8
08) Does your organisation regularly audit employee access rights for all IT services (whether internal or third party based)?
Answer yes if your organisation conducts regular user access audits to make sure that all users have the correct and up-to-date access to business information. This should include audit of any shared or generic accounts. Describe the audit process in the notes section or upload a supporting document as evidence.
Domain D Question
9
09) How many access audits does your organisation conduct each year, for regular employee accounts?
State the number of times access audits are completed for users each year.
Domain D Question
10
10) How many access audits does your organisation conduct each year, for privileged employee accounts?
State the number of times access audits are completed for users each year.
Domain D Question
11
11) Does your organisation use Privileged Access Management controls to securely manage the use of privileged accounts for system administration?
Answer yes if your organisation has systems and/or processes in place to help ensure privileged accounts are only used for the intended purposes, in a secure way. This could include the use of administration proxies (jump boxes or bastion hosts), Privileged Access Workstations (PAWs), temporary credentials, additional approval processes, or ensuring privileged accounts are not used for normal business activities, such as email or web-browsing. Describe your PAM controls in the notes section or upload a supporting document as evidence.
Domain D Question
12
12) Do all of your organisations systems automatically lock after a short period of inactivity (requiring re-authentication)?
Answer yes if your organisation's systems automatically lock after a period of inactivity and require the user to re-authenticate.
Domain D Question
13
13) For how many minutes does a user have to be inactive before the system is locked?
State how long a user must be inactive for (in minutes) before the systems lock. If times vary between systems, state the highest value and describe the others in the notes.
Domain D Question
14
14) Does your organisation use/provision a password manager to ensure passwords are of the required complexity and only used once?
Answer yes if your organisation provides staff with a password management solution to help facilitate password complexity and uniqueness.
Domain D Question
15
15) Has your organisation removed local administrator rights on all end point devices for all employees that do not require it?
Answer yes if your organisation provides users who do not require local administrator privileges with user accounts (without administrator rights) on their endpoint systems.
Domain D Question
16
16) Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems including servers, endpoints, network devices and systems hosted in a cloud environment?
Answer yes if your organisation has a configuration process that is followed for all IT assets. The process should define security settings and disable unneeded services, thereby reducing your attack surface. Describe how your secure configuration process is performed, including both automated and manual checks. Upload any relevant documentation as evidence.
Domain D Question
17
17) Do all systems (such as network devices) have their default credentials changed on installation or provision?
Answer yes if all of your organisation's IT systems (network devices and user accounts for services) have their default credentials changed on installation or provision.
Domain D Question
18
18) Does your organisation have a formal change management process that gives consideration to information security?
Answer yes if your organisation has a formal change management process that includes a step to assess any security risks that the change may impact, and that requires a rollback plan. Describe the process in the notes section or upload a supporting document as evidence.
Domain D Question
19
19) Does your organisation use anti-malware controls to protect all of its endpoints and internal IT infrastructure?
Answer yes if your organisation has deployed anti-malware solutions on all user endpoints and IT systems, and if these solutions receive regular signature updates and are configured to scan files regularly (at least daily). Provide details of your malware protection solutions in the notes.
Domain D Question
20
20) Does your organisation have procedures in place to control the installation of software on IT production systems (such as servers)?
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on production systems (for example, through the use of app whitelisting on servers). Describe the nature of the controls in the notes.
Domain D Question
21
21) Does your organisation have procedures in place to control the installation of software on user endpoint systems?
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on user endpoint systems, including desktop PCs, laptops & mobile devices. This could be done through the use of app whitelisting, restricting user installation rights, device management software etc. Describe the nature of the controls in the notes.
Domain D Question
22
22) Does your organisation enforce full-disk encryption on all organisation-provisioned endpoint devices?
Answer yes if your organisation enforces full-disk encryption on all endpoint devices it provisions. In the notes, include details of the encryption algorithm(s) used and how this is enforced.
Domain D Question
23
23) Can your organisation perform a remote wipe on all organisation-provisioned endpoint devices?
Answer yes if your organisation has a process and technical solution that allows for any endpoint device provisioned or owned by your organisation to be remotely wiped.
Domain D Question
24
24) Does your organisation allow staff to access company data or services from employee-owned devices?
Answer yes if your organisation allows employees or contractors to have apps or services that access company data on their personally-owned devices (e.g. mobile phones, tablets, laptops), commonly known as a Bring Your Own Device (BYOD) policy.
Domain D Question
25
25) Does your organisation enforce equivalent technical security controls on BYOD endpoint devices before allowing access to company data or services?
Answer yes if your organisation enforces security controls on BYOD endpoint devices to an equivalent standard of the security controls on organisation-issued devices, before access to company data or services is granted. For example, this could be done through the use of containerised MDM or UEM software. In the notes, describe the nature of the controls, the method of enforcement and any related processes. If there is a difference in the level of control between organisation-issued devices and BYOD, describe that in the notes section, including any compensating controls.
Domain D Question
26
26) Can your organisation perform a remote wipe of organisation data on all BYOD endpoint devices?
Answer yes if your organisation has a process and technical solution that allows organisation data to be remotely wiped from any employee-owned device.
Domain D Question
27
27) Does your organisation encrypt client data on its IT systems using appropriate cryptographic standards?
Answer yes if your organisation encrypts client data on its IT systems. State the encryption algorithm used in the notes.
Domain D Question
28
28) Does your organisation ensure that all IT systems are regularly patched with security patches in line with vendor recommendations, including end point devices, servers, network devices, and applications?
Answer yes if your organisation runs a patch management process to ensure that all IT systems (end points, servers, network devices, and applications) are updated with security patches in line with the manufacturer's guidance. Describe your patch management processes in the notes including how you ensure all systems are in scope, or upload supporting documents.
Domain D Question
29
29) Does your organisation use any applications, operating systems or hardware that are no longer supported by the vendor and no longer receive security updates?
Answer yes if your organisation uses any IT systems that include applications, operating systems or hardware (including servers, network equipment or user devices) for which the vendors do not provide regular security updates. In the notes, describe how you discover and manage these systems, including any compensatory controls you have in place to protect them and any plans for decommissioning or replacement.
Domain D Question
30
30) Does your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained?
Answer yes if your organisation has a process to securely destroy all media that may hold business information. If a third party is used, only answer yes if your organisation receives certificates of destruction. Describe the process in the notes section or upload a supporting document as evidence.
Domain D Question
31
31) Does your organisation take regular immutable backups of its digital production data in line with current best practise guidelines?
Answer yes if your organisation takes regular backups of its production data that cannot be altered, deleted or tampered with for a specified time period. Backups must be taken in line with best practice guidelines, for example by following the '3-2-1' rule and segregating the backups from your main environment. Describe your backup processes including segregation, frequency, and any other controls in place.
Domain D Question
32
32) Does your organisation encrypt the backups using appropriate cryptographic standards to prevent unauthorised access to the backup data?
Answer yes if your organisation encrypts the backups using appropriate cryptographic standards to prevent unauthorised access to the data. State the encryption algorithm used in the notes section.
Domain D Question
33
33) Does your organisation regularly test backups to ensure their effectiveness?
Answer yes if your organisation regularly tests its backup data to ensure that the backups are effective and can be used when required. State the frequency of the tests in the notes section.
Domain D Question
34
34) Does your organisation use opportunistic TLS on all email services and are you able to apply enforced TLS to specific domains on request?
Answer yes if your organisation uses opportunistic TLS by default and has the capability to configure enforced TLS on email services to specific domains if requested.
Domain D Question
35
35) Has your organisation implemented SPF, DMARC, and DKIM for all of its email services?
Answer yes if your organisation has implemented effective SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records within its DNS services. State the type of DMARC policy set.
Domain D Question
36
36) Does your organisation prevent unauthorised transfer of data via email, web browsers, or other data transfer mechanisms?
Answer yes if your organisation has any form of Data Loss Prevention (DLP) controls in place to ensure only authorised data is transferred outside of your organisation. Describe the controls you have in place and how these are managed.
Domain D Question
37
37) Does your organisation prevent unauthorised transfer of data via email, web browsers, or other data transfer mechanisms?
Answer yes if your organisation has any form of Data Loss Prevention (DLP) controls in place to ensure only authorised data is transferred outside of your organisation. In the notes, please describe the controls you have in place and how these are managed.
Domain E Question
0
00) Does your organisation develop any applications or systems?
Answer yes if your organisation designs, develops, or maintains any app, website, or systems, both internal or external.
Domain E Question
1
01) Does your organisation control access to program source code in a secure manner?
Answer yes if your organisation controls access to its app source code. This is typically done by using a code repository with robust access controls implemented, including maintaining an audit log of all access.
Domain E Question
2
02) Does your organisation have a documented and approved software development life-cycle (SDLC) process that includes security input?
Answer yes if your organisation has implemented a secure SDLC (Software Development Lifecycle) that includes a security risk assessment. Describe your SDLC process in the notes, highlighting any security input, or upload a supporting document as evidence.
Domain E Question
3
03) Does your organisation develop apps and systems using security best practice (for example, by following the OWASP secure coding practices)?
Answer yes if your organisation's developers are instructed to build apps and systems using defined security best practice (for example, as defined by OWASP, The Open Web Application Security Project). Describe in the notes the best practice guidance followed and if your developers receive any additional security training.
Domain E Question
4
04) Does your organisation validate all data inputs and outputs to and from its apps?
Answer yes if your organisation ensures that all of its apps have data validation implemented on their data inputs and outputs.
Domain E Question
5
05) Does your organisation conduct threat modelling throughout the SDLC, incorporating an up to date understanding of threats, for each app or system build?
Answer yes if your organisation conducts threat modelling when designing each app or system. Describe in the notes how threat modelling is integrated throughout your SDLC or upload a supporting document (for example, a template threat modelling report) as evidence.
Domain E Question
6
06) Do all of your organisation's apps and systems use industry best practice for authentication, including storing all user passwords as appropriate hashes?
Answer yes if your organisation ensures that all of its apps and systems (that are developed/built in-house) use industry best practice for authentication, and that all passwords are stored as hashes using secure hashing algorithms rather than as plain text. In the notes section, where relevant, state the name of the authentication provider used.
Domain E Question
7
07) Does your organisation conduct appropriate security testing as part of your development lifecycle?
Answer yes if your organisation performs security testing of all apps & systems during the build process. Describe the security testing performed which could include, but is not limited to Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Infrastructure security testing.
Domain E Question
8
08) Does your organisation segregate development environments from any testing or production environments?
Answer yes if your organisation uses segregated environments for the development of apps, the testing of apps, and the hosting of production systems that handle live data. Describe in the notes the nature of the segregation (logical/physical).
Domain E Question
9
09) Does your organisation use dummy test data when undergoing testing of systems (and not live production data)?
Answer yes if your organisation has made it policy to only use test data (rather than live production data) that contains no personal data when testing its IT systems. If not, describe the reason why and whether or not you have any other mitigating controls in place.
Domain E Question
10
10) Does your organisation ensure that all apps that it builds or procures are maintained with regular security patches?
Answer yes if your organisation produces or receives regular security updates for any apps it develops and hosts, and that it ensures all apps procured from vendors are also supported with regular security patches.
Domain E Question
11
11) Does your organisation conduct regular penetration tests of any apps or systems that it develops?
Answer yes if your organisation conducts regular penetration tests of any apps or systems that it develops and remediates the findings. Describe how often penetration tests take place.
Domain E Question
12
12) Does your organisation ensure that appropriate logging and monitoring is in place for all apps or systems it develops?
Answer yes if your organisation ensures that any apps or systems developed have appropriate logging mechanisms implemented (for example, as defined by OWASP, the Open Web Application Security Project).
Domain E Question
13
13) Is your organisation able to demonstrate the composition and provenance of software it develops (including third-party and open-source components)?
Answer yes if your organisation can demonstrate the composition and provenance of the software it develops, including any third-party or open-source components. Upload supporting evidence such as, but not limited to: a software inventory, dependency lists, or a software bill of materials (SBOM).
Domain E Question
14
14) Does your organisation continuously monitor all software components for vulnerabilities?
Answer yes if your organisation has processes or tools in place to regularly monitor software components for newly disclosed vulnerabilities throughout the software lifecycle. This includes identifying relevant vulnerabilities, understanding the potential impact to you, and assessing any necessary actions.
Domain F Question
0
00) Does your organisation maintain on-premise or cloud-hosted environments — or a hybrid of both — for internal use, or to deliver services to clients?
Answer Yes to this question if:Your organisation maintains (or is responsible for maintaining) a physical or cloud-hosted network that allows user devices to connect and communicate with any data storage or processing services;Your organisation maintains any physical or cloud-hosted application or service delivery infrastructure;Your organisation uses a public cloud to host applications or services where you are responsible for implementing security controls within that environment, guided by the host’s shared security responsibility model (e.g. AWS, GCP and Azure)
Domain F Question
1
01) Are all ingress and egress points for traffic through your network or cloud environment protected by firewalls?
Answer yes if your organisation has secured all of the ingress and egress points of its corporate network and IT environments (cloud-based or otherwise) with firewalls - whether as discrete appliances or as cloud-hosted network security service functions.
Domain F Question
2
02) Were the firewalls implemented using a deny all policy, with rules built around your organisation’s requirements?
Answer yes if the firewalls were implemented with a 'deny all' policy, and each rule was only added when a business requirement was identified, documented and approved by an authorised individual.
Domain F Question
3
03) Does your organisation review its firewall rules at least annually?
Answer yes if your organisation undertakes an annual firewall rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. State the date of the last review.
Domain F Question
4
04) Does your organisation have web application firewalls (WAFs) implemented to protect web applications?
Answer yes if all web applications hosted by your organisation are protected with WAFs (web application firewalls) - whether as discrete appliances or as cloud-hosted network security service functions. If your organisation does not host any web applications, answer 'No' and state this in the notes section.
Domain F Question
5
05) Were the WAFs implemented using a deny all policy, with rules built around your organisation’s requirements?
Answer yes if the WAFs were implemented with a 'deny all' policy, and if the WAF rules were only added when a business requirement was identified that required the rule to be created.
Domain F Question
6
06) Does your organisation review its WAF rules at least annually?
Answer yes if your organisation undertakes an annual WAF rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. State the date of the last review.
Domain F Question
7
07) Has your organisation implemented segmentation or segregation in your networks and/or cloud environments?
Answer yes if your organisation has appropriately segregated its network or cloud environments to restrict the level of access to sensitive information, hosts, and services. Examples include segregation of production systems from systems being commissioned or decommissioned and systems under test; segregation of systems with different security levels (e.g. those processing sensitive personal data or financial data are segregated from other business systems) and segregation or segmentation of services used by different subsidiary organisations.
Domain F Question
8
08) Does your organisation place all publicly accessible services in isolated network DMZs (or separate subnets)?
Answer yes if your organisation hosts all publicly accessible services within a DMZ (a DMZ or demilitarised zone is a public facing subnet that acts as a barrier between your organisation's internal environment and the internet or other public network).
Domain F Question
9
09) Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service) attacks?
Answer yes if your organisation has implemented controls to protect its services against DOS (Denial of Service) and DDOS (Distributed Denial of Service) attacks. Describe the nature of these controls in the notes section.
Domain F Question
10
10) Does your organisation secure and encrypt remote connections to its network or environment using an appropriate control/protocol (for example, by using VPNs or SSH connections)?
Answer yes if your organisation forces all remote connections to its network infrastructure or cloud environment to be secured with a suitable solution such as a VPN or SSH connection. Describe the nature of these controls in the notes section, both technical and procedural.
Domain F Question
11
11) Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS), and are all data transfers subject to review and authorisation?
Answer yes if all data transfers to and from your organisation are approved by relevant parties and secured with an appropriate level of authentication and encryption (such as HTTPS for web traffic including APIs and SFTP for file transfers). Describe the nature of these controls in the notes section, both technical and procedural.
Domain F Question
12
12) Does your organisation manage and control the use of, and access to, any cryptographic keys?
Answer yes if your organisation controls the use of, and access to, cryptographic keys. These keys are typically used to access IT infrastructure and services. Describe the process in the notes section, or upload a supporting document as evidence.
Domain F Question
13
13) Does your organisation enforce multi-factor authentication for all remote access to its network and cloud environments?
State the number of automated scans completed every year.
Domain F Question
14
14) Does your organisation keep a list of approved network connections (such as site to site VPNs) between your corporate network and third parties?
Answer yes if your organisation keeps a list of approved network connections between its own network and any third party networks.
Domain F Question
15
15) Is each of the approved network connections subject to a risk assessment?
Is each of the approved network connections subject to a risk assessment?
Domain F Question
16
16) Is each of the approved network connections subject to regular review?
Answer yes if your organisation undertakes a regular review of network connections (e.g. annually) in which it removes any redundant connections and makes sure that all of the connections are relevant to its business operations.
Domain F Question
17
17) Does your organisation conduct regular automated vulnerability scans of its public facing IT infrastructure and remediate any findings?
Answer yes if your organisation conducts regular external automated vulnerability scans of its public IP infrastructure and remediates the findings.
Domain F Question
18
18) How many external automated vulnerability scans does your organisation conduct each year?
Please state the number of automated scans completed every year.
Domain F Question
19
19) Does your organisation conduct regular automated vulnerability scans of its internal IT infrastructure and remediate any findings?
Answer yes if your organisation conducts regular automated vulnerability scans of its internal IP infrastructure and remediates the findings. This may include scanning assets in a private local network or using a cloud service provider’s tools to scan for vulnerabilities in your cloud infrastructure.
Domain F Question
20
20) How many internal automated vulnerability scans does your organisation conduct each year?
State the number of automated scans completed every year.
Domain F Question
21
21) Does your organisation conduct regular penetration tests of its public facing IT infrastructure?
Answer yes if your organisation conducts regular penetration tests of your public facing IT systems and infrastructure and that you remediate the findings. The test should include manual testing by a skilled person in the role of a threat actor with technical verification and validation of any findings. Describe in the notes how often these tests are completed. Upload your last pentest report summary (not the detailed findings) as evidence.
Domain F Question
22
22) Does your organisation conduct regular penetration tests of its internal systems where the test assumes perimeter controls have been compromised?
Answer yes if your organisation conducts regular penetration tests of your internal IT systems and infrastructure and that you remediate the findings. The test should include manual testing by a skilled person in the role of a threat actor with technical verification and validation of any findings. The test should assume that perimeter controls have been compromised, for example that a legitimate internal user’s credentials have been stolen and re-used. The test should assess a threat actor’s ability to reach assets and information, including opportunities to elevate privileges to gain access. The results of the tests can inform improvements to IT systems and infrastructure, for example improved subnet segregation and role access privileges and controls. Describe in the notes how often these tests are completed. Upload your last pentest report summary (not the detailed findings) as evidence.
Domain F Question
23
23) Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows?
Answer yes if you have processes in place which facilitate effective triage of vulnerabilities and input necessary remediations into the appropriate workflows, for example, development, IT change management or ad-hoc improvement programmes. This should cover all vulnerabilities identified through scanning, penetration tests, or other inputs such as external alert feeds or internal employee reporting. It should also include communication of vulnerabilities to key stakeholders (including relevant clients) where temporary compensating controls may be required. Describe your process(es) in the notes section.
Domain F Question
24
24) Has your organisation implemented any network or cloud monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems?
Answer yes if your organisation has implemented any network or cloud monitoring solutions (either in house or via a third party service provider). Describe which solutions you have in place and the coverage they have over your network(s) or cloud environment(s).
Domain F Question
25
25) Does your organisation have defined processes in place to ensure that all security alerts from logging and monitoring solutions are reviewed and actioned as necessary?
Answer yes if your organisation has processes in place to frequently review and act upon events and alerts from security logs and monitoring tools. Describe your processes for different types of security logs and events in the notes section.
Domain F Question
26
26) Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load?
Answer yes if your organisation has controls in place to monitor the capacity of its IT production systems to make sure that they can cope with the load. Describe the controls in the notes section.
Domain F Question
27
27) Does your organisation record and store user activity logs for all cloud environments, networks and associated services?
Answer yes if your organisation records and stores user activity logs for its IT production systems, network devices and endpoint devices.
Domain F Question
28
28) For how many months does your organisation store its user activity logs?
State how many months the logs are kept for.
Domain F Question
29
29) Does your organisation record and store the logs of root/super user/administrator actions for the network and associated services?
Answer yes if your organisation records and stores administrator activity logs for its IT production systems and endpoint devices.
Domain F Question
30
30) For how many months does your organisation store its root/super-user/administrator logs?
State how many months the logs are kept for.
Domain F Question
31
31) Are all logs stored on a secure/hardened server that is logically separate from the systems being logged?
Answer yes if your organisation stores all recorded logs on dedicated servers that are logically separate from your production systems, and hardened.
Domain F Question
32
32) Does your organisation have a process to test the deployment of business critical applications to their target managed environment (cloud or on-prem) to ensure there are no adverse impacts on operations or security?
Answer yes if your organisation has a robust testing process implemented to appropriately test the deployment of business critical applications to their target managed environment (cloud or on-prem) to ensure there are no adverse impacts on operations or the security of your IT estate. Describe the nature of the testing process in the notes or upload a supporting document as evidence.
Domain F Question
33
33) Is your organisation currently registered with the UK National Cyber Security Centre’s (NCSC) Early Warning service?
Answer yes if your organisation has registered with NCSC's Early Warning Service to receive notifications of potential threats to your network.
Domain G Question
0
00) Does your organisation rely upon any physical premises, such as offices, warehouses or data centres?
Answer yes if your organisation uses any physical premises in order to provide your services, products or to run your operations. This could include, but is not limited to, office space, warehouses, or data centres. It includes data centres used to host cloud services provided by your organisation, even if you do not have direct control of those premises. It also includes office space used by your people, even if you are a cloud-first organisation.
Domain G Question
1
01) Does your organisation enforce a secure physical perimeter around all of its physical locations (e.g. offices, data centres...)?
Answer yes if your organisation has implemented a secure physical perimeter around all of its physical locations. Upload a Physical Security Policy document as evidence or reference a section of a previously uploaded security policy in the notes.
Domain G Question
2
02) Does your organisation use CCTV to monitor entry and exit points of all premises?
Answer yes if your organisation uses CCTV cameras on all of its premises entry and exit points.
Domain G Question
3
03) For how many days does your organisation keep CCTV footage?
State the number of days that the CCTV footage is kept for. If different retention times are used depending on the CCTV system, state the different retention times in the notes and enter the lowest retention time in the answer box.
Domain G Question
4
04) Does your organisation use an access control system on its premises entry and exit points that includes logging of access?
Answer yes if your organisation uses an access control system to control the movement of people in and out of its physical premises, and if this system keeps a digital log of access.
Domain G Question
5
05) For how many months does your organisation keep its physical access control audit logs?
State the number of months that the access logs are kept for. If different retention times are used depending on the access control system, state the different retention times in the notes and enter the lowest retention time in the answer box.
Domain G Question
6
06) Are all of your organisation's physical premises secured with an alarm?
Answer yes if all of your organisation's physical premises are secured with an alarm that once triggered, is investigated either by a private security team or the police.
Domain G Question
7
07) Are all of your organisation's physical premises staffed 24/7 by a security team or reception team?
Answer yes if all of your organisation's physical premises are staffed 24/7 by an onsite security team, reception team, or both. If security is present for some hours (not 24/7), answer no and state in the notes section the times during which the premises are staffed.
Domain G Question
8
08) Does your organisation use visitor log books (or the digital equivalent) to record visitors at all premises?
Answer yes if your organisation uses a physical or digital system to record the arrival of visitors, and the time at which they leave the premises.
Domain G Question
9
09) Does your organisation require visitors to undergo an ID check on arrival at all premises?
Answer yes if your organisation requires all visitors to undergo an ID check on arrival to ensure that they are the person that they claim to be.
Domain G Question
10
10) Does your organisation protect sensitive equipment from power failures?
Answer yes if your organisation uses controls (such as Uninterruptible Power Supplies, UPS) to protect sensitive equipment from power failures.
Domain G Question
11
11) Does your organisation ensure confidential paper waste is disposed of securely?
Answer yes if your organisation disposes of all confidential paper waste in a secure manner (typically either by shredding or incineration), or if a third party is used to dispose of the waste securely.
Domain H Question
1
01) Does your organisation have a documented Incident Response Plan?
Answer yes if all of your organisation's physical premises are staffed 24/7 by an onsite security team, reception team, or both. If security is present for some hours (not 24/7), answer no and state in the notes section the times during which the premises are staffed.
Domain H Question
2
02) Does your organisation's Incident Response Plan allow for the classification of information security events?
Answer yes if your organisation's Incident Response Plan contains a section for classifying information security events. Reference the section of any previously uploaded plan in the notes.
Domain H Question
3
03) Does your Incident Response Plan include consideration of legal and regulatory commitments?
Answer yes if your organisation's Incident Response Plan contains an assessment of impact to legal and regulatory compliance. Reference the section of any previously uploaded plan in the notes.
Domain H Question
4
04) Does your organisation's Incident Response Plan include roles and responsibilities in the event of an incident?
Answer yes if your organisation's Incident Response Plan contains a section defining roles and responsibilities in an information security event. Reference the section of any previously uploaded plan in the notes.
Domain H Question
5
05) Does your organisation's Incident Response Plan include alternative communication systems in case your usual systems are disrupted?
Answer yes if your organisation's Incident Response Plan contains a section for alternative communication methods. Reference the section of any previously uploaded plan in the notes.
Domain H Question
6
06) Does your organisation have a cyber incident response and forensic capability (either internally or via a third party or cyber insurance policy)?
Answer yes if your organisation has a cyber incident response capability that it can call upon in the event of an incident. This can be an in-house capability or provided by a third party or cyber insurance provider.
Domain H Question
7
07) Does your organisation have a process for employees, contractors, and suppliers to report suspected or known information security breaches and weaknesses?
Answer yes if your organisation has a documented process for reporting information security incidents, or suspected information security incidents (this is typically via an IT helpdesk). Describe the process in the notes, or upload a process document as evidence.
Domain H Question
8
08) Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner?
Answer yes if your organisation has a documented process for reporting information security breaches to all affected Clients within 72 hours of the breach being discovered. Describe the process in the notes, or upload a process document as evidence.
Domain H Question
9
09) Does your organisation conduct a root cause analysis for all information security incidents that are reported?
Answer yes if your organisation completed a root cause analysis for all security incidents that are reported, and implements any lessons learnt after each analysis has been completed. Upload a template root cause analysis document as evidence.
Domain H Question
10
10) Does your organisation have an approved Business Continuity Plan to ensure the continuity of service in a disaster?
Answer yes if your organisation has a documented business continuity plan that has been reviewed and approved by senior management in the last year. Upload the Business Continuity Plan as evidence.
Domain H Question
11
11) Is your organisation's Business Continuity Plan based on a current risk assessment of your business?
Answer yes if your organisation has assessed the potential business-disruptive risks and used this assessment to inform your Business Continuity Plan. This process may involve conducting a Business Impact Analysis (BIA) for certain scenarios. Upload the business continuity risk summary as evidence or reference a section of a previously uploaded document in the notes section.
Domain H Question
12
12) Does your organisation's Business Continuity Plan address the backup and restoration of your business data and the data you process for your clients?
Answer yes if your organisation's Business Continuity Plan includes the required steps to backup and restore the data used by your organisation for day to day operations and the data your clients may have transferred to you for processing, including the outcomes of that processing. This may include defining and agreeing the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for certain services.
Domain H Question
13
13) Does your organisation's Business Continuity Plan include operation of business activities from an alternative location?
Answer yes if your organisation's Business Continuity Plan includes the required steps to continue business operations from an alternate location if the normal business location is inaccessible.
Domain H Question
14
14) Does your organisation's plan include the maintenance of security controls in a disaster?
Answer yes if your organisation's Business Continuity Plan includes information describing the maintenance of security controls in the event of a disaster.
Domain H Question
15
15) Does your organisation have a programme in place to regularly rehearse and maintain your Business Continuity and Disaster Recovery plans?
Answer yes if your organisation runs rehearsal of its Business Continuity and Disaster Recovery plans regularly (e.g. annually) involving all parties, including senior operational leaders. Upload a report that details the last two tests to take place. In the notes section, describe the nature of the exercises (e.g. desktop exercises, partial or whole practical/technical service restoration and recovery) and who was involved. Also describe the outcome of the rehearsals, e.g. plans have been updated and re-issued with all material findings addressed.
Domain H Question
16
16) Has your organisation set Recovery Time Objectives (RTO) and / or Recovery Point Objectives (RPO)?
Answer yes if your organisation has specified Recovery Time Objectives (RTO) and / or Recovery Point Objectives (RPO) for any of your services.
Domain H Question
17
17) What is your Recovery Time Objective (RTO)?
Enter your Recovery Time Objective (RTO). If you have different RTOs for different services, enter the longest RTO and provide details in the notes section.
Domain H Question
18
18) What is your Recovery Point Objective (RPO)?
Enter your Recovery Point Objective (RPO). If you have different RPOs for different services, enter the longest RPO and provide details in the notes section.
Domain I Question
1
01) Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation?
Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that covers all of the requirements of the relevant data protection regulations (e.g. GDPR, Australian Privacy Act, US State Law).
Domain I Question
2
02) Does your organisation have formal agreements in place that have appropriate security clauses, including a right to audit and mandatory adherence to security policies?
Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that contains appropriate security clauses including the right to audit and mandatory adherence to appropriate security policies.
Domain I Question
3
03) Does your organisation conduct a business impact assessment for each supplier and give them a corresponding criticality rating?
Answer yes if your organisation assigns each supplier with a criticality rating that is based on a corresponding business impact assessment.
Domain I Question
4
04) Does your organisation have a supplier security policy that outlines the security requirements that your suppliers are expected to meet?
Answer yes if your organisation has documented the baseline level of security controls that it expects its suppliers of different criticalities to adhere to. The Risk Ledger platform can be used for this - get in touch!
Domain I Question
5
05) Does your organisation conduct security due diligence against suppliers before entering into a contract?
Answer yes if your organisation checks that each supplier has the required level of security in controls in place before it enters into a contract with them. The Risk Ledger platform can be used for this - get in touch!
Domain I Question
6
06) Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?
Answer yes if your organisation checks that suppliers are continually meeting their security requirements whilst you are in contract with them, through regular assurance process (e.g. quarterly, annually). Provide details of your current process. The Risk Ledger platform can make this easier for you - get in touch!
Domain J Question
0
00) Does your organisation collect, process, or store personal data, other than that of your own employees?
Answer yes if your organisation collects, processes or stores information that relates to an identified or identifiable individual. You need not answer yes if the only personal data you process is that of your own employees for HR requirements. Data collection also includes any identifiable information collected from web cookies.
Domain J Question
1
01) Which countries do you store personal data in, or transfer personal data to?
List all countries where personal data controlled or processed by you resides or is transferred to or through. This includes the location of your head office and datacentres, as well as locations of sub-processors. For each country listed, describe what data is stored or transferred and under what circumstances.
Domain J Question
2
02) Do you use appropriate legal mechanisms for all international transfers of personal data?
Answer yes if you have processes in place to ensure that every cross-border transfer of personal data has the appropriate contractual / legal mechanisms in place, depending on your jurisdiction. For example, this could be an international data transfer agreement, or an adequacy decision. Describe in the notes section which mechanism is used for which instances of data transfer.
Domain J Question
3
03) Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months?
Answer yes if your organisation has received a request from any government or other authority to provide access to personal data. Provide information about the nature, volume and origin of requests, including how many you complied with in the notes section, or through supporting evidence (e.g. a link to your transparency report or a document upload).
Domain J Question
4
04) Does your organisation have a nominated Data Protection Officer (DPO)?
Answer yes if your organisation has a nominated Data Protection Officer (DPO) who undertakes regular compliance checks and leads on continual privacy improvement. Describe in the notes section details about how your DPO monitors compliance with relevant data protection obligations.
Domain J Question
5
05) Does your organisation have an up-to-date Data Protection Policy?
Answer yes if your organisation has a Data Protection Policy that has been reviewed in the last year. Upload your Data Protection Policy as evidence.
Domain J Question
6
06) Does your organisation maintain a record of all personal data collection & processing activities?
Answer yes if you document your personal data processing activities. This could be through data flow diagrams or written documentation and should include details of collection, purpose, storage, access, use, sharing, and retention. Describe how you do this in the notes.
Domain J Question
7
07) Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?
Answer yes if your organisation has documented the legal justification for processing personal data in each instance. The criteria for a valid lawful basis will depend on your jurisdiction.
Domain J Question
8
08) Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals?
Answer yes if your organisation conducts a Data Protection Impact Assessment (DPIA) for all processing of personal data that is likely to result in a high risk to individuals. To find out more about Data Protection Impact Assessments, see the Risk Ledger Knowledgebase.
Domain J Question
9
09) Can your organisation facilitate an individual's data privacy rights?
Answer yes if your organisation has the correct processes in place to be able to provide the relevant individual data privacy rights to all of the data subjects for whom you hold data (e.g. the right to subject access, the right to erasure…).
Domain J Question
10
10) Does your organisation have a Records Retention Policy?
Answer yes if your organisation has a Records Retention Policy that has been reviewed in the last year. Upload your Records Retention Policy evidence.
Domain J Question
11
11) Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches?
Answer yes if organisation has robust detection, investigation and reporting procedures in place for all personal data breaches. This should include assessing the likely risk to individuals as a result of the breach, informing affected individuals without undue delay, and documenting the facts surrounding personal data breaches in a Breach Log. Provide details about your processes surrounding a personal data breach in the notes section, including uploading any relevant documentation.
Domain J Question
12
12) Does your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs?
Answer yes if your organisation has a documented process for notifying the relevant Authority for your jurisdiction and all data controllers or other relevant parties when it becomes aware of a security breach involving Personal Data.
Domain J Question
13
13) Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months?
Answer yes if your organisation has had a security incident that led to a Personal Data breach in the last 6 months. If you answered yes, describe the nature of the breach in the notes section and attach a root causes analysis report for each listed breach.
Domain J Question
14
14) Does your organisation process personal data on behalf of another organisation?
Answer yes if your organisation processes personal data on behalf of another organisation where they are the data controller and you are the data processor.
Domain J Question
15
15) Does your organisation have procedures in place to inform and obtain authorisation (if required) from the data controller before engaging a sub-processor?
Answer yes if you have ways to ensure that new sub-processors are authorised by or communicated to the data controller before the new sub-processing takes place. Upload evidence or describe how this is ensured in the notes.
Domain J Question
16
16) Does your organisation ensure that processing activities are only carried out under the documented instructions of the data controller?
Answer yes if you have processes or policies which ensure data is only processed in the way in which your data controller has requested, and you have written instructions from the controller describing this. Describe in the notes how you obtain these instructions from data controllers and how you ensure data is not processed in any way outside of the documented written instructions.
Domain K Question
1 (AI)
01) Does your organisation have a documented AI Policy?
Answer yes if your organisation has a documented AI Policy that describes your organisations’s approach to using AI, including information such as, but not limited to: governance, roles and responsibilities, and policies describing the responsible use of AI technologies. Upload the AI Policy as evidence. In addition, if your policy adheres to any AI risk management frameworks (e.g. ISO/IEC 42001, EU AI Act, NIST AI RMF), state this in the notes section and upload relevant documentation as evidence.
Domain K Question
2 (AI)
02) Does your organisation use Machine Learning or Generative Artificial Intelligence (AI) models for internal use-cases?
Answer yes if Machine Learning or Generative AI models are used anywhere within your organisation. This includes the use of AI features or capabilities embedded in your supplier’s services or any SaaS tools your people use (e.g. Google Gemini or Microsoft’s Copilot). Unless it has been specifically prohibited and the restriction technically enforced, it is likely that AI is being used somewhere within your organisation and you should answer yes to this question.
Domain K Question
3 (AI)
03) Has your organisation conducted a risk assessment of each internal use of AI models?
Answer yes if your organisation has conducted and documented a regulatory compliance and security risk assessment for each AI-supported service that is used, including both internally developed and supplier-provided services. Examples of risk assessment considerations include: how the LLM service operates and is secured compared with the requirements of EU AI Act or the OWASP Top 10 for LLM, an evaluation of output accuracy or bias countermeasures, abuse prevention measures, and risk of Intellectual Property or Copyright infringement claims resulting from public use of AI-generated output. Upload supporting document(s) evidencing the assessment(s), or describe the assessment(s) in the notes section.
Domain K Question
4 (AI)
04) Is any of your information or data (e.g. prompts) used to train AI models?
Answer yes if any of the AI-supported services used by your organisation use your organisational data and information to train the AI models. Where information is used for AI training, describe any controls you have in place to mitigate risks related to your confidential or sensitive data being stored and re-used.
Domain K Question
5 (AI)
05) Do you have processes in place to ensure your service user evaluates the AI model responses before use?
Answer yes if you have ensured, as far as you are able, that your people (employees, managed contract resources or anyone else acting on behalf of your organisation) have reviewed and evaluated the AI model output before use. These processes should help mitigate the risks arising from inaccuracies or ‘hallucinations’ (plausible created statements) within AI outputs which, if applied without human review, can impact integrity and mislead decision-making. Describe how you ensure this human review takes place in all circumstances or upload supporting documentation.
Domain K Question
6 (AI)
06) Where automated decision-making technologies are used, are technical and/or procedural guardrails implemented to prevent actions that could adversely impact critical systems or services?
Answer yes if guardrails are in place to restrict the automatic implementation of outputs from any automated decision-making technologies (ML, AI agents, etc.), that might have an adverse impact on critical systems or services.
Domain K Question
7 (AI)
07) Where automated decision-making technologies are used, can system or service configuration decisions be reproduced through testing with identical inputs and do you retain sufficient records to identify any variance in decisions?
Answer yes if you have the capability to review output from automated decision-making technologies (ML, AI agents, etc.), perform testing to reproduce expected outcomes, and retain sufficient records of relevant input and output to support the identification of unexpected or inconsistent results.
Domain K Question
8 (AI)
08) Does your organisation use Machine Learning or Generative Artificial Intelligence (AI) models in any services provided to clients or is client data otherwise exposed to AI models?
Answer yes if Machine Learning or Generative AI models are used anywhere within the services provided to your clients or anywhere that might touch client data. This includes the use of AI features or capabilities embedded in your supplier’s services or any SaaS tools your people may use (e.g. Google Gemini or Microsoft’s Copilot), if they are used to provide client services. If AI is used within some, but not all of the services you provide, you should answer yes. Describe in the notes section which of your services use AI and a brief description of where and how AI is used in each service.
Domain K Question
9 (AI)
09) Has your organisation conducted a regulatory compliance and security risk assessment of how your AI or AI-supported service processes and responds to client data and information?
Answer yes if your organisation has conducted and documented a regulatory compliance and security risk assessment for each AI or AI-supported service you provide. Examples of what should be considered in each risk assessment include: how the LLM service operates and is secured compared with the requirements of EU AI Act or the OWASP Top 10 for LLM, an evaluation of output accuracy or bias countermeasures, abuse prevention measures, and risk of Intellectual Property or Copyright infringement claims resulting from public use of AI-generated output. Upload supporting document(s) evidencing the assessment(s), or describe the assessment(s) in the notes section.
Domain K Question
10 (AI)
10) Do your AI or AI-supported service(s) encourage service users to evaluate the AI model’s responses before use?
Answer yes if you have ensured, as far as you are able, that the users of your service have reviewed and evaluated the AI model output before use. The measures you have put in place should help mitigate the risks arising from inaccuracies or ‘hallucinations’ (plausible created statements) within AI outputs which, if applied without human review, can impact integrity and mislead decision-making. Depending on the service, this could include tagging output as 'AI generated' or providing workflows to enable the review. Upload a supporting document outlining how you have enabled this, or describe the measures you have put in place in the notes section.
Domain K Question
11 (AI)
11) Is client data processed by the AI model discarded and erased from memory when processing of that data has completed?
Answer yes if client data processed by the AI model is discarded at completion of each defined processing purpose (for example, text input discarded after the processing of each specific Large Language Model prompt). Describe, for example, the purpose of processing, the expected duration in memory and erasure actions applied to ensure the removal of clients' potentially sensitive data and the integrity of data processed in the next cycle. If client data is retained longer than the defined purpose, outline how that is stored (for example the expected duration in a database) and the purpose of storage. Upload a supporting document outlining the process, or describe the process in the notes section as evidence.
Domain K Question
12 (AI)
12) Is sensitive data (including personal or confidential data) removed, masked or otherwise prevented from being input into AI models for all services you provide?
Answer yes if you have controls in place to ensure that sensitive data is not processed by AI. This could include any data that has been defined by your customers as confidential, for example intellectual property or commercially sensitive information, in addition to personal information. These controls may include identifying and pre-treating data before AI processing or other controls to prevent the input of certain information. Describe how this is achieved in the notes section.
Domain K Question
13
13) Is client data and information (e.g. prompts) used to train AI models?
Answer yes if any client data is used to train your AI model, or external AI models used to provide supplier services. Describe which client data may be used to train AI models and how this is communicated to those clients.
Domain K Question
14
14) Does your organisation have a formal AI model change management process that gives consideration to information security and regulatory requirements and includes notification to relevant clients?"
Answer yes if your organisation has a formal change management process that includes a step to assess any security or legal compliance risks that the change may impact, requires a rollback plan, and includes processes for notifying relevant clients of the changes and any consequential processing differences. Change management can apply if either the AI model is updated, or the data applied to the model is changed (e.g. the model is applied to support new services processing different client data). Upload a copy of your AI change management process, or describe the process in the notes section.
Domain K Question
15
15) Does your organisation have processes in place to identify, triage and remediate the effects of AI model updates?"
Answer yes if your organisation evaluates the effects of changes of the underlying AI Model, whether that model is created and maintained by you or is adopted and applied from an external source (e.g. Amazon Bedrock AI as a Service). Change impacts can include changes in output accuracy or bias and the potential need to reprocess historic data for analysis consistency. Describe how you evaluate the effects of these changes or upload supporting documentation.
Domain L Question
1
01) Does your organisation have any certifications or audit reports that cover environmental, social or governance issues (such as ISO 14001, ISO 45001 or B Corporation certification)?
Answer yes if your organisation has obtained any certifications or any external audit reports which cover any environmental, social or governance issues. Please state the certification or report in the notes and please upload a PDF of the relevant certification or report as evidence.
Domain L Question
2
02) Does your organisation have a documented Environmental Management policy?
Answer yes if your organisation has a documented environmental management policy that looks to minimise your organisation's impact on the environment. The policy must have undergone senior management review and approval within the last year. Please upload the policy (as a PDF file) as evidence.
Domain L Question
3
03) Does your organisation publicly share metrics related to your Environmental, Social & Corporate Governance?
Answer yes if your organisation publicly shares information and metrics about your environmental and social impact. Please upload a copy of the latest report as evidence or provide a link to it.
Domain L Question
4
04) Does your organisation conduct any activities that might be deemed as hazardous to the environment?
Answer yes if your organisation conducts any activities that could be perceived to be hazardous to the environment. This could include but is not limited to mining, construction, demolition, manufacturing, chemical processing, or fossil fuels. Please describe your business activities in the notes.
Domain L Question
5
05) Has your organisation received any adverse media coverage, legal action, penalties or sanctions for environmental reasons?
Answer yes if your organisation has been subject to any adverse media coverage or legal action relating to environmental concerns or if your organisation has received any penalties or sanctions for environmental reasons. Please include details in the notes.
Domain L Question
6
06) Does your organisation measure its scope 1, scope 2, or scope 3 emissions as per Greenhouse Gas (GHG) Protocol standards?
Answer yes if your organisation measures your scope 1, scope 2, or scope 3 emissions as defined by Greenhouse Gas (GHG) Protocol. If you only measure your scope 1 or 2 emissions, please still answer yes and provide the relevant information in the following questions.
Domain L Question
7
07) What are your scope 1 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 1 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 1 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
Domain L Question
8
08) What are your scope 2 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 2 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 2 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
Domain L Question
9
09) What are your scope 3 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 3 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 3 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
Domain L Question
10
10) Is your organisation working towards a net zero carbon emissions target?
Answer yes if your organisation is proactively working towards achieving net zero carbon emissions. Please attach your Carbon Reduction Plan (or similar) if you have one.
Domain L Question
11
11) When do you expect to achieve net zero carbon emissions?
Please state the year in which you expect your organisation to achieve net zero carbon emissions.
Domain L Question
12
12) Does your organisation have a documented Health & Safety Policy?
Answer yes if your organisation has a documented Health & Safety policy. Please upload the policy (as a PDF file) as evidence.
Domain L Question
13
13) Does your organisation have a senior manager or board member who is responsible for your Health & Safety Programme?
Answer yes if your organisation has an appointed resource that is responsible for the design and delivery of your company's health and safety programme. This is typically a health and safety officer. In the notes, please outline the job role and whether or not this is a dedicated full time position.
Domain L Question
14
14) Does your organisation have an established and consistent framework for Health and Safety which includes provisions to ensure a safe and hygienic working environment for all of your personnel, in accordance with local health and safety laws and industry best practices?
Answer yes if your organisation has implemented a framework for managing health and safety compliance across your company. The framework must include health and safety awareness initiatives (such as posters), a risk assessment programme, a defined and auditable reporting process, and relevant and valid insurance policies (in the UK this is covered by your employers liability insurance). Please describe how you manage Health & Safety in the notes.
Domain L Question
15
15) Does your organisation work to a committed code of business ethics which includes ethical labour practises?
Answer yes if you commit to the standards set out in a publicly recognised code of ethics such as the Ethical Trading Initiative (ETI) Base Code or if your organisation has developed and abides by its own code of ethics covering labour practises. Please give more details in the notes section.
Domain L Question
16
16) Does your organisation ensure compliance with all applicable human rights laws and regulations?
Answer yes if your organisation is fully compliant with all applicable human rights laws and regulations. This may include, but is not limited to, the International Bill of Human Rights, the UK Modern Slavery Act 2015, and the EU working time directive. Please note that these laws and regulations may require further actions from your organisation to ensure compliance. Please describe how you comply in the notes section and upload evidence of relevant policies, processes or compliance documents.
Domain L Question
17
17) Does your organisation have policies and procedures in place that ensure the prevention of modern slavery?
Answer yes if your organisation has policies and accompanying procedures in place to prevent modern slavery in your own organisation and within your supply chains. Relevant policies may include: Supplier code of conduct, Migrant worker policy, Child labour policy, Human rights policy, Recruitment policy, Procurement policy, Employee code of conduct, Policies concerning access to remedy, compensation and justice for victims of modern slavery, Policies that relate to staff training and increasing awareness of modern slavery, Policies that relate to worker wages, welfare and living standards. Please include in the notes details of your policies and procedures and upload the relevant documents (as PDF files) as evidence.
Domain L Question
18
18) Have any incidences of modern slavery been recorded or uncovered within your organisation or supply chains in the past 12 months?
Answer yes if there have been any suspected or confirmed cases of modern slavery within your organisation or within your supply chain in the past 12 months. Please include in the notes details about how the incidences were identified, investigated and what action was taken.
Domain L Question
19
19) Does your organisation provide a grievance mechanism for workers to raise workplace concerns?
Answer yes if your organisation has a mechanism in place (backed up by a written policy document with a defined process) that allows employees and contractors to address grievances relating to their employment. Please upload the policy document (as a PDF file) as evidence.
Domain L Question
20
20) Does your organisation have a documented diversity and inclusion policy?
Answer yes if your organisation has a documented diversity and inclusion policy that outlines the organisation's commitment to providing an inclusive and supportive environment for staff, contractors and visitors that is free from discrimination.
Domain L Question
21
21) Does your organisation provide a confidential method (also known as a whistleblowing procedure) for employees and contract staff to freely report any perceived issues that might impact your clients or their customers?
Answer yes if your organisation has a defined and documented procedure that enables employees and contract staff to report any incidents or perceived issues confidentially. This is typically provided through a confidential phoneline or email address. Please outline the process in the notes section provided, or upload a policy or process document (as a PDF file) as evidence.
Domain L Question
22
22) Does your organisation clearly inform employees and contract staff how to access and utilise the whistleblowing procedure to confidentially report any issues?
Answer yes if your organisation clearly informs all employees and contract staff how to access and utilise the whistleblowing procedure.
Domain L Question
23
23) Does your organisation conduct regular assurance activities against its suppliers to ensure they are operating in line with your own environmental, social and governance policies, including checking that they are compliant with relevant laws and regulations?
Answer yes if your organisation conducts regular (e.g. quarterly, annually) supplier assurance to ensure your suppliers meet the same standards of environmental management, social responsibility, and governance that is expected of your organisation, and that they are compliant with all applicable laws and regulations. Describe the nature and frequency of the assurance activities in the notes.
Framework Domains

05) Does your organisation conduct threat modelling throughout the SDLC, incorporating an up to date understanding of threats, for each app or system build?

August 30, 2022
Software Development
Threat Modelling

Answer yes if your organisation conducts threat modelling when designing each app or system. Describe in the notes how threat modelling is integrated throughout your SDLC or upload a supporting document (for example, a template threat modelling report) as evidence.

What is it?

Threat modelling is a proactive security exercise to understand the mindset of a malicious actor and how they might attempt to exploit an application or system. Modern security best practices recommend threat modelling to be integrated throughout the entire Software Development Life Cycle (SDLC). This ensures that as code changes and new features are added throughout the application’s lifespan, the security posture evolves alongside the application.

Why should I have it?

Unlike input/output validation, vulnerability scans, and other code-related security checks, threat modelling typically applies primarily to the architectural aspects of software. While the former helps protect individual functions by making sure they are used as intended, ongoing threat modelling helps guide the overall architectural design and identify the individual functions to be checked and validated.

Continuously updating your threat model ensures that your security controls remain up to date against an ever-evolving set of tools, tactics, and procedures used by malicious actors.

How to implement the control

In order to implement effective threat modelling, any software development project should have defined security requirements as per your existing policies. The requirements brief should include all types of data used by the application and all the requirements of the application itself in order to properly assess the security risks.

A threat modelling approach that suits your project and development framework should be defined and then applied in an iterative and continuous fashion throughout the SDLC. This ensures that the architecture remains secure against current and emerging threats even as the application changes.

This process should be repeated for every project and major update until a final secure architecture is agreed and all important functions are validated for security robustness.There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and implementing a secure SDLC that includes continuous threat modelling in a way that meets your business and technical requirements.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.

Book a demo
Support
Framework
Domains
E
5
© 2025 Risk Ledger Ltd
CookiesPrivacy PolicyTerms of ServiceSecurity ProfileVulnerability Disclosure Policy