Framework Domains
Supplier Assessment Framework
A: Security Governance
B: Security Certifications
C: HR Security
D: IT Operations
E: Software Development
F: Network and Cloud Security
G: Physical Security
H: Business Resilience
I: Supply Chain Management
J: Data Protection
K: Artificial Intelligence
XA: Financial Risk
XB: Environmental, Social and Governance
XC: UK Government Data and Personnel Security
Domain J: Data Protection
This domain covers compliance with data protection legislation.
01) Does your organisation conduct an annual independent information security review and act upon the findings?
Answer yes if your organisation engages a third party to conduct an annual information security review, and the findings are assessed by your organisation and acted upon if necessary. If yes, add the date of your last review to the notes.
02) Does your organisation have an appointed person responsible for information security, such as a CISO?
Answer yes if your organisation has an appointed role that is responsible for managing and implementing security controls throughout your business. Confirm the role and its responsibilities in the notes or upload a job role description as evidence.
03) Does your organisation have a documented Cybersecurity Policy or Information Security Policy?
Answer yes if your organisation has a documented Cyber Security Policy or Information Security Policy that has been reviewed in the last year. Upload the Information Security Policy as evidence.
04) Does your organisation have a formal policy on the use of mobile devices?
Answer yes if your organisation has a documented Mobile Device Policy that has been reviewed in the last year. Upload the Mobile Device Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
05) Does your organisation have a formal policy for remote working that includes security?
Answer yes if your organisation has a documented Remote Working Policy that has been reviewed in the last year. Provide the Remote Working Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
06) Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information?
Answer yes if your organisation has a documented Acceptable Use Policy that has been reviewed in the last year. Upload the Acceptable Use Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
07) Does your organisation have a documented Information Classification Policy?
Answer yes if your organisation has a documented Information Classification Policy that has been reviewed in the last year and that outlines the data handling procedures in operation within your organisation. Upload the Information Classification Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
08) Does your organisation have a documented Access Control Policy?
Answer yes if your organisation has a documented Access Control Policy that has been reviewed in the last year. Upload the Access Control Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
09) Does your organisation have a policy governing the use of cloud services?
Answer yes if your organisation has a documented policy on the use of cloud services, and if it has been reviewed in the last year. The policy should include information security requirements for the acquisition, use, management, and exit from cloud services. Upload the Cloud Services Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
10) Does your organisation have a Password Policy that is technically enforced throughout its IT estate?
Answer yes if your organisation has a documented Password Policy which is enforced technically throughout the IT estate. Upload the Password Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes. Also include information about any controls you have to prevent brute-force attacks on passwords, such as account lockout thresholds or time-delays between password attempts.
11) Does your organisation have a documented Backup Policy?
Answer yes if your organisation has a documented Backup Policy that has been reviewed in the last year. Upload the Backup Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
12) Does your organisation enforce a Clear Desk and Screen Policy?
Answer yes if your organisation has implemented and enforces a Clear Desk and Screen Policy. Upload the Clear Desk and Screen Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
13) Does your organisation prevent the use of removable media, and is this enforced technically?
Answer yes if your organisation blocks the use of removable media on your network and if this is enforced through the use of a technical control.
14) If the use of removable media is not prohibited and enforced technically, is its use subject to other compensatory controls?
Answer yes if your organisation subjects the use of removable media to compensatory controls (these can include DLP solutions, encrypted USB drives, training and awareness, etc.). If yes, state the nature of these controls within the notes.
15) Are your organisation's information security policies accessible to all employees?
Answer yes if all of your employees have continuous access to your organisation's up-to-date policies (for example, through an intranet, cloud service, or networked drive).
16) Are your organisation's information security policies reviewed and approved by senior management at least annually?
Answer yes if all of your organisation's security policies are reviewed and approved by senior management.
17) Has your organisation documented senior management roles and responsibilities for security within your organisation?
Answer yes if your organisation has clearly defined and documented the security roles and responsibilities of senior management. Upload the documented roles as evidence.
18) Does your organisation include information security during the planning and delivery of projects?
Answer yes if you include information security in your planning and delivery of projects (for example, by conducting a security risk assessment of each project and implementing project controls).
19) Does your organisation restrict employee access to business information based upon the principle of least privilege?
Answer yes if you only give each employee access to the business information that they require to complete their job role (this is known as the principle of least privilege).
20) Does your organisation have an internal audit function that ensures information security requirements are being met by the business?
Answer yes if you have an internal team who audit your security function against your policies to ensure compliance. Provide information on the frequency of the audits in the notes.
21) Does your organisation conduct security risk assessments for your full IT estate at least annually?
Answer yes if your organisation conducts regular (at least annual) security risk assessments against the whole IT estate and takes appropriate action. Following a risk assessment, identified risks should be tracked, with assigned owners and risk treatment plans.
22) Does your organisation have a formal confidentiality or non-disclosure agreement in place for all staff, contractors and third parties?
Answer yes if you require everyone who has access to confidential information to sign a confidentiality agreement or NDA. Upload a template NDA or confidentiality agreement as evidence.
23) Does your organisation segregate duties to prevent unauthorised disclosure or access to information?
Answer yes if your organisation has identified and segregated relevant duties to help reduce errors and to prevent fraud. Give an example of such segregation in the notes.
24) Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?
Answer yes if your organisation has a defined process that is followed when a client contract is terminated, and that process includes the secure destruction of client data.
25) Does your organisation use threat intelligence to inform decisions about information security?
Answer yes if your organisation uses threat intelligence to make smarter decisions relating to information security strategy, policy, processes or operations. This could be collected, analysed and produced internally, or gathered from external sources such as information services or special interest groups. In the notes section, describe how you collect, analyse and use threat intelligence within your organisation, or upload a document as supporting evidence.
00) Does your organisation hold any certifications in information security?
Answer yes if your organisation has been certified to an information security standard (such as PCI DSS, Cyber Essentials or ISO27001) or has completed an information security audit such as a SOC2.
01) Is your organisation Cyber Essentials certified?
Answer yes if your organisation is certified to the first level Cyber Essentials scheme. Upload your Cyber Essentials certificate as evidence.
02) Is your organisation Cyber Essentials Plus certified?
Answer yes if your organisation has been certified to the Cyber Essentials Plus scheme by a relevant certification body. Upload your Cyber Essentials Plus certificate as evidence.
03) Is your organisation ISO27001 certified?
Answer yes if your organisation has a current, valid ISO 27001 certification. Upload your ISO 27001 certificate and Statement of Scope as evidence and copy the certificate scope statement into the notes section. If appropriate, also upload your Statement of Applicability. State your accreditation body in the notes section.
04) Is your organisation aligned with the NIST Cybersecurity Framework?
Answer yes if your organisation is aligned with the NIST Cybersecurity Framework.
05) Does your organisation store, process, transmit or otherwise have the ability to impact the security of cardholder data (CHD) or sensitive authentication data (SAD)?
Answer yes if your organisation performs any activities or may otherwise impact the security of cardholder data or related sensitive authentication data related to payment processing. Cardholder data includes data such as the Primary Account Number, Cardholder Name, Expiration Date, and Service Code. Sensitive authentication data includes data such as full track data, card verification code, PINs, etc.
06) Has your organisation performed validation of compliance to the Payment Card Industry Data Security Standard (PCI DSS) v4 or above for your services or environments that impact cardholder data or sensitive authentication data?
Answer yes if your organisation’s relevant services or environments have been validated through either: (1) a Self Assessment Questionnaire (SAQ), or (2) a Report on Compliance (RoC) if performed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). Upload the Attestation of Compliance (AOC) and the Shared Responsibility Matrix.
07) Does your organisation have a defined process for managing and monitoring Third-Party Service Providers (TPSP) that provide services impacting your PCI DSS compliance?
Answer yes if you have a defined process for monitoring the PCI DSS compliance status of any relevant TPSPs. For applicable TPSPs, provide their AOC.
08) Does your organisation have any other certifications or audit reports that cover information security (such as a SOC 2 report)?
01) Does your organisation perform background checks on staff and contractors?
Answer yes if background checks are conducted against staff before they join your organisation. In the notes section, describe the types of checks (e.g. employer reference, criminal records, BPSS, CTC, SC, DV) conducted for which roles or upload a supporting document as evidence.
02) Do employment contracts include consenting to all information security responsibilities in line with organisational policies and procedures?
Answer yes if your organisation's employment contracts include a clause in which the employee must consent to abiding by all of your organisation's security policies. Upload a template contract as evidence or copy the clause into the notes section.
03) Do employees and contractors receive an information security and data protection training programme?
Answer yes if your organisation runs an information security and data protection training programme for all of your employees and third-party contractors. Describe the nature and frequency of the training programme in the notes section, including any additional training provided to staff with greater responsibility, more privileged system access or access to confidential data.
04) Is there a formal disciplinary process for employees who have breached company policy (including any breaches of company security policy)?
Answer yes if your organisation has a formal disciplinary process that is followed if an employee is found to have intentionally breached company policy. Upload a document outlining the process as evidence (this may be covered by your organisation's Disciplinary Policy).
05) Does your organisation have arrangements in place to provide an alternate resource when a member of staff is not available for an extended period of time?
Answer yes if your organisation has a process in place to source additional staff if one of your organisation's employees is not available for an extended period of time. Describe the process in the notes section.
01) Does your organisation keep an up-to-date inventory of all IT assets with assigned owners?
Answer yes if your organisation keeps an up-to-date inventory of all hardware and software assets within your IT estate, including cloud services. The inventory must list an owner against each asset. It should also list other details about the assets such as version numbers, business usage & location. Include details in the notes.
02) Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners?
Answer yes if your organisation keeps an up-to-date inventory of all data repositories within your IT estate, including any hosted within cloud services. The inventory must list an owner against each asset.
03) Does your organisation have a formal process to ensure that employees, contractors and third party users return all IT assets when they leave the organisation?
Answer yes if your organisation has a formal process that ensures employees, contractors and third party users return all IT assets when they leave the organisation (this usually takes the form of a checklist).
04) Does your organisation have a process for editing or removing employee access to systems and information (whether digital or physical) when they are changing role or leaving the organisation?
Answer yes if your organisation has a formal process that ensures all access to your organisation's systems & information (this includes, but is not limited to corporate endpoints, networks, offices and third party services) is removed when employees, contractors and third party users leave the organisation and is updated when they change roles. Describe these processes within the notes and/or upload any relevant evidence.
05) Does your organisation have a documented process for provisioning user accounts for all of your IT services that includes appropriate authorisation and secure account creation with unique user IDs?
Answer yes if your organisation requires all users to have a secure and unique logon to access corporate endpoints, networks, and third party services, and if these logons are provisioned securely and with line manager authorisation. Describe the provisioning process in the notes or upload a supporting document as evidence. If any generic or shared accounts are used, specify what these are used for and any processes you have in place to minimise their usage.
06) Does your organisation enforce multi-factor authentication on all remotely accessible services?
Answer yes if your organisation enforces multi-factor authentication on all remotely accessible services that are used internally or provided externally (e.g. to customers or the public). This includes internal IT services, third-party apps or systems provided externally (e.g. client portals, apps, public services). In the notes section, describe where MFA is enforced, where it is available but not enforced, and where it is not available. You can add different answers for different products.
07) Are privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned?
Answer yes if your organisation requires privileged user accounts and accounts for sensitive services (such as network administrators) to receive a higher level of authorisation before they are provisioned. Describe the provisioning process in the notes or upload a supporting document as evidence.
08) Does your organisation regularly audit employee access rights for all IT services (whether internal or third party based)?
Answer yes if your organisation conducts regular user access audits to make sure that all users have the correct and up-to-date access to business information. This should include audit of any shared or generic accounts. Describe the audit process in the notes section or upload a supporting document as evidence.
09) How many access audits does your organisation conduct each year, for regular employee accounts?
State the number of times access audits are completed for users each year.
10) How many access audits does your organisation conduct each year, for privileged employee accounts?
State the number of times access audits are completed for users each year.
11) Does your organisation use Privileged Access Management controls to securely manage the use of privileged accounts for system administration?
Answer yes if your organisation has systems and/or processes in place to help ensure privileged accounts are only used for the intended purposes, in a secure way. This could include the use of administration proxies (jump boxes or bastion hosts), Privileged Access Workstations (PAWs), temporary credentials, additional approval processes, or ensuring privileged accounts are not used for normal business activities, such as email or web-browsing. Describe your PAM controls in the notes section or upload a supporting document as evidence.
12) Do all of your organisation's systems automatically lock after a short period of inactivity (requiring re-authentication)?
Answer yes if your organisation's systems automatically lock after a period of inactivity and require the user to re-authenticate.
13) For how many minutes does a user have to be inactive before the system is locked?
State how long a user must be inactive for (in minutes) before the systems lock. If times vary between systems, state the highest value and describe the others in the notes.
14) Does your organisation use/provision a password manager to ensure passwords are of the required complexity and only used once?
Answer yes if your organisation provides staff with a password management solution to help facilitate password complexity and uniqueness.
15) Has your organisation removed local administrator rights on all endpoint devices for all employees that do not require it?
Answer yes if your organisation provides users who do not require local administrator privileges with user accounts (without administrator rights) on their endpoint systems.
16) Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems including servers, endpoints, network devices and systems hosted in a cloud environment?
Answer yes if your organisation has a configuration process that is followed for all IT assets. The process should define security settings and disable unneeded services, thereby reducing your attack surface. Describe how your secure configuration process is performed, including both automated and manual checks. Upload any relevant documentation as evidence.
17) Do all systems (such as network devices) have their default credentials changed on installation or provision?
Answer yes if all of your organisation's IT systems (network devices and user accounts for services) have their default credentials changed on installation or provision.
18) Does your organisation have a formal change management process that gives consideration to information security?
Answer yes if your organisation has a formal change management process that includes a step to assess any security risks that the change may impact, and that requires a rollback plan. Describe the process in the notes section or upload a supporting document as evidence.
19) Does your organisation use anti-malware controls to protect all of its endpoints and internal IT infrastructure?
Answer yes if your organisation has deployed anti-malware solutions on all user endpoints and IT systems, and if these solutions receive regular signature updates and are configured to scan files regularly (at least daily). Provide details of your malware protection solutions in the notes.
20) Does your organisation have procedures in place to control the installation of software on IT production systems (such as servers)?
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on production systems (for example, through the use of app whitelisting on servers). Describe the nature of the controls in the notes.
21) Does your organisation have procedures in place to control the installation of software on user endpoint systems?
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on user endpoint systems, including desktop PCs, laptops & mobile devices. This could be done through the use of app whitelisting, restricting user installation rights, device management software etc. Describe the nature of the controls in the notes.
22) Does your organisation enforce full-disk encryption on all organisation-provisioned endpoint devices?
Answer yes if your organisation enforces full-disk encryption on all endpoint devices it provisions. In the notes, include details of the encryption algorithm(s) used and how this is enforced.
23) Can your organisation perform a remote wipe on all organisation-provisioned endpoint devices?
Answer yes if your organisation has a process and technical solution that allows for any endpoint device provisioned or owned by your organisation to be remotely wiped.
24) Does your organisation allow staff to access company data or services from employee-owned devices?
Answer yes if your organisation allows employees or contractors to have apps or services that access company data on their personally-owned devices (e.g. mobile phones, tablets, laptops), commonly known as a Bring Your Own Device (BYOD) policy.
25) Does your organisation enforce equivalent technical security controls on BYOD endpoint devices before allowing access to company data or services?
Answer yes if your organisation enforces security controls on BYOD endpoint devices to an equivalent standard of the security controls on organisation-issued devices, before access to company data or services is granted. For example, this could be done through the use of containerised MDM or UEM software. In the notes, describe the nature of the controls, the method of enforcement and any related processes. If there is a difference in the level of control between organisation-issued devices and BYOD, describe that in the notes section, including any compensating controls.
26) Can your organisation perform a remote wipe of organisation data on all BYOD endpoint devices?
Answer yes if your organisation has a process and technical solution that allows organisation data to be remotely wiped from any employee-owned device.
27) Does your organisation encrypt client data on its IT systems using appropriate cryptographic standards?
Answer yes if your organisation encrypts client data on its IT systems. State the encryption algorithm used in the notes.
28) Does your organisation ensure that all IT systems are regularly patched with security patches in line with vendor recommendations, including endpoint devices, servers, network devices, and applications?
Answer yes if your organisation runs a patch management process to ensure that all IT systems (endpoints, servers, network devices, and applications) are updated with security patches in line with the manufacturer's guidance. Describe your patch management processes in the notes, including how you ensure all systems are in scope, or upload supporting documents.
29) Does your organisation use any applications, operating systems or hardware that are no longer supported by the vendor and no longer receive security updates?
Answer yes if your organisation uses any IT systems that include applications, operating systems or hardware (including servers, network equipment or user devices) for which the vendors do not provide regular security updates. In the notes, describe how you discover and manage these systems, including any compensatory controls you have in place to protect them and any plans for decommissioning or replacement.
30) Does your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained?
Answer yes if your organisation has a process to securely destroy all media that may hold business information. If a third party is used, only answer yes if your organisation receives certificates of destruction. Describe the process in the notes section or upload a supporting document as evidence.
31) Does your organisation take regular immutable backups of its digital production data in line with current best practice guidelines?
Answer yes if your organisation takes regular backups of its production data that cannot be altered, deleted or tampered with for a specified time period. Backups must be taken in line with best practice guidelines, for example by following the '3-2-1' rule and segregating the backups from your main environment. Describe your backup processes including segregation, frequency, and any other controls in place.
32) Does your organisation encrypt the backups using appropriate cryptographic standards to prevent unauthorised access to the backup data?
Answer yes if your organisation encrypts the backups using appropriate cryptographic standards to prevent unauthorised access to the data. State the encryption algorithm used in the notes section.
33) Does your organisation regularly test backups to ensure their effectiveness?
Answer yes if your organisation regularly tests its backup data to ensure that the backups are effective and can be used when required. State the frequency of the tests in the notes section.
34) Does your organisation use opportunistic TLS on all email services and are you able to apply enforced TLS to specific domains on request?
Answer yes if your organisation uses opportunistic TLS by default and has the capability to configure enforced TLS on email services to specific domains if requested.
35) Has your organisation implemented SPF, DMARC, and DKIM for all of its email services?
Answer yes if your organisation has implemented effective SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records within its DNS services. State the type of DMARC policy set.
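A way a reviewer could check the DNS records behind a "yes" to question 35, as an added example that is not part of the framework: it parses SPF and DMARC TXT record strings (the DNS lookup itself is left to the caller), reports the DMARC policy type the guidance asks for, and flags weak settings such as p=none, pct below 100 or +all. The sample records are constructed.

```python
"""Parse SPF and DMARC TXT records and summarise how strongly they are enforced.

Added example, not Risk Ledger's code. The record strings below are
constructed samples; pass in whatever TXT values you fetched from DNS.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records (not real domains' records).
STRONG_SPF = "v=spf1 include:_spf.example.net mx -all"
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}


@dataclass
class SpfResult:
    valid: bool
    all_qualifier: Optional[str]          # '-', '~', '?', '+' or None when 'all' is absent
    lookup_mechanisms: int                # RFC 7208 caps DNS-querying terms at 10
    issues: List[str] = field(default_factory=list)


def parse_spf(txt: str) -> SpfResult:
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return SpfResult(False, None, 0, ["not an SPF record"])
    issues, all_q, lookups = [], None, 0
    for term in terms[1:]:
        t = term.lower()
        if t.startswith("redirect="):      # redirect= is a modifier but still costs a lookup
            lookups += 1
            continue
        if t.startswith("exp="):
            continue
        qual = "+"                          # an unqualified mechanism means 'pass'
        if t[0] in "+-~?":
            qual, t = t[0], t[1:]
        mech = t.split(":", 1)[0].split("/", 1)[0]
        if mech == "all":
            all_q = qual
        elif mech in SPF_LOOKUP_MECHS:
            lookups += 1
            if mech == "ptr":
                issues.append("ptr mechanism is deprecated and slow to evaluate")
    if all_q is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_q == "+":
        issues.append("+all authorises any sender on the internet")
    elif all_q == "?":
        issues.append("?all is neutral, so unlisted senders are not failed")
    elif all_q == "~":
        issues.append("~all is softfail: receivers usually still deliver the message")
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return SpfResult(True, all_q, lookups, issues)


@dataclass
class DmarcResult:
    valid: bool
    policy: Optional[str]                 # value of p=, the 'type of DMARC policy set'
    subdomain_policy: Optional[str]       # sp= falls back to p= when absent
    pct: int
    has_rua: bool
    issues: List[str] = field(default_factory=list)


def parse_dmarc(txt: str) -> DmarcResult:
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return DmarcResult(False, None, None, 100, False, ["not a DMARC record"])
    policy = tags.get("p")
    issues = []
    if policy not in ("none", "quarantine", "reject"):
        policy = None
        issues.append("missing or invalid p= tag: record is ignored by receivers")
    pct = int(tags.get("pct", "100"))
    has_rua = "rua" in tags
    if policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if not has_rua:
        issues.append("no rua= address: aggregate reports are not being collected")
    return DmarcResult(True, policy, tags.get("sp", policy), pct, has_rua, issues)


def assess_domain(spf_txt: str, dmarc_txt: str) -> str:
    """One-word verdict a reviewer can record: enforcing, partial, monitor-only or missing."""
    spf, dmarc = parse_spf(spf_txt), parse_dmarc(dmarc_txt)
    if not spf.valid or not dmarc.valid or dmarc.policy is None:
        return "missing"
    if dmarc.policy == "reject" and dmarc.pct == 100 and spf.all_qualifier in ("-", "~"):
        return "enforcing"
    if dmarc.policy in ("quarantine", "reject"):
        return "partial"
    return "monitor-only"
```

DKIM is not covered here because its TXT record only publishes a public key; whether DKIM signing is actually applied has to be checked on received mail headers.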
36) Does your organisation prevent unauthorised transfer of data via email, web browsers, or other data transfer mechanisms?
Answer yes if your organisation has any form of Data Loss Prevention (DLP) controls in place to ensure only authorised data is transferred outside of your organisation. Describe the controls you have in place and how these are managed.
00) Does your organisation develop any applications or systems?
Answer yes if your organisation designs, develops, or maintains any app, website, or system, whether internal or external.
01) Does your organisation control access to program source code in a secure manner?
Answer yes if your organisation controls access to its app source code. This is typically done by using a code repository with robust access controls implemented, including maintaining an audit log of all access.
02) Does your organisation have a documented and approved software development life-cycle (SDLC) process that includes security input?
Answer yes if your organisation has implemented a secure SDLC (Software Development Lifecycle) that includes a security risk assessment. Describe your SDLC process in the notes, highlighting any security input, or upload a supporting document as evidence.
03) Does your organisation develop apps and systems using security best practice (for example, by following the OWASP secure coding practices)?
Answer yes if your organisation's developers are instructed to build apps and systems using defined security best practice (for example, as defined by OWASP, The Open Web Application Security Project). Describe in the notes the best practice guidance followed and if your developers receive any additional security training.
04) Does your organisation validate all data inputs and outputs to and from its apps?
Answer yes if your organisation ensures that all of its apps have data validation implemented on their data inputs and outputs.
05) Does your organisation conduct threat modelling throughout the SDLC, incorporating an up to date understanding of threats, for each app or system build?
Answer yes if your organisation conducts threat modelling when designing each app or system. Describe in the notes how threat modelling is integrated throughout your SDLC or upload a supporting document (for example, a template threat modelling report) as evidence.
06) Do all of your organisation's apps and systems use industry best practice for authentication, including storing all user passwords as appropriate hashes?
Answer yes if your organisation ensures that all of its apps and systems (that are developed/built in-house) use industry best practice for authentication, and that all passwords are stored as hashes using secure hashing algorithms rather than as plain text. In the notes section, where relevant, state the name of the authentication provider used.
07) Does your organisation conduct appropriate security testing as part of your development lifecycle?
Answer yes if your organisation performs security testing of all apps & systems during the build process. Describe the security testing performed which could include, but is not limited to Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Infrastructure security testing.
08) Does your organisation segregate development environments from any testing or production environments?
Answer yes if your organisation uses segregated environments for the development of apps, the testing of apps, and the hosting of production systems that handle live data. Describe in the notes the nature of the segregation (logical/physical).
09) Does your organisation use dummy test data when undergoing testing of systems (and not live production data)?
Answer yes if your organisation has made it policy to only use test data (rather than live production data) that contains no personal data when testing its IT systems. If not, describe the reason why and whether or not you have any other mitigating controls in place.
10) Does your organisation ensure that all apps that it builds or procures are maintained with regular security patches?
Answer yes if your organisation produces or receives regular security updates for any apps it develops and hosts, and that it ensures all apps procured from vendors are also supported with regular security patches.
11) Does your organisation conduct regular penetration tests of any apps or systems that it develops?
Answer yes if your organisation conducts regular penetration tests of any apps or systems that it develops and remediates the findings. Describe how often penetration tests take place.
12) Does your organisation ensure that appropriate logging and monitoring is in place for all apps or systems it develops?
Answer yes if your organisation ensures that any apps or systems developed have appropriate logging mechanisms implemented (for example, as defined by OWASP, the Open Web Application Security Project).
13) Is your organisation able to demonstrate the composition and provenance of software it develops (including third-party and open-source components)?
Answer yes if your organisation can demonstrate the composition and provenance of the software it develops, including any third-party or open-source components. Upload supporting evidence such as, but not limited to: a software inventory, dependency lists, or a software bill of materials (SBOM).
14) Does your organisation continuously monitor all software components for vulnerabilities?
Answer yes if your organisation has processes or tools in place to regularly monitor software components for newly disclosed vulnerabilities throughout the software lifecycle. This includes identifying relevant vulnerabilities, understanding the potential impact to you, and assessing any necessary actions.
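Questions 13 and 14 fit together: the SBOM is the composition record, and continuous monitoring is the process that matches it against newly disclosed vulnerabilities. The following is an added example, not Risk Ledger's code, showing that match in its simplest form. Both the CycloneDX-style SBOM and the advisory list are constructed samples with fictional packages and placeholder advisory IDs (not real CVEs); a real process would load the organisation's own SBOM and an advisory feed, and would use each ecosystem's version-ordering rules rather than the numeric comparison assumed here.

```python
"""Match SBOM components against a vulnerability feed.

Added example, not Risk Ledger's code. The SBOM and the advisory list are
constructed samples: fictional packages and placeholder advisory IDs.
"""
import json

# Constructed SBOM in a CycloneDX-like shape: components identified by package URLs.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-json-parser", "version": "1.3.0",
     "purl": "pkg:npm/acme-json-parser@1.3.0"},
    {"type": "library", "name": "acme-http", "version": "2.25.1",
     "purl": "pkg:pypi/acme-http@2.25.1"},
    {"type": "library", "group": "com.acme", "name": "acme-logger", "version": "2.17.1",
     "purl": "pkg:maven/com.acme/acme-logger@2.17.1?type=jar"}
  ]
}
"""

# Constructed advisories: placeholder IDs and ranges, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "npm", "package": "acme-json-parser",
     "introduced": "1.0.0", "fixed": "1.2.0", "severity": "LOW"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "pypi", "package": "acme-http",
     "introduced": "2.0.0", "fixed": "2.31.0", "severity": "MEDIUM"},
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "maven", "package": "com.acme/acme-logger",
     "introduced": "2.0.0", "fixed": "2.17.1", "severity": "CRITICAL"},
]


def parse_purl(purl: str):
    """Return (ecosystem, namespace/name, version) from a package URL; qualifiers are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %s" % purl)
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    if "@" in body:
        path, _, version = body.rpartition("@")
    else:
        path, version = body, ""
    ecosystem, _, name = path.partition("/")
    return ecosystem, name, version


def version_key(version: str) -> tuple:
    """Numeric tuple so 2.9.0 < 2.10.0 (plain string comparison gets this wrong).
    Assumed simplification: non-numeric suffixes such as '-rc1' are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range [introduced, fixed): the fixed version itself is not affected."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def find_vulnerable(sbom_json: str, advisories) -> list:
    """Every (purl, advisory id, severity) where a component falls in an affected range."""
    components = json.loads(sbom_json).get("components", [])
    hits = []
    for component in components:
        ecosystem, name, version = parse_purl(component["purl"])
        for adv in advisories:
            if (adv["ecosystem"] == ecosystem and adv["package"] == name
                    and is_affected(version, adv["introduced"], adv["fixed"])):
                hits.append({"purl": component["purl"], "advisory": adv["id"],
                             "severity": adv["severity"]})
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(SBOM_JSON, ADVISORIES):
        print("%s  %s  %s" % (hit["severity"], hit["advisory"], hit["purl"]))
```

On the sample data only acme-http is reported: acme-json-parser is above its fixed version and acme-logger is exactly at its fixed version, which is why the half-open range matters. Running this against a fresh feed on a schedule, and routing each hit into the triage workflow asked about later in this questionnaire, is the substance of a "yes" to question 14.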
00) Does your organisation maintain on-premise or cloud-hosted environments — or a hybrid of both — for internal use, or to deliver services to clients?
Answer yes to this question if:
- Your organisation maintains (or is responsible for maintaining) a physical or cloud-hosted network that allows user devices to connect and communicate with any data storage or processing services;
- Your organisation maintains any physical or cloud-hosted application or service delivery infrastructure;
- Your organisation uses a public cloud to host applications or services where you are responsible for implementing security controls within that environment, guided by the host's shared security responsibility model (e.g. AWS, GCP and Azure).
01) Are all ingress and egress points for traffic through your network or cloud environment protected by firewalls?
Answer yes if your organisation has secured all of the ingress and egress points of its corporate network and IT environments (cloud-based or otherwise) with firewalls - whether as discrete appliances or as cloud-hosted network security service functions.
02) Were the firewalls implemented using a deny all policy, with rules built around your organisation’s requirements?
Answer yes if the firewalls were implemented with a 'deny all' policy, and each rule was only added when a business requirement was identified, documented and approved by an authorised individual.
03) Does your organisation review its firewall rules at least annually?
Answer yes if your organisation undertakes an annual firewall rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. State the date of the last review.
04) Does your organisation have web application firewalls (WAFs) implemented to protect web applications?
Answer yes if all web applications hosted by your organisation are protected with WAFs (web application firewalls) - whether as discrete appliances or as cloud-hosted network security service functions. If your organisation does not host any web applications, answer 'No' and state this in the notes section.
05) Were the WAFs implemented using a deny all policy, with rules built around your organisation’s requirements?
Answer yes if the WAFs were implemented with a 'deny all' policy, and if the WAF rules were only added when a business requirement was identified that required the rule to be created.
06) Does your organisation review its WAF rules at least annually?
Answer yes if your organisation undertakes an annual WAF rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. State the date of the last review.
07) Has your organisation implemented segmentation or segregation in your networks and/or cloud environments?
Answer yes if your organisation has appropriately segregated its network or cloud environments to restrict the level of access to sensitive information, hosts, and services. Examples include segregation of production systems from systems being commissioned or decommissioned and systems under test; segregation of systems with different security levels (e.g. those processing sensitive personal data or financial data are segregated from other business systems) and segregation or segmentation of services used by different subsidiary organisations.
08) Does your organisation place all publicly accessible services in isolated network DMZs (or separate subnets)?
Answer yes if your organisation hosts all publicly accessible services within a DMZ (a DMZ or demilitarised zone is a public facing subnet that acts as a barrier between your organisation's internal environment and the internet or other public network).
09) Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service) attacks?
Answer yes if your organisation has implemented controls to protect its services against DOS (Denial of Service) and DDOS (Distributed Denial of Service) attacks. Describe the nature of these controls in the notes section.
10) Does your organisation secure and encrypt remote connections to its network or environment using an appropriate control/protocol (for example, by using VPNs or SSH connections)?
Answer yes if your organisation forces all remote connections to its network infrastructure or cloud environment to be secured with a suitable solution such as a VPN or SSH connection. Describe the nature of these controls in the notes section, both technical and procedural.
11) Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS), and are all data transfers subject to review and authorisation?
Answer yes if all data transfers to and from your organisation are approved by relevant parties and secured with an appropriate level of authentication and encryption (such as HTTPS for web traffic including APIs and SFTP for file transfers). Describe the nature of these controls in the notes section, both technical and procedural.
12) Does your organisation manage and control the use of, and access to, any cryptographic keys?
Answer yes if your organisation controls the use of, and access to, cryptographic keys. These keys are typically used to access IT infrastructure and services. Describe the process in the notes section, or upload a supporting document as evidence.
13) Does your organisation enforce multi-factor authentication for all remote access to its network and cloud environments?
Answer yes if your organisation enforces multi-factor authentication for all remote access to its network and cloud environments.
14) Does your organisation keep a list of approved network connections (such as site to site VPNs) between your corporate network and third parties?
Answer yes if your organisation keeps a list of approved network connections between its own network and any third party networks.
15) Is each of the approved network connections subject to a risk assessment?
Answer yes if each of the approved network connections between your organisation's network and third party networks has been subject to a risk assessment.
16) Is each of the approved network connections subject to regular review?
Answer yes if your organisation undertakes a regular review of network connections (e.g. annually) in which it removes any redundant connections and makes sure that all of the connections are relevant to its business operations.
17) Does your organisation conduct regular automated vulnerability scans of its public facing IT infrastructure and remediate any findings?
Answer yes if your organisation conducts regular external automated vulnerability scans of its public IP infrastructure and remediates the findings.
18) How many external automated vulnerability scans does your organisation conduct each year?
Please state the number of automated scans completed every year.
19) Does your organisation conduct regular automated vulnerability scans of its internal IT infrastructure and remediate any findings?
Answer yes if your organisation conducts regular automated vulnerability scans of its internal IP infrastructure and remediates the findings. This may include scanning assets in a private local network or using a cloud service provider’s tools to scan for vulnerabilities in your cloud infrastructure.
20) How many internal automated vulnerability scans does your organisation conduct each year?
State the number of automated scans completed every year.
21) Does your organisation conduct regular penetration tests of its public facing IT infrastructure?
Answer yes if your organisation conducts regular penetration tests of its public facing IT systems and infrastructure and remediates the findings. The test should include manual testing by a skilled person in the role of a threat actor with technical verification and validation of any findings. Describe in the notes how often these tests are completed. Upload your last pentest report summary (not the detailed findings) as evidence.
22) Does your organisation conduct regular penetration tests of its internal systems where the test assumes perimeter controls have been compromised?
Answer yes if your organisation conducts regular penetration tests of its internal IT systems and infrastructure and remediates the findings. The test should include manual testing by a skilled person in the role of a threat actor with technical verification and validation of any findings. The test should assume that perimeter controls have been compromised, for example that a legitimate internal user's credentials have been stolen and re-used. The test should assess a threat actor's ability to reach assets and information, including opportunities to elevate privileges to gain access. The results of the tests can inform improvements to IT systems and infrastructure, for example improved subnet segregation and role access privileges and controls. Describe in the notes how often these tests are completed. Upload your last pentest report summary (not the detailed findings) as evidence.
23) Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows?
Answer yes if you have processes in place which facilitate effective triage of vulnerabilities and input necessary remediations into the appropriate workflows, for example, development, IT change management or ad-hoc improvement programmes. This should cover all vulnerabilities identified through scanning, penetration tests, or other inputs such as external alert feeds or internal employee reporting. It should also include communication of vulnerabilities to key stakeholders (including relevant clients) where temporary compensating controls may be required. Describe your process(es) in the notes section.
24) Has your organisation implemented any network or cloud monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems?
Answer yes if your organisation has implemented any network or cloud monitoring solutions (either in house or via a third party service provider). Describe which solutions you have in place and the coverage they have over your network(s) or cloud environment(s).
25) Does your organisation have defined processes in place to ensure that all security alerts from logging and monitoring solutions are reviewed and actioned as necessary?
Answer yes if your organisation has processes in place to frequently review and act upon events and alerts from security logs and monitoring tools. Describe your processes for different types of security logs and events in the notes section.
26) Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load?
Answer yes if your organisation has controls in place to monitor the capacity of its IT production systems to make sure that they can cope with the load. Describe the controls in the notes section.
27) Does your organisation record and store user activity logs for all cloud environments, networks and associated services?
Answer yes if your organisation records and stores user activity logs for its IT production systems, network devices and endpoint devices.
28) For how many months does your organisation store its user activity logs?
State how many months the logs are kept for.
29) Does your organisation record and store the logs of root/super user/administrator actions for the network and associated services?
Answer yes if your organisation records and stores administrator activity logs for its IT production systems and endpoint devices.
30) For how many months does your organisation store its root/super-user/administrator logs?
State how many months the logs are kept for.
31) Are all logs stored on a secure/hardened server that is logically separate from the systems being logged?
Answer yes if your organisation stores all recorded logs on dedicated servers that are logically separate from your production systems, and hardened.
32) Does your organisation have a process to test the deployment of business critical applications to their target managed environment (cloud or on-prem) to ensure there are no adverse impacts on operations or security?
Answer yes if your organisation has a robust testing process implemented to appropriately test the deployment of business critical applications to their target managed environment (cloud or on-prem) to ensure there are no adverse impacts on operations or the security of your IT estate. Describe the nature of the testing process in the notes or upload a supporting document as evidence.
33) Is your organisation currently registered with the UK National Cyber Security Centre’s (NCSC) Early Warning service?
Answer yes if your organisation has registered with NCSC's Early Warning Service to receive notifications of potential threats to your network.
00) Does your organisation rely upon any physical premises, such as offices, warehouses or data centres?
Answer yes if your organisation uses any physical premises in order to provide your services, products or to run your operations. This could include, but is not limited to, office space, warehouses, or data centres. It includes data centres used to host cloud services provided by your organisation, even if you do not have direct control of those premises. It also includes office space used by your people, even if you are a cloud-first organisation.
01) Does your organisation enforce a secure physical perimeter around all of its physical locations (e.g. offices, data centres...)?
Answer yes if your organisation has implemented a secure physical perimeter around all of its physical locations. Upload a Physical Security Policy document as evidence or reference a section of a previously uploaded security policy in the notes.
02) Does your organisation use CCTV to monitor entry and exit points of all premises?
Answer yes if your organisation uses CCTV cameras on all of its premises entry and exit points.
03) For how many days does your organisation keep CCTV footage?
State the number of days that the CCTV footage is kept for. If different retention times are used depending on the CCTV system, state the different retention times in the notes and enter the lowest retention time in the answer box.
04) Does your organisation use an access control system on its premises entry and exit points that includes logging of access?
Answer yes if your organisation uses an access control system to control the movement of people in and out of its physical premises, and if this system keeps a digital log of access.
05) For how many months does your organisation keep its physical access control audit logs?
State the number of months that the access logs are kept for. If different retention times are used depending on the access control system, state the different retention times in the notes and enter the lowest retention time in the answer box.
06) Are all of your organisation's physical premises secured with an alarm?
Answer yes if all of your organisation's physical premises are secured with an alarm that, once triggered, is investigated either by a private security team or the police.
07) Are all of your organisation's physical premises staffed 24/7 by a security team or reception team?
Answer yes if all of your organisation's physical premises are staffed 24/7 by an onsite security team, reception team, or both. If security is present for some hours (not 24/7), answer no and state in the notes section the times during which the premises are staffed.
08) Does your organisation use visitor log books (or the digital equivalent) to record visitors at all premises?
Answer yes if your organisation uses a physical or digital system to record the arrival of visitors, and the time at which they leave the premises.
09) Does your organisation require visitors to undergo an ID check on arrival at all premises?
Answer yes if your organisation requires all visitors to undergo an ID check on arrival to ensure that they are the person that they claim to be.
10) Does your organisation protect sensitive equipment from power failures?
Answer yes if your organisation uses controls (such as Uninterruptible Power Supplies, UPS) to protect sensitive equipment from power failures.
11) Does your organisation ensure confidential paper waste is disposed of securely?
Answer yes if your organisation disposes of all confidential paper waste in a secure manner (typically either by shredding or incineration), or if a third party is used to dispose of the waste securely.
01) Does your organisation have a documented Incident Response Plan?
Answer yes if your organisation has a documented Incident Response Plan. Upload the plan as evidence.
02) Does your organisation's Incident Response Plan allow for the classification of information security events?
Answer yes if your organisation's Incident Response Plan contains a section for classifying information security events. Reference the section of any previously uploaded plan in the notes.
03) Does your Incident Response Plan include consideration of legal and regulatory commitments?
Answer yes if your organisation's Incident Response Plan contains an assessment of impact to legal and regulatory compliance. Reference the section of any previously uploaded plan in the notes.
04) Does your organisation's Incident Response Plan include roles and responsibilities in the event of an incident?
Answer yes if your organisation's Incident Response Plan contains a section defining roles and responsibilities in an information security event. Reference the section of any previously uploaded plan in the notes.
05) Does your organisation's Incident Response Plan include alternative communication systems in case your usual systems are disrupted?
Answer yes if your organisation's Incident Response Plan contains a section for alternative communication methods. Reference the section of any previously uploaded plan in the notes.
06) Does your organisation have a cyber incident response and forensic capability (either internally or via a third party or cyber insurance policy)?
Answer yes if your organisation has a cyber incident response capability that it can call upon in the event of an incident. This can be an in-house capability or provided by a third party or cyber insurance provider.
07) Does your organisation have a process for employees, contractors, and suppliers to report suspected or known information security breaches and weaknesses?
Answer yes if your organisation has a documented process for reporting information security incidents, or suspected information security incidents (this is typically via an IT helpdesk). Describe the process in the notes, or upload a process document as evidence.
08) Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner?
Answer yes if your organisation has a documented process for reporting information security breaches to all affected Clients within 72 hours of the breach being discovered. Describe the process in the notes, or upload a process document as evidence.
09) Does your organisation conduct a root cause analysis for all information security incidents that are reported?
Answer yes if your organisation completes a root cause analysis for all security incidents that are reported, and implements any lessons learnt after each analysis has been completed. Upload a template root cause analysis document as evidence.
10) Does your organisation have an approved Business Continuity Plan to ensure the continuity of service in a disaster?
Answer yes if your organisation has a documented business continuity plan that has been reviewed and approved by senior management in the last year. Upload the Business Continuity Plan as evidence.
11) Is your organisation's Business Continuity Plan based on a current risk assessment of your business?
Answer yes if your organisation has assessed the potential business-disruptive risks and used this assessment to inform your Business Continuity Plan. This process may involve conducting a Business Impact Analysis (BIA) for certain scenarios. Upload the business continuity risk summary as evidence or reference a section of a previously uploaded document in the notes section.
12) Does your organisation's Business Continuity Plan address the backup and restoration of your business data and the data you process for your clients?
Answer yes if your organisation's Business Continuity Plan includes the required steps to back up and restore the data used by your organisation for day to day operations and the data your clients may have transferred to you for processing, including the outcomes of that processing. This may include defining and agreeing the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for certain services.
13) Does your organisation's Business Continuity Plan include operation of business activities from an alternative location?
Answer yes if your organisation's Business Continuity Plan includes the required steps to continue business operations from an alternate location if the normal business location is inaccessible.
14) Does your organisation's plan include the maintenance of security controls in a disaster?
Answer yes if your organisation's Business Continuity Plan includes information describing the maintenance of security controls in the event of a disaster.
15) Does your organisation have a programme in place to regularly rehearse and maintain your Business Continuity and Disaster Recovery plans?
Answer yes if your organisation runs rehearsals of its Business Continuity and Disaster Recovery plans regularly (e.g. annually) involving all parties, including senior operational leaders. Upload a report that details the last two tests to take place. In the notes section, describe the nature of the exercises (e.g. desktop exercises, partial or whole practical/technical service restoration and recovery) and who was involved. Also describe the outcome of the rehearsals, e.g. plans have been updated and re-issued with all material findings addressed.
16) Has your organisation set Recovery Time Objectives (RTO) and / or Recovery Point Objectives (RPO)?
Answer yes if your organisation has specified Recovery Time Objectives (RTO) and / or Recovery Point Objectives (RPO) for any of your services.
17) What is your Recovery Time Objective (RTO)?
Enter your Recovery Time Objective (RTO). If you have different RTOs for different services, enter the longest RTO and provide details in the notes section.
18) What is your Recovery Point Objective (RPO)?
Enter your Recovery Point Objective (RPO). If you have different RPOs for different services, enter the longest RPO and provide details in the notes section.
01) Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation?
Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that covers all of the requirements of the relevant data protection regulations (e.g. GDPR, Australian Privacy Act, US State Law).
02) Does your organisation have formal agreements in place that have appropriate security clauses, including a right to audit and mandatory adherence to security policies?
Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that contains appropriate security clauses including the right to audit and mandatory adherence to appropriate security policies.
03) Does your organisation conduct a business impact assessment for each supplier and give them a corresponding criticality rating?
Answer yes if your organisation assigns each supplier with a criticality rating that is based on a corresponding business impact assessment.
04) Does your organisation have a supplier security policy that outlines the security requirements that your suppliers are expected to meet?
Answer yes if your organisation has documented the baseline level of security controls that it expects its suppliers of different criticalities to adhere to. The Risk Ledger platform can be used for this - get in touch!
05) Does your organisation conduct security due diligence against suppliers before entering into a contract?
Answer yes if your organisation checks that each supplier has the required level of security in controls in place before it enters into a contract with them. The Risk Ledger platform can be used for this - get in touch!
06) Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?
Answer yes if your organisation checks that suppliers are continually meeting their security requirements whilst you are in contract with them, through regular assurance process (e.g. quarterly, annually). Provide details of your current process. The Risk Ledger platform can make this easier for you - get in touch!
00) Does your organisation collect, process, or store personal data, other than that of your own employees?
Answer yes if your organisation collects, processes or stores information that relates to an identified or identifiable individual. You need not answer yes if the only personal data you process is that of your own employees for HR requirements. Data collection also includes any identifiable information collected from web cookies.
01) Which countries do you store personal data in, or transfer personal data to?
List all countries where personal data controlled or processed by you resides or is transferred to or through. This includes the location of your head office and datacentres, as well as locations of sub-processors. For each country listed, describe what data is stored or transferred and under what circumstances.
02) Do you use appropriate legal mechanisms for all international transfers of personal data?
Answer yes if you have processes in place to ensure that every cross-border transfer of personal data has the appropriate contractual / legal mechanisms in place, depending on your jurisdiction. For example, this could be an international data transfer agreement, or an adequacy decision. Describe in the notes section which mechanism is used for which instances of data transfer.
03) Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months?
Answer yes if your organisation has received a request from any government or other authority to provide access to personal data. Provide information about the nature, volume and origin of requests, including how many you complied with in the notes section, or through supporting evidence (e.g. a link to your transparency report or a document upload).
04) Does your organisation have a nominated Data Protection Officer (DPO)?
Answer yes if your organisation has a nominated Data Protection Officer (DPO) who undertakes regular compliance checks and leads on continual privacy improvement. Describe in the notes section details about how your DPO monitors compliance with relevant data protection obligations.
05) Does your organisation have an up-to-date Data Protection Policy?
Answer yes if your organisation has a Data Protection Policy that has been reviewed in the last year. Upload your Data Protection Policy as evidence.
06) Does your organisation maintain a record of all personal data collection & processing activities?
Answer yes if you document your personal data processing activities. This could be through data flow diagrams or written documentation and should include details of collection, purpose, storage, access, use, sharing, and retention. Describe how you do this in the notes.
07) Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?
Answer yes if your organisation has documented the legal justification for processing personal data in each instance. The criteria for a valid lawful basis will depend on your jurisdiction.
08) Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals?
Answer yes if your organisation conducts a Data Protection Impact Assessment (DPIA) for all processing of personal data that is likely to result in a high risk to individuals. To find out more about Data Protection Impact Assessments, see the Risk Ledger Knowledgebase.
09) Can your organisation facilitate an individual's data privacy rights?
Answer yes if your organisation has the correct processes in place to be able to provide the relevant individual data privacy rights to all of the data subjects for whom you hold data (e.g. the right to subject access, the right to erasure…).
10) Does your organisation have a Records Retention Policy?
Answer yes if your organisation has a Records Retention Policy that has been reviewed in the last year. Upload your Records Retention Policy evidence.
11) Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches?
Answer yes if your organisation has robust detection, investigation and reporting procedures in place for all personal data breaches. This should include assessing the likely risk to individuals as a result of the breach, informing affected individuals without undue delay, and documenting the facts surrounding personal data breaches in a Breach Log. Provide details about your processes surrounding a personal data breach in the notes section, including uploading any relevant documentation.
12) Does your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs?
Answer yes if your organisation has a documented process for notifying the relevant Authority for your jurisdiction and all data controllers or other relevant parties when it becomes aware of a security breach involving Personal Data.
13) Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months?
Answer yes if your organisation has had a security incident that led to a Personal Data breach in the last 6 months. If you answered yes, describe the nature of the breach in the notes section and attach a root cause analysis report for each listed breach.
14) Does your organisation process personal data on behalf of another organisation?
Answer yes if your organisation processes personal data on behalf of another organisation where they are the data controller and you are the data processor.
15) Does your organisation have procedures in place to inform and obtain authorisation (if required) from the data controller before engaging a sub-processor?
Answer yes if you have ways to ensure that new sub-processors are authorised by or communicated to the data controller before the new sub-processing takes place. Upload evidence or describe how this is ensured in the notes.
16) Does your organisation ensure that processing activities are only carried out under the documented instructions of the data controller?
Answer yes if you have processes or policies which ensure data is only processed in the way in which your data controller has requested, and you have written instructions from the controller describing this. Describe in the notes how you obtain these instructions from data controllers and how you ensure data is not processed in any way outside of the documented written instructions.
01) Does your organisation have a documented AI Policy?
Answer yes if your organisation has a documented AI Policy that describes your organisation’s approach to using AI, including information such as, but not limited to: governance, roles and responsibilities, and policies describing the responsible use of AI technologies. Upload the AI Policy as evidence. In addition, if your policy adheres to any AI risk management frameworks (e.g. ISO/IEC 42001, EU AI Act, NIST AI RMF), state this in the notes section and upload relevant documentation as evidence.
02) Does your organisation use Machine Learning or Generative Artificial Intelligence (AI) models for internal use-cases?
Answer yes if Machine Learning or Generative AI models are used anywhere within your organisation. This includes the use of AI features or capabilities embedded in your supplier’s services or any SaaS tools your people use (e.g. Google Gemini or Microsoft’s Copilot). Unless it has been specifically prohibited and the restriction technically enforced, it is likely that AI is being used somewhere within your organisation and you should answer yes to this question.
03) Has your organisation conducted a risk assessment of each internal use of AI models?
Answer yes if your organisation has conducted and documented a regulatory compliance and security risk assessment for each AI-supported service that is used, including both internally developed and supplier-provided services. Examples of risk assessment considerations include: how the LLM service operates and is secured compared with the requirements of EU AI Act or the OWASP Top 10 for LLM, an evaluation of output accuracy or bias countermeasures, abuse prevention measures, and risk of Intellectual Property or Copyright infringement claims resulting from public use of AI-generated output. Upload supporting document(s) evidencing the assessment(s), or describe the assessment(s) in the notes section.
04) Is any of your information or data (e.g. prompts) used to train AI models?
Answer yes if any of the AI-supported services used by your organisation use your organisational data and information to train the AI models. Where information is used for AI training, describe any controls you have in place to mitigate risks related to your confidential or sensitive data being stored and re-used.
05) Do you have processes in place to ensure your service user evaluates the AI model responses before use?
Answer yes if you have ensured, as far as you are able, that your people (employees, managed contract resources or anyone else acting on behalf of your organisation) have reviewed and evaluated the AI model output before use. These processes should help mitigate the risks arising from inaccuracies or ‘hallucinations’ (plausible but fabricated statements) within AI outputs which, if applied without human review, can impact integrity and mislead decision-making. Describe how you ensure this human review takes place in all circumstances or upload supporting documentation.
06) Where automated decision-making technologies are used, are technical and/or procedural guardrails implemented to prevent actions that could adversely impact critical systems or services?
Answer yes if guardrails are in place to restrict the automatic implementation of outputs from any automated decision-making technologies (ML, AI agents, etc.) that might have an adverse impact on critical systems or services.
07) Where automated decision-making technologies are used, can system or service configuration decisions be reproduced through testing with identical inputs and do you retain sufficient records to identify any variance in decisions?
Answer yes if you have the capability to review output from automated decision-making technologies (ML, AI agents, etc.), perform testing to reproduce expected outcomes, and retain sufficient records of relevant input and output to support the identification of unexpected or inconsistent results.
08) Does your organisation use Machine Learning or Generative Artificial Intelligence (AI) models in any services provided to clients or is client data otherwise exposed to AI models?
Answer yes if Machine Learning or Generative AI models are used anywhere within the services provided to your clients or anywhere that might touch client data. This includes the use of AI features or capabilities embedded in your supplier’s services or any SaaS tools your people may use (e.g. Google Gemini or Microsoft’s Copilot), if they are used to provide client services. If AI is used within some, but not all of the services you provide, you should answer yes. Describe in the notes section which of your services use AI and a brief description of where and how AI is used in each service.
09) Has your organisation conducted a regulatory compliance and security risk assessment of how your AI or AI-supported service processes and responds to client data and information?
Answer yes if your organisation has conducted and documented a regulatory compliance and security risk assessment for each AI or AI-supported service you provide. Examples of what should be considered in each risk assessment include: how the LLM service operates and is secured compared with the requirements of EU AI Act or the OWASP Top 10 for LLM, an evaluation of output accuracy or bias countermeasures, abuse prevention measures, and risk of Intellectual Property or Copyright infringement claims resulting from public use of AI-generated output. Upload supporting document(s) evidencing the assessment(s), or describe the assessment(s) in the notes section.
10) Do your AI or AI-supported service(s) encourage service users to evaluate the AI model’s responses before use?
Answer yes if you have ensured, as far as you are able, that the users of your service have reviewed and evaluated the AI model output before use. The measures you have put in place should help mitigate the risks arising from inaccuracies or ‘hallucinations’ (plausible but fabricated statements) within AI outputs which, if applied without human review, can impact integrity and mislead decision-making. Depending on the service, this could include tagging output as 'AI generated' or providing workflows to enable the review. Upload a supporting document outlining how you have enabled this, or describe the measures you have put in place in the notes section.
11) Is client data processed by the AI model discarded and erased from memory when processing of that data has completed?
Answer yes if client data processed by the AI model is discarded at completion of each defined processing purpose (for example, text input discarded after the processing of each specific Large Language Model prompt). Describe, for example, the purpose of processing, the expected duration in memory and erasure actions applied to ensure the removal of clients' potentially sensitive data and the integrity of data processed in the next cycle. If client data is retained longer than the defined purpose, outline how that is stored (for example the expected duration in a database) and the purpose of storage. Upload a supporting document outlining the process, or describe the process in the notes section as evidence.
12) Is sensitive data (including personal or confidential data) removed, masked or otherwise prevented from being input into AI models for all services you provide?
Answer yes if you have controls in place to ensure that sensitive data is not processed by AI. This could include any data that has been defined by your customers as confidential, for example intellectual property or commercially sensitive information, in addition to personal information. These controls may include identifying and pre-treating data before AI processing or other controls to prevent the input of certain information. Describe how this is achieved in the notes section.
13) Is client data and information (e.g. prompts) used to train AI models?
Answer yes if any client data is used to train your AI model, or external AI models used to provide supplier services. Describe which client data may be used to train AI models and how this is communicated to those clients.
14) Does your organisation have a formal AI model change management process that gives consideration to information security and regulatory requirements and includes notification to relevant clients?
Answer yes if your organisation has a formal change management process that includes a step to assess any security or legal compliance risks that the change may impact, requires a rollback plan, and includes processes for notifying relevant clients of the changes and any consequential processing differences. Change management can apply if either the AI model is updated, or the data applied to the model is changed (e.g. the model is applied to support new services processing different client data). Upload a copy of your AI change management process, or describe the process in the notes section.
15) Does your organisation have processes in place to identify, triage and remediate the effects of AI model updates?
Answer yes if your organisation evaluates the effects of changes of the underlying AI Model, whether that model is created and maintained by you or is adopted and applied from an external source (e.g. Amazon Bedrock AI as a Service). Change impacts can include changes in output accuracy or bias and the potential need to reprocess historic data for analysis consistency. Describe how you evaluate the effects of these changes or upload supporting documentation.
01) Is your organisation a legally registered entity?
Answer yes if your organisation is a legally registered entity and upload proof of registration (as a PDF file, this is typically a certificate of incorporation) as evidence. Please note the country or jurisdiction in which your company is registered in the notes.
02) Does your organisation have enough working capital to remain viable for the next 12 months?
Answer yes if your organisation has enough working capital to remain viable for the next 12 months.
03) Does your organisation have 3 years (or more) of published annual accounts?
Answer yes if your organisation has 3 years (or more) of published annual accounts. Please upload the last 3 years of accounts as evidence. If your organisation has fewer than 3 years of accounts, please upload any accounts that have been published (as PDF files).
04) Does your organisation have a documented set of policies and procedures for managing compliance with all applicable anti-money laundering (AML) laws and regulations, including anti-terrorism financing laws and regulations, within the jurisdictions that you operate?
Answer yes if your organisation has an established and documented framework for maintaining anti-money laundering compliance with all applicable laws and regulations. Please upload (as a PDF file) a document outlining the framework as evidence.
05) Does your organisation have a documented set of policies and procedures for managing compliance with all applicable anti-bribery and corruption (AB&C) legislation or regulations in the jurisdictions in which you operate?
Answer yes if your organisation has a documented set of policies and procedures for managing compliance with all anti-bribery and corruption (AB&C) legislation or regulation in the jurisdictions in which you operate.
06) Does your organisation have a policy to manage conflicts of interest relevant to anti-bribery and corruption?
Answer yes if your organisation has a policy to manage conflicts of interest relevant to anti-bribery and corruption.
07) Does your organisation provide employees with regular anti-bribery and corruption compliance training, including at onboarding?
Answer yes if your organisation provides AB&C compliance training at regular intervals. Please describe the nature and frequency of the training within the notes.
08) Does your organisation conduct assurance against its third party suppliers, agents, and sub-contractors to ensure that they have a required level of anti-bribery policies and procedures in place?
Answer yes if your organisation conducts supplier assurance to ensure your suppliers have the correct anti-bribery policies and procedures in place.
09) Does your organisation have a documented set of policies and procedures to ensure compliance with financial and trade sanctions?
Answer yes if your organisation has an established and documented set of policies and procedures for monitoring and maintaining compliance with financial sanctions. Please upload your policy and process documents (as PDF files) as evidence.
10) Does your organisation have a compliance officer or equivalent role dedicated to financial crime, including economic and trade sanction compliance?
Answer yes if your organisation has a compliance officer dedicated to maintaining your organisation's compliance with all applicable financial crime regulations, including economic and trade sanctions.
11) Does your organisation conduct ongoing due diligence to ensure your company is not dealing with a sanctioned company or individual?
Answer yes if your organisation conducts ongoing checks to ensure compliance with all applicable economic and trade sanctions.
12) Does your organisation have pre-transaction screening processes that make use of all applicable economic and trade sanctions lists?
Answer yes if your organisation conducts pre-transaction screening that makes use of all applicable economic and trade sanctions lists. Please list the relevant lists used in the notes.
13) Does your organisation provide employees with regular sanctions training, including at onboarding?
Answer yes if your organisation provides employees with regular sanctions training. Please describe the nature and frequency of the training within the notes.
14) Does your organisation have an established, consistent, and documented framework in place covering the detection, prevention, response to and investigation of suspicious or fraudulent activity?
Answer yes if your organisation has an established and documented framework for detecting, preventing, responding to, and investigating suspicious or fraudulent activity. Please upload (as a PDF file) a document outlining the framework as evidence.
15) Does your organisation have a documented fraud response plan?
Answer yes if your organisation has a documented fraud response plan. The plan should cover your organisation's internal processes and reporting lines for the reporting and investigation of any instances of fraud. Please upload the plan (as a PDF file) as evidence.
16) Is financial crime considered at senior management level within your organisation?
Answer yes if your organisation has a member of senior management who is responsible for financial crime or a process for ensuring financial crime risk & treatment action is considered by the senior management team.
17) Does your organisation provide employees with regular fraud prevention training and/or awareness sessions, including at onboarding?
Answer yes if your organisation provides employees with regular fraud prevention training or awareness programmes. Please describe the nature and frequency of the training within the notes.
18) Does your organisation have public liability insurance?
Answer yes if your organisation holds a valid public liability insurance policy. Please provide the certificate of insurance (as a PDF file) as evidence.
19) What is the limit of your organisation's public liability insurance policy (in GBP)?
Please state the limit of the cover in GBP (if in another currency, please convert to GBP).
20) Does your organisation have professional indemnity insurance?
Answer yes if your organisation holds a valid professional indemnity insurance policy. Please provide the certificate of insurance (as a PDF file) as evidence.
21) What is the limit of your organisation's professional indemnity insurance policy (in GBP)?
Please state the limit of the cover in GBP (if in another currency, please convert to GBP).
22) Does your organisation have Employers' Liability insurance?
Answer yes if your organisation holds a valid employers' liability insurance policy. Please provide the certificate of insurance (as a PDF file) as evidence.
23) What is the limit of your organisation's employers' liability insurance policy (in GBP)?
Please state the limit of the cover in GBP (if in another currency, please convert to GBP).
24) Does your organisation have cyber insurance?
Answer yes if your organisation holds a valid cyber insurance policy. Please provide the certificate of insurance (as a PDF file) as evidence.
25) What is the limit of your organisation's cyber insurance policy (in GBP)?
Please state the limit of the cover in GBP (if in another currency, please convert to GBP).
01) Does your organisation have any certifications or audit reports that cover environmental, social or governance issues (such as ISO 14001, ISO 45001 or B Corporation certification)?
Answer yes if your organisation has obtained any certifications or any external audit reports which cover any environmental, social or governance issues. Please state the certification or report in the notes and please upload a PDF of the relevant certification or report as evidence.
02) Does your organisation have a documented Environmental Management policy?
Answer yes if your organisation has a documented environmental management policy that looks to minimise your organisation's impact on the environment. The policy must have undergone senior management review and approval within the last year. Please upload the policy (as a PDF file) as evidence.
03) Does your organisation publicly share metrics related to your Environmental, Social & Corporate Governance?
Answer yes if your organisation publicly shares information and metrics about your environmental and social impact. Please upload a copy of the latest report as evidence or provide a link to it.
04) Does your organisation conduct any activities that might be deemed as hazardous to the environment?
Answer yes if your organisation conducts any activities that could be perceived to be hazardous to the environment. This could include but is not limited to mining, construction, demolition, manufacturing, chemical processing, or fossil fuels. Please describe your business activities in the notes.
05) Has your organisation received any adverse media coverage, legal action, penalties or sanctions for environmental reasons?
Answer yes if your organisation has been subject to any adverse media coverage or legal action relating to environmental concerns or if your organisation has received any penalties or sanctions for environmental reasons. Please include details in the notes.
06) Does your organisation measure its scope 1, scope 2, or scope 3 emissions as per Greenhouse Gas (GHG) Protocol standards?
Answer yes if your organisation measures its scope 1, scope 2, or scope 3 emissions as defined by the Greenhouse Gas (GHG) Protocol. If you only measure your scope 1 or 2 emissions, please still answer yes and provide the relevant information in the following questions.
07) What are your scope 1 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 1 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 1 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
08) What are your scope 2 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 2 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 2 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
09) What are your scope 3 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 3 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 3 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
10) Is your organisation working towards a net zero carbon emissions target?
Answer yes if your organisation is proactively working towards achieving net zero carbon emissions. Please attach your Carbon Reduction Plan (or similar) if you have one.
11) When do you expect to achieve net zero carbon emissions?
Please state the year in which you expect your organisation to achieve net zero carbon emissions.
12) Does your organisation have a documented Health & Safety Policy?
Answer yes if your organisation has a documented Health & Safety policy. Please upload the policy (as a PDF file) as evidence.
13) Does your organisation have a senior manager or board member who is responsible for your Health & Safety Programme?
Answer yes if your organisation has an appointed resource that is responsible for the design and delivery of your company's health and safety programme. This is typically a health and safety officer. In the notes, please outline the job role and whether or not this is a dedicated full time position.
14) Does your organisation have an established and consistent framework for Health and Safety which includes provisions to ensure a safe and hygienic working environment for all of your personnel, in accordance with local health and safety laws and industry best practices?
Answer yes if your organisation has implemented a framework for managing health and safety compliance across your company. The framework must include health and safety awareness initiatives (such as posters), a risk assessment programme, a defined and auditable reporting process, and relevant and valid insurance policies (in the UK this is covered by your employers' liability insurance). Please describe how you manage Health & Safety in the notes.
15) Does your organisation work to a committed code of business ethics which includes ethical labour practices?
Answer yes if you commit to the standards set out in a publicly recognised code of ethics such as the Ethical Trading Initiative (ETI) Base Code or if your organisation has developed and abides by its own code of ethics covering labour practices. Please give more details in the notes section.
16) Does your organisation ensure compliance with all applicable human rights laws and regulations?
Answer yes if your organisation is fully compliant with all applicable human rights laws and regulations. This may include, but is not limited to, the International Bill of Human Rights, the UK Modern Slavery Act 2015, and the EU working time directive. Please note that these laws and regulations may require further actions from your organisation to ensure compliance. Please describe how you comply in the notes section and upload evidence of relevant policies, processes or compliance documents.
17) Does your organisation have policies and procedures in place that ensure the prevention of modern slavery?
Answer yes if your organisation has policies and accompanying procedures in place to prevent modern slavery in your own organisation and within your supply chains. Relevant policies may include: Supplier code of conduct, Migrant worker policy, Child labour policy, Human rights policy, Recruitment policy, Procurement policy, Employee code of conduct, Policies concerning access to remedy, compensation and justice for victims of modern slavery, Policies that relate to staff training and increasing awareness of modern slavery, Policies that relate to worker wages, welfare and living standards. Please include in the notes details of your policies and procedures and upload the relevant documents (as PDF files) as evidence.
18) Have any incidents of modern slavery been recorded or uncovered within your organisation or supply chains in the past 12 months?
Answer yes if there have been any suspected or confirmed cases of modern slavery within your organisation or within your supply chain in the past 12 months. Please include in the notes details about how the incidents were identified and investigated, and what action was taken.
19) Does your organisation provide a grievance mechanism for workers to raise workplace concerns?
Answer yes if your organisation has a mechanism in place (backed up by a written policy document with a defined process) that allows employees and contractors to address grievances relating to their employment. Please upload the policy document (as a PDF file) as evidence.
20) Does your organisation have a documented diversity and inclusion policy?
Answer yes if your organisation has a documented diversity and inclusion policy that outlines the organisation's commitment to providing an inclusive and supportive environment for staff, contractors and visitors that is free from discrimination.
21) Does your organisation provide a confidential method (also known as a whistleblowing procedure) for employees and contract staff to freely report any perceived issues that might impact your clients or their customers?
Answer yes if your organisation has a defined and documented procedure that enables employees and contract staff to report any incidents or perceived issues confidentially. This is typically provided through a confidential phoneline or email address. Please outline the process in the notes section provided, or upload a policy or process document (as a PDF file) as evidence.
22) Does your organisation clearly inform employees and contract staff how to access and utilise the whistleblowing procedure to confidentially report any issues?
Answer yes if your organisation clearly informs all employees and contract staff how to access and utilise the whistleblowing procedure.
23) Does your organisation conduct regular assurance activities against its suppliers to ensure they are operating in line with your own environmental, social and governance policies, including checking that they are compliant with relevant laws and regulations?
Answer yes if your organisation conducts regular (e.g. quarterly, annual) supplier assurance to ensure your suppliers meet the same standards of environmental management, social responsibility, and governance that are expected of your organisation, and that they are compliant with all applicable laws and regulations. Describe the nature and frequency of the assurance activities in the notes.