By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
DenyAccept
Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Domain
A
Security Governance
This domain covers how your security governance is designed, implemented, and maintained.
Security Risks
Domain
B
Security Certifications
This domain covers how your organisation maintains compliance with key security certifications.
Security Risks
Domain
C
HR Security
This domain covers the security controls you have implemented to mitigate security risk from your employees.
Security Risks
Domain
D
IT Operations
This domain covers the security controls you have implemented to maintain the health of your IT systems and processes.
Security Risks
Domain
E
Software Development
This domain covers the security controls you have implemented during the development of your IT applications.
Security Risks
Domain
F
Network and Cloud Security
This domain covers the security controls you have implemented to maintain the security and integrity of your corporate network and any cloud infrastructure.
Security Risks
Domain
G
Physical Security
This domain covers the physical security controls you have implemented to protect your organisation's physical premises.
Security Risks
Domain
H
Business Resilience
This domain covers the processes and plans you have in place to ensure a quick recovery if a failure occurs.
Security Risks
Domain
I
Supply Chain Management
This domain covers the processes and controls you have in place to ensure the security risk from your supply chain is mitigated.
Security Risks
Domain
J
Data Protection
This domain covers compliance with data protection legislation.
Security Risks
Domain
K
Artificial Intelligence
This domain covers use of Artificial Intelligence (AI) in your organisation and what you have done to prevent, identify, and respond to evidence of risk.
Security Risks
Domain
XA
Financial Risk
This domain covers financial risk in your organisation and what you have done to prevent, identify, and respond to evidence of financial risk.
Financial Risk
Domain
XB
Environmental, Social and Governance
This domain covers how your organisation manages and governs its environmental and social impact.
Environmental, Social and Governance
Domain A Question
1
01) Does your organisation conduct an annual independent information security review and act upon the findings?
Answer yes if your organisation engages a third party to conduct an annual information security review, the findings are assessed by your organisation and acted upon if necessary. If yes, please add the date of your last review to the notes.
Domain A Question
2
02) Does your organisation have an appointed person responsible for information security, such as a CISO?
Answer yes if your organisation has an appointed role that is responsible for managing and implementing security controls throughout your business. Please confirm the role and its responsibilities in the notes or provide a job role description (as a PDF file) as evidence.
Domain A Question
3
03) Does your organisation have a documented Cybersecurity Policy or Information Security Policy?
Answer yes if your organisation has a documented Cyber Security Policy or Information Security Policy that has been reviewed in the last year. Please provide the Information Security Policy (as a PDF file) as evidence.
Domain A Question
4
04) Does your organisation have a formal policy on the use of mobile devices?
Answer yes if your organisation has a documented Mobile Device Policy that has been reviewed in the last year. Please provide the Mobile Device Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Domain A Question
5
05) Does your organisation have a formal policy for remote working that includes security?
Answer yes if your organisation has a documented Remote Working Policy that has been reviewed in the last year. Please provide the Remote Working Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Domain A Question
6
06) Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information?
Answer yes if your organisation has a documented Acceptable Use Policy that has been reviewed in the last year. Please provide the Acceptable Use Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Domain A Question
7
07) Does your organisation have a documented Information Classification Policy?
Answer yes if your organisation has a documented Information Classification Policy that has been reviewed in the last year and that outlines the data handling procedures in operation within your organisation. Please provide the Information Classification Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Domain A Question
8
08) Does your organisation have a documented Access Control Policy?
Answer yes if your organisation has a documented Access Control Policy that has been reviewed in the last year. Please provide the Access Control Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Domain A Question
9
09) Does your organisation have a policy governing the use of cloud services?
Answer yes if your organisation has a documented policy on the use of cloud services, and if it has been reviewed in the last year. The policy should include information security requirements for the acquisition, use, management, and exit from cloud services. Please provide the Cloud Services Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Domain A Question
10
10) Does your organisation have a Password Policy that is technically enforced throughout its IT estate?
Answer yes if your organisation has a documented Password Policy which is enforced technically throughout the IT estate. Please provide the Password Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes. Please also include information about any controls you have to prevent brute-force attacks on passwords, such as account lockout thresholds or time-delays between password attempts.
Domain A Question
11
11) Does your organisation have a documented Backup Policy?
Answer yes if your organisation has a documented Backup Policy that has been reviewed in the last year. Please provide the Backup Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Domain A Question
12
12) Does your organisation enforce a Clear Desk and Screen Policy?
Answer yes if your organisation has implemented and enforces a Clear Desk and Screen Policy. Please provide the Clear Desk and Screen Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Domain A Question
13
13) Does your organisation prevent the use of removable media, and is this enforced technically?
Answer yes if your organisation blocks the use of removable media on your network and if this is enforced through the use of a technical control.
Domain A Question
14
14) If the use of removable media is not prohibited and enforced technically, is its use subject to other compensatory controls?
Answer yes if your organisation subjects the use of removable media to technical controls (these can include DLP solutions, encrypted USB drives, training and awareness etc.). If yes, please describe the nature of these controls within the notes.
Domain A Question
15
15) Are your organisation's information security policies accessible to all employees?
Answer yes if all of your employee's have continuous access to your organisation's up-to-date policies (for example, through an intranet, cloud service, or networked drive).
Domain A Question
16
16) Are your organisation's information security policies reviewed and approved by senior management at least annually?
Answer yes if all of your organisation's security policies are reviewed and approved by senior management.
Domain A Question
17
17) Has your organisation documented senior management roles and responsibilities for security within your organisation?
Answer yes if your organisation has clearly defined and documented the security roles and responsibilities of senior management. Please provide the documented roles (as a PDF file) as evidence.
Domain A Question
18
18) Does your organisation include information security during the planning and delivery of projects?
Answer yes if you include information security in your planning and delivery of projects (for example, by conducting a security risk assessment of each project and implementing project controls).
Domain A Question
19
19) Does your organisation restrict employee access to business information based upon the principle of least privilege?
Answer yes if you only give each employee access to the business information that they require to complete their job role (this is known as the principle of least privilege).
Domain A Question
20
20) Does your organisation have an internal audit function that ensures information security requirements are being met by the business?
Answer yes if you have an internal team who audit your security function against your policies to ensure compliance. Please comment on the frequency of the audits in the notes.
Domain A Question
21
21) Does your organisation conduct security risk assessments for your full IT estate at least annually?
Answer yes if your organisation conducts regular (at least annual) security risk assessments against the whole IT estate and takes appropriate action. Following a risk assessment, identified risks should be tracked, with assigned owners and risk treatment plans.
Domain A Question
22
22) Does your organisation have a formal confidentiality or non disclosure agreement in place for all staff, contractors and third parties?
Answer yes if you require everyone who has access to confidential information to sign a confidentiality agreement or NDA. Please provide a template NDA (as a PDF file) as evidence.
Domain A Question
23
23) Does your organisation segregate duties to prevent unauthorised disclosure or access to information?
Answer yes if your organisation has identified and segregated relevant duties to help reduce errors and to prevent fraud. Please give an example of such segregation in the notes.
Domain A Question
24
24) Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?
Answer yes if your organisation has a defined process for terminating a client contract and removing all relevant client data securely. Please describe the process in the notes or provide a supporting document (as a PDF file) as evidence.
Domain A Question
25
25) Does your organisation use threat intelligence to inform decisions about information security?
Answer yes if your organisation uses threat intelligence to make smarter decisions relating to information security strategy, policy, processes or operations. This could be collected, analysed and produced internally, or gathered from external sources such as information services or special interest groups. In the notes section, please describe how you collect, analyse and use threat intelligence within your organisation, or upload a document (as a PDF file) as supporting evidence.
Domain B Question
0
00) Does your organisation hold any certifications in information security?
Answer yes if your organisation has been certified to an information security standard (such as PCI DSS, Cyber Essentials or ISO27001) or has completed an information security audit such as a SOC2.
Domain B Question
1
01) Is your organisation Cyber Essentials certified?
Answer yes if your organisation is certified to the first level Cyber Essentials scheme. Please provide your Cyber Essentials certificate as evidence.
Domain B Question
2
02) Is your organisation Cyber Essentials Plus certified?
Answer yes if your organisation has been certified to the Cyber Essentials Plus scheme by a relevant certification body. Please provide your Cyber Essentials Plus certificate as evidence.
Domain B Question
3
03) Is your organisation ISO27001 certified?
Answer yes if your organisation has a current, valid ISO27001 certification. Please provide your ISO27001 certificate and Statement of Scope as evidence (as a PDF file) and copy the certificate scope statement into the notes section.
Domain B Question
4
04) Is your organisation aligned with the NIST Cybersecurity Framework?
Answer yes if your organisation is aligned with the NIST Cybersecurity Framework.
Domain B Question
5
05) Are you PCI DSS compliant?
Answer yes if your organisation is compliant with the PCI DSS security standard. If you have certified against the standard, please provide your certificate.
Domain B Question
6
06) Does your organisation have any other certifications or audit reports that cover information security (such as a SOC 2 report)?
Answer yes if your organisation has completed any other information security audits or certifications. If yes, please state the certification or report in the notes and please provide the relevant certification or report as evidence.
Domain C Question
1
01) Does your organisation perform background checks on staff and contractors?
Answer yes if background checks are conducted against staff before they join your organisation. In the notes section, please outline the types of checks (e.g. employer reference, criminal records, BPSS, CTC, SC, DV) conducted for which roles or provide a supporting document (as a PDF file) as evidence.
Domain C Question
2
02) Do employment contracts include consenting to all information security responsibilities in line with organisational policies and procedures?
Answer yes if your organisation's employment contracts include a clause in which the employee must consent to abiding by all of your organisation's security policies. Please provide a template contract (as a PDF file) as evidence or copy the clause into the notes section.
Domain C Question
3
03) Do employees receive an information security and data protection training programme?
Answer yes if your organisation runs an information security and data protection training programme for all of your employees. Please outline the nature and frequency of the training programme in the notes section, including any additional training provided to staff with greater responsibility or more privileged system access.
Domain C Question
4
04) Is there a formal disciplinary process for employees who have breached company policy (including any breaches of company security policy)?
Answer yes if your organisation has a formal disciplinary process that is followed if an employee is found to have intentionally breached company policy. Please provide a document outlining the process (as a PDF file) as evidence (this may be covered by your organisation's Disciplinary Policy).
Domain C Question
5
05) Does your organisation have arrangements in place to provide an alternate resource when a member of staff is not available for an extended period of time?
Answer yes if your organisation has a process in place to source additional staff if one of your organisation's employees is not available for an extended period of time. Please outline the process in the notes section.
Domain D Question
1
01) Does your organisation keep an up-to-date inventory of all IT assets with assigned owners?
Answer yes if your organisation keeps an up-to-date inventory of all hardware and software assets within your IT estate, including cloud services. The inventory must list an owner against each asset. It should also list other details about the assets such as version numbers, business usage & location. Please include details in the notes.
Domain D Question
2
02) Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners?
Answer yes if your organisation keeps an up-to-date inventory of all data repositories within your IT estate, including any hosted within cloud services. The inventory must list an owner against each asset.
Domain D Question
3
03) Does your organisation have a formal process to ensure that employees, contractors and third party users return all IT assets when they leave the organisation?
Answer yes if your organisation has a formal process that ensures employees, contractors and third party users return all IT assets when they leave the organisation (this usually takes the form of a checklist).
Domain D Question
4
04) Does your organisation have a process for editing or removing employee access to systems and information (whether digital or physical) when they are changing role or leaving the organisation?
Answer yes if your organisation has a formal process that ensures all access to your organisation's systems & information (this includes, but is not limited to corporate endpoints, networks, offices and third party services) is removed when employees, contractors and third party users leave the organisation and is updated when they change roles. Please describe these processes within the notes and/or upload any relevant evidence.
Domain D Question
5
05) Does your organisation have a documented process for provisioning user accounts for all of your IT services that includes appropriate authorisation and secure account creation with unique user IDs?
Answer yes if your organisation requires all users to have a secure and unique logon to access corporate endpoints, networks, and third party services, and if these logons are provisioned securely and with line manager authorisation. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence. If any generic or shared accounts are used, please specify what these are used for and any processes you have in place to minimise their usage.
Domain D Question
6
06) Does your organisation enforce multi-factor authentication on all remotely accessible services (both within your internal IT systems and on third party services)?
Answer yes if your organisation enforces multi-factor authentication on all public facing services that it uses (this includes third party web based services).
Domain D Question
7
07) Are privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned?
Answer yes if your organisation requires privileged user accounts and accounts for sensitive services (such as network administrators) to receive a higher level of authorisation before they are provisioned. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence.
Domain D Question
8
08) Does your organisation regularly audit employee access rights for all IT services (whether internal or third party based)?
Answer yes if your organisation conducts regular user access audits to make sure that all users have the correct and up-to-date access to business information. This should include audit of any shared or generic accounts. Please outline the audit process in the notes section or provide a supporting document (as a PDF file) as evidence.
Domain D Question
9
09) How many access audits does your organisation conduct each year, for regular employee accounts?
Please state the number of times access audits are completed for users each year.
Domain D Question
10
10) How many access audits does your organisation conduct each year, for privileged employee accounts?
Please state the number of times access audits are completed for users each year.
Domain D Question
11
11) Does your organisation use Privileged Access Management controls to securely manage the use of privileged accounts for system administration?
Answer yes if your organisation has systems and/or processes in place to help ensure privileged accounts are only used for the intended purposes, in a secure way. This could include the use of administration proxies (jump boxes or bastion hosts), Privileged Access Workstations (PAWs), temporary credentials, additional approval processes, or ensuring privileged accounts are not used for normal business activities, such as email or web-browsing. Please describe your PAM controls in the notes section or provide a supporting document (as a PDF file) as evidence.
Domain D Question
12
12) Do all of your organisations systems automatically lock after a short period of inactivity (requiring re-authentication)?
Answer yes if your organisation's systems automatically lock after a period of inactivity and require the user to re-authenticate.
Domain D Question
13
13) For how many minutes does a user have to be inactive before the system is locked?
Please state how long a user must be inactive for (in minutes) before the systems lock. If times vary between systems, please put the highest value and state the others in the notes.
Domain D Question
14
14) Does your organisation use/provision a password manager to ensure passwords are of the required complexity and only used once?
Answer yes if your organisation provides staff with a password management solution to help facilitate password complexity and uniqueness.
Domain D Question
15
15) Has your organisation disabled auto-run on all of its Microsoft Windows based IT systems?
Answer yes if your organisation has disabled auto-run on all of its IT systems. Autorun is a feature on Windows’ operating systems that automatically executes code present on external devices when they are plugged into a PC.
Domain D Question
16
16) Has your organisation removed local administrator rights on all end point devices for all employees that do not require it?
Answer yes if your organisation provides users who do not require local administrator privileges with user accounts (without administrator rights) on their endpoint systems.
Domain D Question
17
17) Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems including servers, endpoints, network devices and systems hosted in a cloud environment?
Answer yes if your organisation has a configuration process that is followed for all IT assets. The process should define security settings and disable unneeded services, thereby reducing your attack surface. Please describe how your secure configuration process is performed, including both automated and manual checks. Please upload any relevant documentation (as a PDF file) as evidence.
Domain D Question
18
18) Do all systems (such as network devices) have their default credentials changed on installation or provision?
Answer yes if all of your organisation's IT systems (network devices and user accounts for services) have their default credentials changed on installation or provision.
Domain D Question
19
19) Does your organisation have a formal change management process that gives consideration to information security?
Answer yes if your organisation has a formal change management process that includes a step to assess any security risks that the change may impact, and that requires a rollback plan. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.
Domain D Question
20
20) Does your organisation use anti-malware controls to protect all of its endpoints and internal IT infrastructure?
Answer yes if your organisation has deployed anti-malware solutions on all user endpoints and IT systems, and if these solutions receive regular signature updates and are configured to scan files regularly (at least daily). Please provide details of your malware protection solutions in the notes section.
Domain D Question
21
21) Does your organisation have procedures in place to control the installation of software on IT production systems (such as servers)?
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on production systems (for example, through the use of application whitelisting on servers). Please describe the nature of the controls in the notes.
Domain D Question
22
22) Does your organisation have procedures in place to control the installation of software on user endpoint systems?
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on user endpoint systems, including desktop PCs, laptops & mobile devices. This could be done through the use of application whitelisting, restricting user installation rights, device management software etc. Please describe the nature of the controls in the notes.
Domain D Question
23
23) Does your organisation use laptop devices?
Answer yes if your organisation allows the use of laptop devices for work purposes. In the notes, please describe whether these are typically company owned or personal devices.
Domain D Question
24
24) Are all of the laptop hard drives encrypted?
Answer yes if your organisation enforces hard drive encryption on all laptop devices. In the notes, please include details of the encryption algorithm(s) used and how this is enforced.
Domain D Question
25
25) Can your organisation remotely wipe company data on laptop devices?
Answer yes if your organisation has a process and technical solution that allows any lost or compromised laptop device to be remotely wiped.
Domain D Question
26
26) Does your organisation allow employees to access company data or services through mobile phones or tablets?
Answer yes if your organisation allows access to company data or services (e.g. email) through mobile devices. In the notes, please briefly describe the nature of the data / services accessible and whether the mobile devices are company owned or employee personal devices.
Domain D Question
27
27) Does your organisation technically enforce security controls on mobile phones and tablets before allowing access to company data or services?
Answer yes if your organisation requires technical enforcement of security controls on mobile phones and tablets before access to company data or services is granted. For example, this could be done through the use of MDM (Mobile Device Management) software. In the notes, please describe the nature of the controls, the method of enforcement and any related processes.
Domain D Question
28
28) Can your organisation remotely wipe company data on mobile phones and tablets?
Answer yes if your organisation has a process and technical solution that allows any lost or compromised mobile phone or tablet to be remotely wiped.
Domain D Question
29
29) Does your organisation encrypt client data on its IT systems?
Answer yes if your organisation encrypts client data on its IT systems. Please state the encryption algorithm used in the notes.
Domain D Question
30
30) Does your organisation ensure that all IT systems are regularly patched with security patches in line with vendor recommendations, including end point devices, servers, network devices, and applications?
Answer yes if your organisation runs a patch management process to ensure that all IT systems (end points, servers, network devices, and applications) are updated with security patches in line with the manufacturer's guidance. Please describe your patch management processes in the notes section including how you ensure all systems are in scope, or upload supporting documents (as PDF files).
Domain D Question
31
31) Does your organisation run any applications or systems that are no longer supported and no longer receive security updates?
Answer yes if your organisation uses any applications or systems for which the vendors do not provide regular security updates. In the notes, please describe how you discover & manage these systems, including any compensatory controls you have in place to protect them and any plans for decommissioning or replacement.
Domain D Question
32
32) Does your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained?
Answer yes if your organisation has a process to securely destroy all media that may hold business information. If a third party is used, only answer yes if your organisation receives certificates of destruction. Please provide a document outlining the process (as a PDF file) as evidence or describe the process in the notes section.
Domain D Question
33
33) Does your organisation take regular immutable backups of its digital production data in line with current best practise guidelines?
Answer yes if your organisation takes regular backups of its production data that cannot be altered, deleted or tampered with for a specified time period. Backups must be taken in line with best practice guidelines, for example by following the '3-2-1' rule and segregating the backups from your main environment. Please describe your backup processes including segregation, frequency, and any other controls in place.
Domain D Question
34
34) Does your organisation encrypt the backups to prevent unauthorised access to the backup data?
Answer yes if your organisation encrypts the backups to prevent unauthorised access to the data. Please state the encryption algorithm used in the notes section.
Domain D Question
35
35) Does your organisation regularly test backups to ensure their effectiveness?
Answer yes if your organisation regularly tests its backup data to ensure that the backups are effective and can be used when required. Please state the frequency of the tests in the notes section.
Domain D Question
36
36) Does your organisation use opportunistic TLS on all email services and are you able to apply enforced TLS to specific domains on request?
Answer yes if your organisation uses opportunistic TLS by default and has the capability to configure enforced TLS on email services to specific domains if requested.
Domain D Question
37
37) Has your organisation implemented SPF, DMARC, and DKIM for all of its email services?
Answer yes if your organisation has implemented effective SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records within its DNS services. Please state in the notes the type of DMARC policy set.
Domain D Question
38
38) Does your organisation prevent unauthorised transfer of data via email, web browsers, or other data transfer mechanisms?
Answer yes if your organisation has any form of Data Loss Prevention (DLP) controls in place to ensure only authorised data is transferred outside of your organisation. In the notes, please describe the controls you have in place and how these are managed.
Domain E Question
0
00) Does your organisation develop any applications or systems?
Answer yes if your organisation develops or programs any applications or systems.
Domain E Question
1
01) Does your organisation control access to program source code in a secure manner?
Answer yes if your organisation controls access to its application source code. This is typically done by using a code repository with robust access controls implemented, including maintaining an audit log of all access.
Domain E Question
2
02) Does your organisation have a documented and approved software development life-cycle (SDLC) process that includes security input?
Answer yes if your organisation has implemented a secure SDLC (Software Development Lifecycle) that includes a security risk assessment. Please describe your SDLC process in the notes, highlighting any security input, or provide a supporting document (as a PDF) as evidence.
Domain E Question
3
03) Does your organisation develop applications and systems using security best practice (for example, by following the OWASP secure coding practices)?
Answer yes if your organisation's developers are instructed to build applications and systems using defined security best practice (for example, as defined by OWASP, The Open Web Application Security Project). Please state in the notes the best practise guidance followed and if your developers receive any additional security training.
Domain E Question
4
04) Does your organisation validate all data inputs and outputs to and from its applications?
Answer yes if your organisation ensures that all of its applications have data validation implemented on their data inputs and outputs.
Domain E Question
5
05) Does your organisation conduct threat modelling during the design phase of an application or system build?
Answer yes if your organisation conducts threat modelling when designing each application or system. Please state in the notes how threat modelling is integrated into your SDLC or provide a supporting document (for example, a template threat modelling report as a PDF file) as evidence.
Domain E Question
6
06) Do all of your organisation's applications and systems use industry best practice for authentication, including storing all user passwords as appropriate hashes?
Answer yes if your organisation ensures that all of its applications and systems (that are developed/built in-house) use industry best practice for authentication, and that all passwords are stored as hashes using secure hashing algorithms rather than as plain text.
Domain E Question
7
07) Does your organisation conduct appropriate security testing as part of your development lifecycle?
Answer yes if your organisation performs security testing of all applications & systems during the build process. Please describe the security testing performed which could include, but is not limited to Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Infrastructure security testing.
Domain E Question
8
08) Does your organisation segregate development environments from any testing or production environments?
Answer yes if your organisation uses segregated environments for the development of applications, the testing of applications, and the hosting of production systems that handle live data. Please state in the notes the nature of the segregation (logical/physical).
Domain E Question
9
09) Does your organisation use dummy test data when undergoing testing of systems (and not live production data)?
Answer yes if your organisation has made it policy to only use test data (rather than live production data) that contains no personal data when testing its IT systems. If not, please state the reason why and whether or not you have any other mitigating controls in place.
Domain E Question
10
10) Does your organisation ensure that all applications that it builds or procures are maintained with regular security patches?
Answer yes if your organisation produces or receives regular security updates for any applications it develops and hosts, and that it ensures all applications procured from vendors are also supported with regular security patches.
Domain E Question
11
11) Does your organisation conduct regular penetration tests of any applications or systems that it develops?
Answer yes if your organisation conducts regular penetration tests of any applications or systems that it develops and remediates the findings. Please state how often penetration tests take place in the notes section.
Domain E Question
12
12) Does your organisation ensure that appropriate logging and monitoring is in place for all applications or systems it develops?
Answer yes if your organisation ensures that any applications or systems developed have appropriate logging mechanisms implemented (for example, as defined by OWASP, the Open Web Application Security Project).
Domain F Question
0
00) Does your organisation maintain on-premise or cloud-hosted environments — or a hybrid of both — for internal use, or to deliver services to clients?
Answer Yes to this question if:Your organisation maintains (or is responsible for maintaining) a physical or cloud-hosted network that allows user devices to connect and communicate with any data storage or processing services;Your organisation maintains any physical or cloud-hosted application or service delivery infrastructure;Your organisation uses a public cloud to host applications or services where you are responsible for implementing security controls within that environment, guided by the host’s shared security responsibility model (e.g. AWS, GCP and Azure)
Domain F Question
1
01) Are all ingress and egress points for traffic through your network or cloud environment protected by firewalls?
Answer yes if your organisation has secured all of the ingress and egress points of its corporate network and IT environments (cloud-based or otherwise) with firewalls - whether as discrete appliances or as cloud-hosted network security service functions.
Domain F Question
2
02) Were the firewalls implemented using a deny all policy, with rules built around your organisation’s requirements?
Answer yes if the firewalls were implemented with a 'deny all' policy, and each rule was only added when a business requirement was identified, documented and approved by an authorised individual.
Domain F Question
3
03) Does your organisation review its firewall rules at least annually?
Answer yes if your organisation undertakes an annual firewall rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.
Domain F Question
4
04) Does your organisation have web application firewalls (WAFs) implemented to protect web applications?
Answer yes if all web applications hosted by your organisation are protected with WAFs (web application firewalls) - whether as discrete appliances or as cloud-hosted network security service functions. If your organisation does not host any web applications, answer 'No' and state this in the notes section.
Domain F Question
5
05) Were the WAFs implemented using a deny all policy, with rules built around your organisation’s requirements?
Answer yes if the WAFs were implemented with a 'deny all' policy, and if the WAF rules were only added when a business requirement was identified that required the rule to be created.
Domain F Question
6
06) Does your organisation review its WAF rules at least annually?
Answer yes if your organisation undertakes an annual WAF rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.
Domain F Question
7
07) Has your organisation implemented segmentation or segregation in your networks and/or cloud environments?
Answer yes if your organisation has appropriately segregated its network or cloud environments to restrict the level of access to sensitive information, hosts, and services. Examples include segregation of production systems from systems being commissioned or decommissioned and systems under test; segregation of systems with different security levels (e.g. those processing sensitive personal data or financial data are segregated from other business systems) and segregation or segmentation of services used by different subsidiary organisations.
Domain F Question
8
08) Does your organisation place all publicly accessible services in isolated network DMZs (or separate subnets)?
Answer yes if your organisation hosts all publicly accessible services within a DMZ (a DMZ or demilitarised zone is a public facing subnet that acts as a barrier between your organisation's internal environment and the internet or other public network).
Domain F Question
9
09) Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service) attacks?
Answer yes if your organisation has implemented controls to protect its services against DOS (Denial of Service) and DDOS (Distributed Denial of Service) attacks. Please describe the nature of these controls in the notes section.
Domain F Question
10
10) Does your organisation secure and encrypt remote connections to its network or environment (for example, by using VPNs or SSH connections)?
Answer yes if your organisation forces all remote connections to its network infrastructure or cloud environment to be secured with a suitable solution such as a VPN or SSH connection.
Domain F Question
11
11) Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS), and are all data transfers subject to review and authorisation?
Answer yes if all data transfers to and from your organisation are approved by relevant parties and secured with an appropriate level of authentication and encryption (such as HTTPS for web traffic including APIs and SFTP for file transfers). Please describe the nature of these controls in the notes section, both technical and procedural.
Domain F Question
12
12) Does your organisation manage and control the use of, and access to, any cryptographic keys?
Answer yes if your organisation controls the use of, and access to, cryptographic keys. These keys are typically used to access IT infrastructure and services. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.
Domain F Question
13
13) Does your organisation secure remote access to its network or cloud environment using multi-factor authentication?
Answer yes if your organisation forces all remote connections to its network or cloud environment to be secured using two factor authentication.
Domain F Question
14
14) Does your organisation keep a list of approved network connections (such as site to site VPNs) between your corporate network and third parties?
Answer yes if your organisation keeps a list of approved network connections between its own network and any third party networks.
Domain F Question
15
15) Is each of the approved network connections subject to a risk assessment?
Is each of the approved network connections subject to a risk assessment?
Domain F Question
16
16) Is each of the approved network connections subject to regular review?
Answer yes if your organisation undertakes a regular review of network connections (e.g. annually) in which it removes any redundant connections and makes sure that all of the connections are relevant to its business operations.
Domain F Question
17
17) Does your organisation conduct regular automated vulnerability scans of its public facing IT infrastructure and remediate any findings?
Answer yes if your organisation conducts regular external automated vulnerability scans of its public IP infrastructure and remediates the findings.
Domain F Question
18
18) How many external automated vulnerability scans does your organisation conduct each year?
Please state the number of automated scans completed every year.
Domain F Question
19
19) Does your organisation conduct regular automated vulnerability scans of its internal IT infrastructure and remediate any findings?
Answer yes if your organisation conducts regular automated vulnerability scans of its internal IP infrastructure and remediates the findings. This may include scanning assets in a private local network or using a cloud service provider’s tools to scan for vulnerabilities in your cloud infrastructure.
Domain F Question
20
20) How many internal automated vulnerability scans does your organisation conduct each year?
Please state the number of automated scans completed every year.
Domain F Question
21
21) Does your organisation conduct regular penetration tests of its public facing IT infrastructure?
Answer yes if your organisation conducts regular penetration tests of your public facing IT systems and infrastructure and that you remediate the findings. The test should include manual testing by a skilled person in the role of a threat actor with technical verification and validation of any findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.
Domain F Question
22
22) Does your organisation conduct regular penetration tests of its internal systems where the test assumes perimeter controls have been compromised?
Answer yes if your organisation conducts regular penetration tests of your internal IT systems and infrastructure and that you remediate the findings. The test should include manual testing by a skilled person in the role of a threat actor with technical verification and validation of any findings. The test should assume that perimeter controls have been compromised, for example that a legitimate internal user’s credentials have been stolen and re-used. The test should assess a threat actor’s ability to reach assets and information, including opportunities to elevate privileges to gain access. The results of the tests can inform improvements to IT systems and infrastructure, for example improved subnet segregation and role access privileges and controls. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.
Domain F Question
23
23) Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows?
Answer yes if you have processes in place which facilitate effective triage of vulnerabilities and input necessary remediations into the appropriate workflows, for example, development, IT change management or ad-hoc improvement programmes. This should cover all vulnerabilities identified through scanning, penetration tests, or other inputs such as external alert feeds or internal employee reporting. It should also include communication of vulnerabilities to key stakeholders (including relevant clients) where temporary compensating controls may be required. Please give details of your process(es) in the notes section.
Domain F Question
24
24) Has your organisation implemented any network or cloud monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems?
Answer yes if your organisation has implemented any network or cloud monitoring solutions (either in house or via a third party service provider). Please describe which solutions you have in place and the coverage they have over your network(s) or cloud environment(s).
Domain F Question
25
25) Does your organisation have defined processes in place to ensure that all security alerts from logging and monitoring solutions are reviewed and actioned as necessary?
Answer yes if your organisation has processes in place to frequently review and act upon events and alerts from security logs and monitoring tools. Please describe your processes for different types of security logs and events in the notes section.
Domain F Question
26
26) Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load?
Answer yes if your organisation has controls in place to monitor the capacity of its IT production systems to make sure that they can cope with the load. Please describe the controls in the notes section.
Domain F Question
27
27) Does your organisation record and store user activity logs for all cloud environments, networks and associated services?
Answer yes if your organisation records and stores user activity logs for its IT production systems, network devices and endpoint devices.
Domain F Question
28
28) For how many months does your organisation stores its user activity logs?
Answer by stating how many months the logs are kept for.
Domain F Question
29
29) Does your organisation record and store the logs of root/super user/administrator actions for the network and associated services?
Answer yes if your organisation records and stores administrator activity logs for its IT production systems and endpoint devices.
Domain F Question
30
30) For how many months does your organisation stores its root/super-user/administrator logs?
Please state how many months the logs are kept for.
Domain F Question
31
31) Are all logs stored on a secure/hardened server that is logically separate from the systems being logged?
Answer yes if your organisation stores all recorded logs on dedicated servers that are logically separate from your production systems, and hardened.
Domain F Question
32
32) Does your organisation have a process to test the deployment of business critical applications to their target managed environment (cloud or on-prem) to ensure there are no adverse impacts on operations or security?
Answer yes if your organisation has a robust testing process implemented to appropriately test the deployment of business critical applications to their target managed environment (cloud or on-prem) to ensure there are no adverse impacts on operations or the security of your IT estate. Please describe the nature of the testing process in the notes or provide a supporting document (as a PDF file) as evidence.
Domain G Question
0
00) Does your organisation rely upon any physical premises, such as offices, warehouses or data centres?
Answer yes if your organisation uses any physical premises in order to provide your services, products or to run your operations. This could include, but is not limited to, office space, warehouses, or data centres. It includes data centres used to host cloud services provided by your organisation, even if you do not have direct control of those premises. It also includes office space used by your people, even if you are a cloud-first organisation.
Domain G Question
1
01) Does your organisation enforce a secure physical perimeter around all of its physical locations (e.g. offices, data centres...)?
Answer yes if your organisation has implemented a secure physical perimeter around all of its physical locations. Please provide a Physical Security Policy document (as a PDF file) as evidence or reference a section of a previously provided security policy in the notes.
Domain G Question
2
02) Does your organisation use CCTV to monitor entry and exit points of all premises?
Answer yes if your organisation uses CCTV cameras on all of its premises entry and exit points.
Domain G Question
3
03) For how many days does your organisation keep CCTV footage?
Please state the number of days that the CCTV footage is kept for. If different retention times are used depending on the CCTV system, please state the different retention times in the notes and enter the lowest retention time in the answer box.
Domain G Question
4
04) Does your organisation use an access control system on it's premises entry and exit points that includes logging of access?
Answer yes if your organisation uses an access control system to control the movement of people in and out of its physical premises, and if this system keeps a digital log of access.
Domain G Question
5
05) For how many months does your organisation keeps its physical access control audit logs?
Please state the number of months that the access logs are kept for. If different retention times are used depending on the access control system, please state the different retention times in the notes and enter the lowest retention time in the answer box.
Domain G Question
6
06) Are all of your organisation's physical premises secured with an alarm?
Answer yes if all of your organisation's physical premises are secured with an alarm that once triggered, is investigated either by a private security team or the police.
Domain G Question
7
07) Are all of your organisation's physical premises manned 24/7 by a security team or reception team?
Answer yes if all of your organisation's physical premises are staffed 24/7 by an onsite security team, reception team, or both. If security is present for some hours (not 24/7), please answer no and state in the notes section the times during which the premises are manned.
Domain G Question
8
08) Does your organisation use visitor log books (or the digital equivalent) to record visitors at all premises?
Answer yes if your organisation uses a physical or digital system to record the arrival of visitors, and the time at which they leave the premises.
Domain G Question
9
09) Does your organisation require visitors to undergo an ID check on arrival at all premises?
Answer yes if your organisation requires all visitors to undergo an ID check on arrival to ensure that they are the person that they claim to be.
Domain G Question
10
10) Does your organisation protect sensitive equipment from power failures?
Answer yes if your organisation uses controls (such as Uninterruptible Power Supplies, UPS) to protect sensitive equipment from power failures.
Domain G Question
11
11) Does your organisation ensure confidential paper waste is disposed of securely?
Answer yes if your organisation disposes of all confidential paper waste in a secure manner (typically either by shredding or incineration), or if a third party is used to dispose of the waste securely.
Domain H Question
1
01) Does your organisation have a documented Incident Response Plan?
Answer yes if your organisation has a documented Incident Response Plan that has been reviewed in the last year. Please provide the Incident Response Plan (as a PDF file) as evidence.
Domain H Question
2
02) Does your organisation's Incident Response Plan allow for the classification of information security events?
Answer yes if your organisation's Incident Response Plan contains a section for classifying information security events. Please reference the section of any previously provided plan in the notes.
Domain H Question
3
03) Does your Incident Response Plan include consideration of legal and regulatory commitments?
Answer yes if your organisation's Incident Response Plan contains an assessment of impact to legal and regulatory compliance. Please reference the section of any previously provided plan in the notes.
Domain H Question
4
04) Does your organisation's Incident Response Plan include roles and responsibilities in the event of an incident?
Answer yes if your organisation's Incident Response Plan contains a section defining roles and responsibilities in an information security event. Please reference the section of any previously provided plan in the notes.
Domain H Question
5
05) Does your organisation's Incident Response Plan include alternative communication systems in case your usual systems are disrupted?
Answer yes if your organisation's Incident Response Plan contains a section for alternative communication methods. Please reference the section of any previously provided plan in the notes.
Domain H Question
6
06) Does your organisation have a cyber incident response and forensic capability (either internally or via a third party or cyber insurance policy)?
Answer yes if your organisation has a cyber incident response capability that it can call upon in the event of an incident. This can be an in-house capability or provided by a third party or cyber insurance provider.
Domain H Question
7
07) Does your organisation have a process for employees, contractors, and suppliers to report suspected or known information security breaches and weaknesses?
Answer yes if your organisation has a documented process for reporting information security incidents, or suspected information security incidents (this is typically via an IT helpdesk). Please describe the process in the notes, or provide a process document (as a PDF file) as evidence.
Domain H Question
8
08) Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner?
Answer yes if your organisation has a documented process for reporting information security breaches to all affected clients within 72 hours of the breach being discovered. Please describe the process in the notes, or provide a process document (as a PDF file) as evidence.
Domain H Question
9
09) Does your organisation conduct a root cause analysis for all information security incidents that are reported?
Answer yes if your organisation completed a root cause analysis for all security incidents that are reported, and implements any lessons learnt after each analysis has been completed. Please provide a template root cause analysis document (as a PDF file) as evidence.
Domain H Question
10
10) Does your organisation have an approved Business Continuity Plan to ensure the continuity of service in a disaster?
Answer yes if your organisation has a documented business continuity plan that has been reviewed and approved by senior management in the last year. Please provide the Business Continuity Plan (as a PDF file) as evidence.
Domain H Question
11
11) Is your organisation's Business Continuity Plan based on a current risk assessment of your business?
Answer yes if your organisation has assessed the potential business-disruptive risks and used this assessment to inform your Business Continuity Plan. This process may involve conducting a Business Impact Analysis (BIA) for certain scenarios. Please provide the business continuity risk summary as evidence or reference a section of a previously provided document in the notes section.
Domain H Question
12
12) Does your organisation's Business Continuity Plan address the backup and restoration of your business data and the data you process for your clients?
Answer yes if your organisation's Business Continuity Plan includes the required steps to backup and restore the data used by your organisation for day to day operations and the data your clients may have transferred to you for processing, including the outcomes of that processing. This may include defining and agreeing the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for certain services.
Domain H Question
13
13) Does your organisation's Business Continuity Plan include operation of business activities from an alternative location?
Answer yes if your organisation's Business Continuity Plan includes the required steps to continue business operations from an alternate location if the normal business location is inaccessible.
Domain H Question
14
14) Does your organisation's plan include the maintenance of security controls in a disaster?
Answer yes if your organisation's Business Continuity Plan includes information describing the maintenance of security controls in the event of a disaster.
Domain H Question
15
15) Does your organisation have a programme in place to regularly rehearse and maintain your Business Continuity and Disaster Recovery plans?
Answer yes if your organisation runs rehearsal of its Business Continuity and Disaster Recovery plans at least annually involving all parties, including senior operational leaders. Please provide a report (as a PDF file) that details the last two tests to take place. In the notes section, please describe the nature of the exercises (e.g. desktop exercises, partial or whole practical/technical service restoration and recovery) and who was involved. Please also describe the outcome of the rehearsals, e.g. plans have been updated and re-issued with all material findings addressed.
Domain H Question
16
16) Has your organisation set Recovery Time Objectives (RTO) and / or Recovery Point Objectives (RPO)?
Answer yes if your organisation has specified Recovery Time Objectives (RTO) and / or Recovery Point Objectives (RPO) for any of your services.
Domain H Question
17
17) What is your Recovery Time Objective (RTO)?
Please enter your Recovery Time Objective (RTO). If you have different RTOs for different services, please enter the longest RTO and provide details in the notes section.
Domain H Question
18
18) What is your Recovery Point Objective (RPO)?
Please enter your Recovery Point Objective (RPO). If you have different RPOs for different services, please enter the longest RPO and provide details in the notes section.
Domain I Question
1
01) Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation?
Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that covers all of the requirements of the relevant data protection regulations (e.g. GDPR, Australian Privacy Act, US State Law).
Domain I Question
2
02) Does your organisation have formal agreements in place that have appropriate security clauses, including a right to audit and mandatory adherence to security policies?
Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that contains appropriate security clauses including the right to audit and mandatory adherence to appropriate security policies.
Domain I Question
3
03) Does your organisation conduct a business impact assessment for each supplier and give them a corresponding criticality rating?
Answer yes if your organisation assigns each supplier with a criticality rating that is based on a corresponding business impact assessment.
Domain I Question
4
04) Does your organisation have a supplier security policy that outlines the security requirements that your suppliers are expected to meet?
Answer yes if your organisation has documented the baseline level of security controls that it expects its suppliers of different criticalities to adhere to. The Risk Ledger platform can be used for this - get in touch!
Domain I Question
5
05) Does your organisation conduct security due diligence against suppliers before entering into a contract?
Answer yes if your organisation checks that each supplier has the required level of security in controls in place before it enters into a contract with them. The Risk Ledger platform can be used for this - get in touch!
Domain I Question
6
06) Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?
Answer yes if your organisation checks that suppliers are continually meeting their security requirements whilst you are in contract with them, through regular assurance process (e.g. quarterly, annually). Please give details of your current process. The Risk Ledger platform can make this easier for you - get in touch!
Domain J Question
0
00) Does your organisation collect, process, or store personal data, other than that of your own employees?
Answer yes if your organisation collects, processes or stores information that relates to an identified or identifiable individual. You need not answer yes if the only personal data you process is that of your own employees for HR requirements. Data collection also includes any identifiable information collected from web cookies.
Domain J Question
1
01) Which countries do you store personal data in, or transfer personal data to?
Please list all countries where personal data controlled or processed by you resides or is transferred to or through. This includes the location of your head office and data centres, as well as locations of sub-processors. For each country listed, please describe what data is stored or transferred and under what circumstances.
Domain J Question
2
02) Do you use appropriate legal mechanisms for all international transfers of personal data?
Answer yes if you have processes in place to ensure that every cross-border transfer of personal data has the appropriate contractual / legal mechanisms in place, depending on your jurisdiction. For example, this could be an international data transfer agreement, or an adequacy decision. Please describe in the notes section which mechanism is used for which instances of data transfer.
Domain J Question
3
03) Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months?
Answer yes if your organisation has received a request from any government or other authority to provide access to personal data. Please provide information about the nature, volume and origin of requests, including how many you complied with in the notes section, or through supporting evidence (e.g. a link to your transparency report or a document upload).
Domain J Question
4
04) Does your organisation have a nominated Data Protection Officer (DPO)?
Answer yes if your organisation has a nominated Data Protection Officer (DPO) who undertakes regular compliance checks and leads on continual privacy improvement. Please include in the notes section details about how your DPO monitors compliance with relevant data protection obligations.
Domain J Question
5
05) Does your organisation have an up-to-date Data Protection Policy?
Answer yes if your organisation has a Data Protection Policy that has been reviewed in the last year. Please upload your Data Protection Policy (as a PDF file) as evidence.
Domain J Question
6
06) Does your organisation maintain a record of all personal data collection & processing activities?
Answer yes if you document your personal data processing activities. This could be through data flow diagrams or written documentation and should include details of collection, purpose, storage, access, use, sharing, and retention. Please describe how you do this in the notes.
Domain J Question
7
07) Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?
Answer yes if your organisation has documented the legal justification for processing personal data in each instance. The criteria for a valid lawful basis will depend on your jurisdiction.
Domain J Question
8
08) Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals?
Answer yes if your organisation conducts a Data Protection Impact Assessment (DPIA) for all processing of personal data that is likely to result in a high risk to individuals. To find out more about Data Protection Impact Assessments, see the Risk Ledger Knowledgebase.
Domain J Question
9
09) Can your organisation facilitate an individual's data privacy rights?
Answer yes if your organisation has the correct processes in place to be able to provide the relevant individual data privacy rights to all of the data subjects for whom you hold data (e.g. the right to subject access, the right to erasure…).
Domain J Question
10
10) Does your organisation have a Records Retention Policy?
Answer yes if your organisation has a Records Retention Policy that has been reviewed in the last year. Please provide your Records Retention Policy (as a PDF file) as evidence.
Domain J Question
11
11) Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches?
Answer yes if organisation has robust detection, investigation and reporting procedures in place for all personal data breaches. This should include assessing the likely risk to individuals as a result of the breach, informing affected individuals without undue delay, and documenting the facts surrounding personal data breaches in a Breach Log. Please provide details about your processes surrounding a personal data breach in the notes section, including uploading any relevant documentation (as a PDF file).
Domain J Question
12
12) Does your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs?
Answer yes if your organisation has a documented process for notifying the relevant Authority for your jurisdiction and all data controllers or other relevant parties when it becomes aware of a security breach involving Personal Data.
Domain J Question
13
13) Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months?
Answer yes if your organisation has had a security incident that led to a Personal Data breach in the last 6 months. If you answered yes, please describe the nature of the breach in the notes section and attach a root causes analysis report (as a PDF file) for each listed breach.
Domain J Question
14
14) Does your organisation process personal data on behalf of another organisation?
Answer yes if your organisation processes personal data on behalf of another organisation where they are the data controller and you are the data processor.
Domain J Question
15
15) Does your organisation have procedures in place to inform and obtain authorisation (if required) from the data controller before engaging a sub-processor?
Answer yes if you have ways to ensure that new sub-processors are authorised by or communicated to the data controller before the new sub-processing takes place. Please attach evidence or describe how this is ensured in the notes.
Domain J Question
16
16) Does your organisation ensure that processing activities are only carried out under the documented instructions of the data controller?
Answer yes if you have processes or policies which ensure data is only processed in the way in which your data controller has requested, and you have written instructions from the controller describing this. Please describe in the notes how you obtain these instructions from data controllers and how you ensure data is not processed in any way outside of the documented written instructions.
Domain K Question
1 (AI)
01) Does your organisation use Machine Learning or Generative Artificial Intelligence (AI) models for internal use-cases?
Answer yes if Machine Learning or Generative AI models are used anywhere within your organisation. This includes the use of AI features or capabilities embedded in your supplier’s services or any SaaS tools your people use (e.g. Google Gemini or Microsoft’s Copilot). Unless it has been specifically prohibited and the restriction technically enforced, it is likely that AI is being used somewhere within your organisation and you should answer yes to this question.
Domain K Question
2 (AI)
02) Has your organisation conducted a risk assessment of each internal use of AI models?
Answer yes if your organisation has conducted and documented a regulatory compliance and security risk assessment for each AI-supported service that is used, including both internally developed and supplier-provided services. Examples of risk assessment considerations include: how a Large Language Model (LLM) service operates and is secured compared with the requirements of EU AI Act or the OWASP Top 10 for LLM, an evaluation of output accuracy or bias countermeasures, abuse prevention measures, and risk of Intellectual Property or Copyright infringement claims resulting from public use of AI-generated output.
Domain K Question
3 (AI)
03) Is any of your information or data (e.g. prompts) used to train AI models?
Answer yes if any of the AI-supported services used by your organisation use your organisational data and information to train the AI models. Where information is used for AI training, please describe any controls you have in place to mitigate risks related to your confidential or sensitive data being stored and re-used.
Domain K Question
4 (AI)
04) Do you have processes in place to ensure your service user evaluates the AI model responses before use?
Answer yes if you have ensured, as far as you are able, that your people (employees, managed contract resources or anyone else acting on behalf of your organisation) have reviewed and evaluated the AI model output before use. These processes should help mitigate the risks arising from inaccuracies or ‘hallucinations’ (plausible created statements) within AI outputs which, if applied without human review, can impact integrity and mislead decision-making.
Domain K Question
5 (AI)
05) Does your organisation use Machine Learning or Generative Artificial Intelligence (AI) models in any services provided to clients or is client data otherwise exposed to AI models?
Answer yes if Machine Learning or Generative AI models are used anywhere within the services provided to your clients or anywhere that might touch client data. This includes the use of AI features or capabilities embedded in your supplier’s services or any SaaS tools your people may use (e.g. Google Gemini or Microsoft’s Copilot), if they are used with client data to provide client services. If AI is used within some, but not all of the services you provide, you should answer yes. Please describe in the notes section which of your services use AI and a brief description of where and how AI is used in each service.
Domain K Question
6 (AI)
06) Has your organisation conducted a regulatory compliance and security risk assessment of how your AI-supported service processes and responds to client data and information?
Answer yes if your organisation has conducted and documented a regulatory compliance and security risk assessment for each AI-supported service you provide. Examples of what should be considered in each risk assessment include: how the LLM service operates and is secured compared with the requirements of EU AI Act or the OWASP Top 10 for LLM, an evaluation of output accuracy or bias countermeasures, abuse prevention measures, and risk of Intellectual Property or Copyright infringement claims resulting from public use of AI-generated output.
Domain K Question
7 (AI)
07) Do your AI-supported service(s) encourage service users to evaluate the AI model’s responses before use?
Answer yes if you have ensured, as far as you are able, that the users of your service have reviewed and evaluated the AI model output before use. The measures you have put in place should help mitigate the risks arising from inaccuracies or ‘hallucinations’ (plausible created statements) within AI outputs which, if applied without human review, can impact integrity and mislead decision-making. Depending on the service, this could include tagging output as 'AI generated' or providing workflows to enable the review.
Domain K Question
8 (AI)
08) Is client data processed by the AI model discarded and erased from memory when processing of that data has completed?
Answer yes if client data processed by the AI model is discarded at completion of each defined processing purpose (for example, text input discarded after the processing of each specific Large Language Model prompt).
Domain K Question
9 (AI)
09) Is sensitive data (including personal or confidential data) removed, masked or otherwise prevented from being input into AI models for all services you provide?
Answer yes if you have controls in place to ensure that sensitive data is not processed by AI. This could include any data that has been defined by your customers as confidential, for example intellectual property or commercially sensitive information, in addition to personal information. These controls may include identifying and pre-treating data before AI processing or other controls to prevent the input of certain information. Please describe how this is achieved in the notes section.
Domain K Question
10 (AI)
10) Is client data and information (e.g. prompts) used to train AI models?
Answer yes if any client data is used to train your AI model, or external AI models used to provide supplier services. Please describe which client data may be used to train AI models and how this is communicated to those clients.
Domain K Question
11 (AI)
11) Does your organisation have a formal AI model change management process that gives consideration to information security and regulatory requirements and includes notification to relevant clients?
Answer yes if your organisation has a formal change management process that includes a step to assess any security or legal compliance risks that the change may impact, requires a rollback plan, and includes processes for notifying relevant clients of the changes and any consequential processing differences. Change management can apply if either the AI model is updated, or the data applied to the model is changed (e.g. the model is applied to support new services processing different client data).
Domain K Question
12 (AI)
12) Does your organisation have processes in place to identify, triage and remediate the effects of AI model updates such as output accuracy or bias?
Answer yes if your organisation evaluates the effects of changes of the underlying AI Model, whether that model is created and maintained by you or is adopted and applied from an external source (e.g. Amazon Bedrock AI as a Service). Change impacts can include changes in output accuracy or bias and the potential need to reprocess historic data for analysis consistency. Please describe how you evaluate the effects of these changes or upload supporting documentation (as a PDF file).
Domain L Question
1
01) Does your organisation have any certifications or audit reports that cover environmental, social or governance issues (such as ISO 14001, ISO 45001 or B Corporation certification)?
Answer yes if your organisation has obtained any certifications or any external audit reports which cover any environmental, social or governance issues. Please state the certification or report in the notes and please upload a PDF of the relevant certification or report as evidence.
Domain L Question
2
02) Does your organisation have a documented Environmental Management policy?
Answer yes if your organisation has a documented environmental management policy that looks to minimise your organisation's impact on the environment. The policy must have undergone senior management review and approval within the last year. Please upload the policy (as a PDF file) as evidence.
Domain L Question
3
03) Does your organisation publicly share metrics related to your Environmental, Social & Corporate Governance?
Answer yes if your organisation publicly shares information and metrics about your environmental and social impact. Please upload a copy of the latest report as evidence or provide a link to it.
Domain L Question
4
04) Does your organisation conduct any activities that might be deemed as hazardous to the environment?
Answer yes if your organisation conducts any activities that could be perceived to be hazardous to the environment. This could include but is not limited to mining, construction, demolition, manufacturing, chemical processing, or fossil fuels. Please describe your business activities in the notes.
Domain L Question
5
05) Has your organisation received any adverse media coverage, legal action, penalties or sanctions for environmental reasons?
Answer yes if your organisation has been subject to any adverse media coverage or legal action relating to environmental concerns or if your organisation has received any penalties or sanctions for environmental reasons. Please include details in the notes.
Domain L Question
6
06) Does your organisation measure its scope 1, scope 2, or scope 3 emissions as per Greenhouse Gas (GHG) Protocol standards?
Answer yes if your organisation measures your scope 1, scope 2, or scope 3 emissions as defined by Greenhouse Gas (GHG) Protocol. If you only measure your scope 1 or 2 emissions, please still answer yes and provide the relevant information in the following questions.
Domain L Question
7
07) What are your scope 1 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 1 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 1 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
Domain L Question
8
08) What are your scope 2 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 2 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 2 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
Domain L Question
9
09) What are your scope 3 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 3 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 3 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
Domain L Question
10
10) Is your organisation working towards a net zero carbon emissions target?
Answer yes if your organisation is proactively working towards achieving net zero carbon emissions.
Domain L Question
11
11) When do you expect to achieve net zero carbon emissions?
Please state the year in which you expect your organisation to achieve net zero carbon emissions.
Domain L Question
12
12) Does your organisation have a documented Health & Safety Policy?
Answer yes if your organisation has a documented Health & Safety policy. Please upload the policy (as a PDF file) as evidence.
Domain L Question
13
13) Does your organisation have a senior manager or board member who is responsible for your Health & Safety Programme?
Answer yes if your organisation has an appointed resource that is responsible for the design and delivery of your company's health and safety programme. This is typically a health and safety officer. In the notes, please outline the job role and whether or not this is a dedicated full time position.
Domain L Question
14
14) Does your organisation have an established and consistent framework for Health and Safety which includes provisions to ensure a safe and hygienic working environment for all of your personnel, in accordance with local health and safety laws and industry best practices?
Answer yes if your organisation has implemented a framework for managing health and safety compliance across your company. The framework must include health and safety awareness initiatives (such as posters), a risk assessment programme, a defined and auditable reporting process, and relevant and valid insurance policies (in the UK this is covered by your employers liability insurance). Please describe how you manage Health & Safety in the notes.
Domain L Question
15
15) Does your organisation work to a committed code of business ethics which includes ethical labour practises?
Answer yes if you commit to the standards set out in a publicly recognised code of ethics such as the Ethical Trading Initiative (ETI) Base Code or if your organisation has developed and abides by its own code of ethics covering labour practises. Please give more details in the notes section.
Domain L Question
16
16) Does your organisation ensure compliance with all applicable human rights laws and regulations?
Answer yes if your organisation is fully compliant with all applicable human rights laws and regulations. This may include, but is not limited to, the International Bill of Human Rights, the UK Modern Slavery Act 2015, and the EU working time directive. Please note that these laws and regulations may require further actions from your organisation to ensure compliance. Please describe how you comply in the notes section and upload evidence of relevant policies, processes or compliance documents.
Domain L Question
17
17) Does your organisation have policies and procedures in place that ensure the prevention of modern slavery?
Answer yes if your organisation has policies and accompanying procedures in place to prevent modern slavery in your own organisation and within your supply chains. Relevant policies may include: Supplier code of conduct, Migrant worker policy, Child labour policy, Human rights policy, Recruitment policy, Procurement policy, Employee code of conduct, Policies concerning access to remedy, compensation and justice for victims of modern slavery, Policies that relate to staff training and increasing awareness of modern slavery, Policies that relate to worker wages, welfare and living standards. Please include in the notes details of your policies and procedures and upload the relevant documents (as PDF files) as evidence.
Domain L Question
18
18) Have any incidences of modern slavery been recorded or uncovered within your organisation or supply chains in the past 12 months?
Answer yes if there have been any suspected or confirmed cases of modern slavery within your organisation or within your supply chain in the past 12 months. Please include in the notes details about how the incidences were identified, investigated and what action was taken.
Domain L Question
19
19) Does your organisation provide a grievance mechanism for workers to raise workplace concerns?
Answer yes if your organisation has a mechanism in place (backed up by a written policy document with a defined process) that allows employees and contractors to address grievances relating to their employment. Please upload the policy document (as a PDF file) as evidence.
Domain L Question
20
20) Does your organisation have a documented diversity and inclusion policy?
Answer yes if your organisation has a documented diversity and inclusion policy that outlines the organisation's commitment to providing an inclusive and supportive environment for staff, contractors and visitors that is free from discrimination.
Domain L Question
21
21) Does your organisation provide a confidential method (also known as a whistleblowing procedure) for employees and contract staff to freely report any perceived issues that might impact your clients or their customers?
Answer yes if your organisation has a defined and documented procedure that enables employees and contract staff to report any incidents or perceived issues confidentially. This is typically provided through a confidential phoneline or email address. Please outline the process in the notes section provided, or upload a policy or process document (as a PDF file) as evidence.
Domain L Question
22
22) Does your organisation clearly inform employees and contract staff how to access and utilise the whistleblowing procedure to confidentially report any issues?
Answer yes if your organisation clearly informs all employees and contract staff how to access and utilise the whistleblowing procedure.
Domain L Question
23
23) Does your organisation conduct regular assurance activities against its suppliers to ensure they are operating in line with your own environmental, social and governance policies, including checking that they are compliant with relevant laws and regulations?
Answer yes if your organisation conducts regular (e.g. quarterly, annually) supplier assurance to ensure your suppliers meet the same standards of environmental management, social responsibility, and governance that is expected of your organisation, and that they are compliant with all applicable laws and regulations. Describe the nature and frequency of the assurance activities in the notes.
Framework Domains

12) Does your organisation have processes in place to identify, triage and remediate the effects of AI model updates such as output accuracy or bias?

September 11, 2024
Artificial Intelligence
Service AI application

Answer yes if your organisation evaluates the effects of changes of the underlying AI Model, whether that model is created and maintained by you or is adopted and applied from an external source (e.g. Amazon Bedrock AI as a Service). Change impacts can include changes in output accuracy or bias and the potential need to reprocess historic data for analysis consistency. Please describe how you evaluate the effects of these changes or upload supporting documentation (as a PDF file).

What is the control?

Information Security is in large parts about risk management. We improve security by removing risks as best we can within a certain scope and level or resource.

AI model updates are a specific case where the effects of change may not be immediately apparent and should be practically evaluated.

Why should I have it?

Any significant change to your service delivery environment — including external factors such as changes to legislation, best practice guidance, emerging threats, and changes of processing scope — should be subject to an assessment to determine its impact. Few changes are potentially as significant as those as services which change information processing, such as the provision of AI models and services.

Where your clients have adopted use of AI-supported services, it is important to evaluate the risks of changes to the model as a result of training - or where options to update an adopted third party AI model are offered.

Changing a model can materially change the characteristic of outputs including processing result accuracy compared with past results.  Other changes may be unclear at the outset and only become apparent over time, such as ‘drift’ in accuracy or indications of apparent bias in the results of processing.

How to implement the control

Testing for the effect of AI model changes - to enable risk assessment -  may involve replay of past data (e.g. LLM RAG data with prompts) to compare and contrast the processing results. However, the identification of more subtle drift or bias effects may involve a longer period of either parallel running (the old model processing the same data and prompts as a proposed new model, with results retained internally for analysis) and statistical comparison of data-based processing results.

There are a growing number consultancies or individual consultants that will be able to assist in crafting a policy and process that meets your business and technical requirements. But bear in mind that as with all novel technologies this is a rapidly evolving area of academic research.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.

Book a demo
Support
Framework
Domains
K
12 (AI)
© 2024 Risk Ledger Ltd
CookiesPrivacy PolicyTerms of ServiceSecurity Profile