Step 2 - Tell Us About Your Organization

1. Which compliance frameworks are you working on (or planning to meet)? *

2. Do you currently have a compliance program in place? *

Yes, it’s active

We’re starting one

No, not yet

3. Number of Employees in Your Organization *

Ready To Begin?

Your responses are confidential. No obligations, just actionable insights.

1 - Risk Management & Governance

1. Do you have a documented risk management program aligned with NIST CSF/ISO 27001 that actively identifies and mitigates threats? (Relevant frameworks: NIST CSF, ISO 27001, SOC 2, CIS Controls) *

1 - Risk Management & Governance

1.1 Do you have a named person or team responsible for enterprise risk management? *

Yes

No

Follow-up Question

1 - Risk Management & Governance

1.2 Have you conducted a risk assessment in the past 12 months using any formal framework (e.g., ISO 27005, NIST SP 800-30)? *

Yes

No

Follow-up Question

1 - Risk Management & Governance

1.3 Are risks documented, prioritized, and reviewed at regular intervals? *

Yes

No

2 - Asset Inventory & Management

2. Is there a real-time inventory of all hardware, software, and data (classified by sensitivity)? (Relevant frameworks: CIS Controls, NIST CSF, ISO 27001, PCI DSS) *

2 - Asset Inventory & Management

2.1 Do you currently use any tools (e.g., SCCM, Lansweeper, Qualys) to track IT assets? *

Yes

No

Follow-up Question

2 - Asset Inventory & Management

2.2 Is there any form of asset classification (e.g., critical, sensitive, internal)? *

Yes

No

Follow-up Question

2 - Asset Inventory & Management

2.3 Is inventory updated automatically or manually? *

Yes

No

Follow-up Question

3 - Access Control & Identity Management

3. Is MFA enforced for all admin/remote access, and are permissions granted on a least privilege basis? (Relevant frameworks: NIST CSF, CIS Controls, ISO 27001, SOC 2, HIPAA) *

3 - Access Control & Identity Management

3.1 Is Multi-Factor Authentication (MFA) enabled for any accounts today? *

Yes

No

Follow-up Question

3 - Access Control & Identity Management

3.2 Do you have a user provisioning/deprovisioning process (manual or automated)? *

Yes

No

Follow-up Question

3 - Access Control & Identity Management

3.3 Have you ever conducted a user access review or audit? *

Yes

No

Follow-up Question

4 - Vulnerability & Patch Management

4. Are critical security patches applied within 30 days of release, with vulnerability scans at least quarterly? (Relevant frameworks: CIS Controls, NIST CSF, PCI DSS, ISO 27001) *

4 - Vulnerability & Patch Management

4.1 Do you receive patch notifications from vendors or tools (e.g., WSUS, Tenable)? *

Yes

No

Follow-up Question

4 - Vulnerability & Patch Management

4.2 Is there any schedule for reviewing and applying patches? *

Yes

No

Follow-up Question

4 - Vulnerability & Patch Management

4.3 Have you ever conducted a vulnerability scan, even internally? *

Yes

No

Follow-up Question

5 - Incident Response & Recovery

5. Is there a tested incident response plan with defined roles for containment, notification, and recovery? (Relevant frameworks: NIST CSF, ISO 27001, SOC 2, HIPAA, GDPR) *

5 - Incident Response & Recovery

5.1 Is there any written procedure for what to do if a breach or cyber event occurs? *

Yes

No

Follow-up Question

5 - Incident Response & Recovery

5.2 Have you ever conducted an incident response tabletop exercise or simulation? *

Yes

No

Follow-up Question

5 - Incident Response & Recovery

5.3 Do you know who would be responsible for containing and reporting a breach? *

Yes

No

Follow-up Question

6 - Data Protection & Encryption

6. Is all sensitive data (at rest and in transit) encrypted, and are data retention policies enforced? (Relevant frameworks: PCI DSS, GDPR, HIPAA, ISO 27001, NIST CSF) *

6 - Data Protection & Encryption

6.1 Is encryption enforced on company laptops or servers? *

Yes

No

Follow-up Question

6 - Data Protection & Encryption

6.2 Do you use HTTPS, VPNs, or secure file transfer protocols? *

Yes

No

Follow-up Question

6 - Data Protection & Encryption

6.3 Do you have any data retention or deletion policy (even informal)? *

Yes

No

Follow-up Question

7 - Security Awareness Training

7. Do employees and contractors complete mandatory security training (e.g., phishing) annually? (Relevant frameworks: ISO 27001, NIST CSF, CIS Controls, SOC 2, HIPAA) *

7 - Security Awareness Training

7.1 Have employees ever received phishing simulations or security reminders? *

Yes

No

Follow-up Question

7 - Security Awareness Training

7.2 Is there any onboarding checklist that includes security? *

Yes

No

Follow-up Question

7 - Security Awareness Training

7.3 Does HR or IT track who has completed training? *

Yes

No

Follow-up Question

8 - Third-Party & Vendor Security

8. Are third-party vendors contractually required to meet security standards (e.g., SOC 2) and audited annually? (Relevant frameworks: NIST CSF, ISO 27001, SOC 2, GDPR, PCI DSS) *

8 - Third-Party & Vendor Security

8.1 Do you know which vendors have access to your data or systems? *

Yes

No

Follow-up Question

8 - Third-Party & Vendor Security

8.2 Do contracts include any security requirements (e.g., SOC 2, NDA)? *

Yes

No

Follow-up Question

8 - Third-Party & Vendor Security

8.3 Have you ever reviewed a vendor’s audit report or questionnaire? *

Yes

No

Follow-up Question

9 - Logging & Monitoring

9. Are security events logged, monitored, and retained for detection and investigation purposes? (Relevant frameworks: NIST CSF, CIS Controls, ISO 27001, SOC 2, PCI DSS) *

9 - Logging & Monitoring

9.1 Are system or firewall logs stored anywhere (even locally)? *

Yes

No

Follow-up Question

9 - Logging & Monitoring

9.2 Do you review logs when something suspicious happens? *

Yes

No

Follow-up Question

9 - Logging & Monitoring

9.3 Do you use any SIEM or logging tool (e.g., Splunk, ELK, Datadog)? *

Yes

No

Follow-up Question

10 - Backup & Recovery

10. Are backups encrypted, tested, and stored offline/offsite? (Relevant frameworks: NIST CSF, HIPAA, PCI DSS) *

10 - Backup & Recovery

10.1 Are backups stored somewhere other than the main server? *

Yes

No

Follow-up Question

10 - Backup & Recovery

10.2 Have you ever tested recovery from backup (even once)? *

Yes

No

Follow-up Question

10 - Backup & Recovery

10.3 Are backup copies encrypted or password protected? *

Yes

No

Follow-up Question

11 - Cloud Security

11. Are cloud environments (AWS/Azure/GCP) configured per CIS benchmarks with restricted admin access? (Relevant frameworks: SOC 2, ISO 27001, NIST CSF) *

11 - Cloud Security

11.1 Do you use AWS, Azure, or GCP for any services? *

Yes

No

Follow-up Question

11 - Cloud Security

11.2 Are IAM roles and permissions in your cloud environment documented? *

Yes

No

Follow-up Question

11 - Cloud Security

11.3 Have you reviewed any cloud configuration against a benchmark (e.g., CIS)? *

Yes

No

Follow-up Question

12 - Physical Security

12. Are data centers/server rooms secured with access logs, biometrics, or video surveillance? (ISO 27001, SOC 2) *

12 - Physical Security

12.1 Is there any physical lock, camera, or alarm at your data/server rooms? *

Yes

No

Follow-up Question

12 - Physical Security

12.2 Who can access these areas, and is that tracked? *

Yes

No

Follow-up Question

12 - Physical Security

12.3 Have you ever had an audit or walkthrough for physical security? *

Yes

No

Follow-up Question

13 - Mobile Security

13. Are company/employee devices encrypted, remotely wipeable, and blocked from jailbroken/rooted access? (HIPAA, GDPR, NIST 800-171) *

13 - Mobile Security

13.1 Do employees use personal or company-managed devices? *

Yes

No

Follow-up Question

13 - Mobile Security

13.2 Are mobile devices enrolled in an MDM solution? *

Yes

No

Follow-up Question

13 - Mobile Security

13.3 Is there a policy for what apps or networks can be used on mobile devices? *

Yes

No

Follow-up Question

14 - Penetration Testing

14. Are annual penetration tests performed by a third party? (PCI DSS, ISO 27001, NIST 800-53) *

14 - Penetration Testing

14.1 Have you ever run a vulnerability scan or hired an ethical hacker? *

Yes

No

Follow-up Question

14 - Penetration Testing

14.2 Do you know your most critical external-facing systems? *

Yes

No

Follow-up Question

14 - Penetration Testing

14.3 Would you be able to act on findings if they were reported to you? *

Yes

No

Follow-up Question

15 - Compliance Confidence

15. If your business were audited tomorrow, could you confidently demonstrate full compliance without disruption, stress, or risk of fines? *

15 - Compliance Confidence

15.1 Have you ever been asked by a customer or regulator about your compliance? *

Yes

No

Follow-up Question

15 - Compliance Confidence

15.2 Are there any known frameworks that your peers or competitors follow? *

Yes

No

Follow-up Question

15 - Compliance Confidence

15.3 If asked today, could you locate your last audit report or policy deck? *

Yes

No

Follow-up Question

Thanks for taking the quiz!

You’ve taken a great first step toward understanding your compliance posture. Your results are on the way!

I agree to terms & conditions provided by the company. By providing my phone number, I agree to receive text messages from the business.

Find Out Where You Stand on Compliance