Complete this privately on your device: no sign-in, no tracking, no data collection.
Business Profile
  Business size
    1 to 9 people
    10 to 49 people
    50 to 249 people
  Regulated data
    None or minimal
    Some customer PII
    Payment data, health data, or highly sensitive info

Identity and Access
  Unique accounts for staff
    All staff have separate logins
    Most have separate logins
    Some accounts are shared
  MFA on email and critical apps
    Enabled for all
    Enabled for some
    Not enabled

Devices
  Device updates
    Automatic updates enabled
    Updates applied monthly
    Updates are inconsistent
  Disk encryption on laptops
    Enabled on all laptops
    Enabled on some laptops
    Not enabled

Network
  Router and Wi-Fi security
    Modern router, strong Wi-Fi, guest network separated
    Secure Wi-Fi, but limited segmentation
    Default settings or weak Wi-Fi controls
  Remote access
    VPN or zero-trust in place
    Limited remote access with passwords
    Open remote access or unknown

Data Protection
  Backups with version history
    Automated backups, versioning, tested restore
    Backups exist but not tested recently
    No reliable backups
  SaaS data backups
    Separate backups for SaaS tools
    Some SaaS exports taken
    Relying on vendor only

Policies and Training
  Written baseline policies
    Core policies exist and are updated
    Some policies exist
    No written policies
  Security awareness
    Quarterly training with phishing practice
    Annual training only
    No training

Vendors and Email Security
  Vendor risk checks
    Reviewed and approved vendors
    Basic checks for major vendors
    No vendor review process
  Email authentication (SPF, DKIM, DMARC)
    All configured correctly
    Some configured
    Not configured or unknown

Audit and Compliance
  Written security policies
    Documented and reviewed annually
    Partially documented or outdated
    No written policies in place
  Access reviews and permissions audits
    Performed quarterly
    Performed occasionally
    Not performed
  Incident response plan
    Documented and tested annually
    Draft exists but not tested
    No defined plan
  Regulatory obligations (GDPR, HIPAA, PCI, etc.)
    Mapped and monitored for changes
    Partially identified, not consistently reviewed
    Unknown or unmanaged

Security Controls
  Endpoint protection (AV/EDR)
    Deployed on all endpoints
    Deployed on most endpoints
    Not deployed or unknown
  Admin privileges
    Least privilege with approval process
    Some restrictions, not consistent
    Users have admin by default
  Logging and monitoring
    Centralized logging with alerting
    Logs retained locally, spot checks
    No logging or monitoring
  Secure configuration baseline
    Hardened baselines applied (e.g., CIS)
    Some hardening, not standardized
    Default configurations

Vulnerability Management
  Asset inventory
    Complete inventory of hardware and software
    Partial inventory
    No inventory
  Vulnerability scanning
    Automated monthly scanning
    Ad hoc or quarterly scanning
    No scanning
  Patch remediation SLAs
    Critical within 14 days, others within 30–60 days
    Targets exist but not enforced
    No defined SLAs
  External exposure checks
    Regular checks for exposed services/domains
    Occasional checks
    No checks