Cyber-hygiene self-assessment

18 questions mapped to the six NIST CSF 2.0 functions. Answer honestly — the result is a maturity snapshot, not a pass/fail.

Govern

Leadership, policy, and risk ownership.

Has leadership assigned clear ownership and accountability for cybersecurity risk?

Do you have written security policies that staff know about and that are reviewed periodically?

Are cybersecurity risks weighed in your wider business and supplier decisions?

Identify

Knowing your assets, data, and suppliers.

Do you keep an up-to-date inventory of your hardware, software, and cloud services?

Do you know where your most sensitive data lives and who can access it?

Do you assess a third-party vendor's security before relying on them?

Protect

Safeguards that prevent incidents.

Is multi-factor authentication enforced on email, admin, and remote-access accounts?

Are systems and software patched on a defined, regular schedule?

Do staff receive regular security-awareness training, such as phishing drills?

Detect

Spotting that something has gone wrong.

Do you collect and review logs or alerts that could reveal an incident?

Do you run endpoint protection that actively flags malicious activity?

Would you notice unauthorised access to key systems in a timely way?

Respond

Acting when an incident occurs.

Do you have a documented incident-response plan that names who does what?

Have you tested or rehearsed your response to a security incident?

Do you know your legal and notification obligations if data is breached?

Recover

Restoring operations afterwards.

Do you take regular backups of critical data and systems?

Have you tested that you can actually restore from those backups?

Do you have a plan to resume operations after a major disruption?
