# Assessments Checklist
Use this checklist to confirm that the company has completed the key assessment work before moving into Identify, Protect, Detect, Respond, Recover, Review, and Educate.
The goal of Assess is to understand the company’s real cybersecurity risk, current obligations, threat exposure, and maturity gaps before deciding what to fix first.
# Assess Overview Checklist
☐ Assign an executive sponsor for the cybersecurity assessment.
☐ Assign an internal owner to coordinate the Assess section.
☐ Confirm the assessment scope, including departments, systems, vendors, locations, and business processes.
☐ Identify who must participate, including leadership, IT, MSP, finance, HR, operations, sales, legal, and department owners.
☐ Create one central place to store assessment notes, registers, evidence, and open questions.
☐ Record assumptions, unknowns, and areas that need further investigation.
☐ Set a target completion date for the Assess section.
# Understand Common Attack Types Checklist
☐ Review the most common cyberattack types affecting SMEs.
☐ Identify which attack types are most relevant to the company.
☐ Create realistic company-specific attack scenarios.
☐ Include phishing, social engineering, business email compromise, invoice fraud, stolen credentials, ransomware, unpatched systems, cloud compromise, SaaS compromise, and vendor compromise.
☐ Identify which teams, roles, systems, and business processes would likely be targeted.
☐ Map each attack type to possible business impact.
☐ Review what controls already exist against each attack type.
☐ Record missing, weak, or untested controls.
☐ Identify the top attack scenarios most likely to harm the company.
☐ Brief leadership on the most relevant attack scenarios.
# Understand the Current Threat Environment Checklist
☐ Assign ownership for monitoring current cybersecurity threats.
☐ Create a trusted source list for advisories, vendor bulletins, government alerts, threat research, and cybersecurity news.
☐ Create a recurring schedule for reviewing current threats.
☐ Build a technology watchlist of the systems the company uses.
☐ Include email, Microsoft 365 or Google Workspace, VPN, firewall, website CMS, endpoint protection, backup platform, accounting, payroll, CRM, cloud storage, and key SaaS tools.
☐ Track current threats by business relevance.
☐ Define threat triggers that require internal review.
☐ Include triggers for known exploited vulnerabilities, urgent vendor advisories, vendor breaches, ransomware activity, SaaS compromise, and threats affecting company technology.
☐ Review relevant threats with the MSP, IT provider, or internal IT owner.
☐ Translate current threat trends into plain business language for leadership.
☐ Record open questions that need follow-up in risk assessment, Identify, or Protect.
☐ Provide leadership with a short current threat environment summary.
# Gather Compliance and Contractual Requirements Checklist
☐ Assign an owner for compliance and contractual requirements collection.
☐ Create a central folder for contracts, insurance documents, security questionnaires, policies, regulatory notes, and supporting evidence.
☐ Collect customer contracts, vendor contracts, SaaS agreements, data processing agreements, privacy addendums, security addendums, and service agreements.
☐ Collect cyber insurance policies, applications, renewal questionnaires, exclusions, and incident reporting instructions.
☐ Collect customer security questionnaires and past responses.
☐ Identify laws, regulations, industry rules, or sector requirements that may apply.
☐ Identify obligations related to privacy, payment card data, health data, financial data, employment data, government contracts, customer data, or confidential business information.
☐ Extract cybersecurity, privacy, incident reporting, audit, backup, access, encryption, and data handling requirements into a requirements register.
☐ Mark each requirement as mandatory, expected, recommended, or unclear.
☐ Identify evidence needed to prove each major requirement.
☐ Flag conflicting, unclear, or high-risk obligations for legal, insurer, customer, or leadership review.
☐ Create a review schedule for keeping requirements current.
# Conduct a Risk Assessment Checklist
☐ Assign a risk assessment owner.
☐ Confirm the business scope of the risk assessment.
☐ Identify the company’s most critical business processes.
☐ Identify the systems, data, users, vendors, and accounts connected to those processes.
☐ Identify realistic risk scenarios based on common attack types and the current threat environment.
☐ Identify existing controls for each major risk scenario.
☐ Identify where controls are missing, weak, informal, untested, or only partially implemented.
☐ Estimate likelihood for each major risk scenario.
☐ Estimate business impact for each major risk scenario.
☐ Consider financial loss, operational disruption, legal exposure, customer trust, data exposure, recovery time, and reputational damage.
☐ Assign a risk rating for each major scenario.
☐ Decide whether each risk should be reduced, transferred, avoided, or accepted.
☐ Assign an owner and next action for each important risk.
☐ Create a risk register.
☐ Review top risks with leadership.
☐ Confirm leadership agreement on priority risks.
# Measure Current Security Maturity Gap Checklist
☐ Choose a maturity baseline or practical control reference.
☐ Define the control areas to measure.
☐ Include identity and access, backups, systems hardening, patching, endpoint protection, email protection, cloud/SaaS protection, network protection, logging, incident response, training, vendor access, and management ownership.
☐ Use a simple maturity scale.
☐ Score the current state for each control area.
☐ Define the target state for each control area.
☐ Document the gap between current and target maturity.
☐ Collect available evidence for each control area.
☐ Identify controls that exist only on paper.
☐ Identify quick wins.
☐ Identify higher-effort improvements that require budget, planning, or outside support.
☐ Record missing evidence, unclear ownership, exceptions, and unresolved items.
☐ Create a maturity gap tracker.
☐ Prepare a short maturity summary for leadership.
☐ Confirm which maturity gaps should become priority improvement actions.
# Final Assess Section Outputs
☐ Assessment owner and executive sponsor assigned.
☐ Assessment scope defined.
☐ Common attack scenarios identified.
☐ Current threat environment reviewed.
☐ Trusted cybersecurity source list created.
☐ Technology watchlist created.
☐ Compliance and contractual requirements collected.
☐ Requirements register created.
☐ Cyber insurance requirements reviewed.
☐ Risk assessment completed.
☐ Risk register created.
☐ Current security maturity measured.
☐ Target security maturity defined.
☐ Maturity gap tracker created.
☐ Quick wins identified.
☐ High-priority improvements identified.
☐ Open questions documented.
☐ Leadership briefing completed.
☐ Priority actions approved for the next sections of the playbook.