A. Governance, Scope & Accountability

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| A-01 | Identify the executive sponsor responsible for cyber insurance readiness. | Named executive sponsor and approval record | Not Reviewed | High |
| A-02 | Assign a primary technical owner for questionnaire responses and evidence collection. | Owner list, escalation path, project tracker | Not Reviewed | High |
| A-03 | Confirm the legal business name, locations, employee count, and covered entities. | Corporate records and policy application scope | Not Reviewed | Medium |
| A-04 | Document critical business operations, revenue-impacting services, and operational dependencies. | Business-impact notes and dependency map | Not Reviewed | High |
| A-05 | Identify regulated, confidential, financial, health, customer, and employee data handled by the business. | Data classification summary | Not Reviewed | High |
| A-06 | Document internal IT staff, MSP, MSSP, cloud providers, and other technology vendors. | Vendor list with responsibilities | Not Reviewed | Medium |
| A-07 | Confirm the insurance application or renewal deadline and any broker follow-up dates. | Timeline and submission calendar | Not Reviewed | High |
| A-08 | Store the insurer questionnaire, prior responses, endorsements, and requested evidence in a controlled location. | Controlled document repository | Not Reviewed | High |

B. Questionnaire Accuracy & Evidence Readiness

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| B-01 | Review every questionnaire response against the current technical environment before submission. | Completed response review and sign-off | Not Reviewed | Critical |
| B-02 | Avoid unsupported answers, assumptions, or blanket statements that cannot be validated. | Evidence references attached to responses | Not Reviewed | Critical |
| B-03 | Identify responses that require clarification from the insurer or broker. | Clarification log | Not Reviewed | Medium |
| B-04 | Maintain screenshots, configuration exports, reports, policies, and supporting records for material controls. | Evidence index | Not Reviewed | High |
| B-05 | Record the date each control was validated and the person who validated it. | Validation register | Not Reviewed | Medium |
| B-06 | Document exceptions, compensating controls, planned remediation, and target dates. | Exception and remediation log | Not Reviewed | High |
| B-07 | Confirm that answers are consistent across the application, supporting documents, and internal records. | Final quality-control review | Not Reviewed | Critical |
| B-08 | Retain a final approved copy of the submitted questionnaire and supporting materials. | Submission archive | Not Reviewed | High |

C. Identity, MFA & Access Control

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| C-01 | Enforce multi-factor authentication for Microsoft 365 and business email users. | MFA coverage report | Not Reviewed | Critical |
| C-02 | Enforce MFA for administrator, privileged, and emergency access accounts. | Privileged-account MFA evidence | Not Reviewed | Critical |
| C-03 | Enforce MFA for VPN, remote-access tools, and remote desktop gateways. | VPN and remote-access settings | Not Reviewed | Critical |
| C-04 | Enforce MFA for cloud applications that store sensitive or business-critical information. | Cloud application inventory and MFA report | Not Reviewed | High |
| C-05 | Require strong authentication for third-party vendors and support providers. | Vendor-access review | Not Reviewed | High |
| C-06 | Disable or restrict legacy authentication protocols that bypass modern controls. | Legacy-authentication report | Not Reviewed | High |
| C-07 | Review inactive, dormant, duplicate, and former-employee accounts. | Account cleanup report | Not Reviewed | High |
| C-08 | Use role-based access and least-privilege principles for users and groups. | Access matrix and group review | Not Reviewed | High |
| C-09 | Review service accounts, shared accounts, and application credentials. | Service-account inventory | Not Reviewed | High |
| C-10 | Document onboarding, role-change, and offboarding procedures. | Access lifecycle procedure | Not Reviewed | Medium |
| C-11 | Review password policies, lockout settings, and self-service password reset controls. | Identity policy export | Not Reviewed | Medium |
| C-12 | Periodically review access for critical systems, cloud platforms, and sensitive data repositories. | Access-review records | Not Reviewed | High |

D. Privileged Access Management

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| D-01 | Maintain a current inventory of domain, cloud, network, firewall, server, and application administrators. | Privileged-account inventory | Not Reviewed | Critical |
| D-02 | Separate daily-use accounts from privileged administrator accounts. | Account naming standard and account list | Not Reviewed | High |
| D-03 | Restrict privileged access to authorized personnel with documented business need. | Approval records and role assignments | Not Reviewed | High |
| D-04 | Review global administrator roles in Microsoft 365 and Azure. | Role-assignment report | Not Reviewed | Critical |
| D-05 | Use dedicated administrative workstations or hardened access paths where appropriate. | Administrative-access procedure | Not Reviewed | Medium |
| D-06 | Log and review privileged actions on critical systems. | Audit log configuration and review records | Not Reviewed | High |
| D-07 | Protect emergency or break-glass accounts with documented controls and monitoring. | Emergency-account procedure | Not Reviewed | High |
| D-08 | Remove unnecessary local administrator rights from endpoints. | Endpoint privilege report | Not Reviewed | High |

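The checks behind C-01, C-02, C-06, C-07 and D-04 can be scripted once the tenant's user list, registered authentication methods and recent sign-ins have been exported. The Python below is an added example written for this page, not code from the original checklist or from Microsoft: the field and role names mirror Microsoft Entra ID exports, the users and sign-ins are constructed samples, and the 90-day dormancy threshold and the two-to-four Global Administrator range are assumptions to adjust to the organisation's own policy.

```python
"""Review an identity export for MFA coverage, privileged-role hygiene,
dormant accounts and legacy-protocol sign-ins. Added example for items
C-01, C-02, C-06, C-07 and D-04; not code from the original page. Field
and role names mirror Microsoft Entra ID exports; the rows are constructed."""
from datetime import date

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Exchange Administrator",
                    "Security Administrator", "User Administrator", "Application Administrator"}
MFA_METHODS = {"microsoftAuthenticatorPush", "softwareOath", "hardwareOath", "sms", "voice",
               "fido2", "windowsHelloForBusiness", "x509Certificate"}
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness", "x509Certificate"}
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
DORMANT_DAYS = 90  # assumption: the organisation's own dormancy threshold
RANK = {"Critical": 0, "High": 1, "Medium": 2}


def review_identities(users, sign_ins, as_of):
    """Return findings sorted by severity; `as_of` fixes the reference date for dormancy."""
    findings = []

    def add(upn, severity, text):
        findings.append({"upn": upn, "severity": severity, "finding": text})

    enabled_gas = [u["upn"] for u in users if u["accountEnabled"] and "Global Administrator" in u["roles"]]
    if len(enabled_gas) < 2:
        add("<tenant>", "High", "fewer than two enabled Global Administrators, so no break-glass cover")
    elif len(enabled_gas) > 4:
        add("<tenant>", "High", f"{len(enabled_gas)} enabled Global Administrators; keep it to two to four")
    # Accounts that completed a sign-in over a protocol Conditional Access cannot challenge for MFA.
    legacy_users = {s["upn"] for s in sign_ins if s["status"] == "success" and s["clientAppUsed"] in LEGACY_CLIENTS}
    for u in users:
        privileged = set(u["roles"]) & PRIVILEGED_ROLES
        if not u["accountEnabled"]:
            if privileged:
                add(u["upn"], "High", "disabled account still holds " + ", ".join(sorted(privileged)))
            continue
        methods = set(u["authMethods"])
        if not methods & MFA_METHODS:
            add(u["upn"], "Critical" if privileged else "High", "no MFA method registered")
        elif privileged and not methods & PHISHING_RESISTANT:
            add(u["upn"], "High", "privileged account has only phishable MFA (no FIDO2, WHfB or certificate)")
        last = u.get("lastSignIn")
        if last is None or (as_of - last).days > DORMANT_DAYS:
            add(u["upn"], "Medium", f"no sign-in in the last {DORMANT_DAYS} days")
        if u["upn"] in legacy_users:
            add(u["upn"], "High", "signed in successfully over a legacy protocol that bypasses MFA")
    return sorted(findings, key=lambda f: (RANK[f["severity"]], f["upn"]))


# Constructed sample export and reference date (not real tenant data).
SAMPLE_USERS = [
    {"upn": "admin-jdoe@example.com", "accountEnabled": True, "roles": ["Global Administrator"],
     "authMethods": ["password", "fido2"], "lastSignIn": date(2025, 1, 10)},
    {"upn": "jdoe@example.com", "accountEnabled": True, "roles": [],
     "authMethods": ["password", "microsoftAuthenticatorPush"], "lastSignIn": date(2025, 1, 14)},
    {"upn": "svc-backup@example.com", "accountEnabled": True, "roles": ["Global Administrator"],
     "authMethods": ["password"], "lastSignIn": date(2024, 6, 1)},
    {"upn": "ga-old@example.com", "accountEnabled": False, "roles": ["Global Administrator"],
     "authMethods": ["password"], "lastSignIn": date(2024, 1, 1)},
    {"upn": "contractor@example.com", "accountEnabled": True, "roles": [],
     "authMethods": ["password", "sms"], "lastSignIn": date(2024, 8, 1)},
    {"upn": "breakglass@example.com", "accountEnabled": True, "roles": ["Global Administrator"],
     "authMethods": ["password", "fido2"], "lastSignIn": None},
]
SAMPLE_SIGN_INS = [
    {"upn": "jdoe@example.com", "clientAppUsed": "Browser", "status": "success"},
    {"upn": "svc-backup@example.com", "clientAppUsed": "Authenticated SMTP", "status": "success"},
    {"upn": "contractor@example.com", "clientAppUsed": "IMAP4", "status": "failure"},
]
AS_OF = date(2025, 1, 15)


def sample_review():
    return review_identities(SAMPLE_USERS, SAMPLE_SIGN_INS, AS_OF)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f['severity']:8} {f['upn']:28} {f['finding']}")
```

On the sample the service account that holds Global Administrator with only a password surfaces three times (no MFA, dormant, still authenticating over SMTP), which is exactly the kind of account a questionnaire answer of "MFA is enforced for all administrators" would be contradicted by; the disabled account keeps its role and is reported separately, because role removal, not just disablement, is what the inventory in D-01 should show.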
E. Microsoft 365 & Email Security

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| E-01 | Review Microsoft Entra ID security settings and Conditional Access policies. | Conditional Access export | Not Reviewed | Critical |
| E-02 | Review Exchange Online anti-phishing, anti-spam, and anti-malware protections. | Email-security policy export | Not Reviewed | High |
| E-03 | Configure and validate SPF, DKIM, and DMARC for business domains. | DNS records and DMARC validation | Not Reviewed | High |
| E-04 | Review automatic forwarding, mailbox rules, delegated access, and suspicious inbox activity. | Mailbox-rule and forwarding report | Not Reviewed | High |
| E-05 | Review external sharing settings for SharePoint, OneDrive, and Teams. | Sharing configuration report | Not Reviewed | High |
| E-06 | Enable and retain appropriate audit logs for identity, email, collaboration, and administrative activities. | Audit-log settings and retention evidence | Not Reviewed | High |
| E-07 | Review risky users, risky sign-ins, impossible travel, and suspicious login activity. | Identity protection review | Not Reviewed | High |
| E-08 | Review administrator roles, app registrations, enterprise applications, and OAuth consent. | Application and role inventory | Not Reviewed | High |
| E-09 | Confirm appropriate licensing and security tooling for the organization’s risk profile. | License and security-tool inventory | Not Reviewed | Medium |
| E-10 | Document email incident response steps for phishing, compromised accounts, and fraudulent payment requests. | Email incident playbook | Not Reviewed | High |

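E-03 asks for validation of SPF, DKIM and DMARC, not just their presence. The Python below is an added example (not code from the original page) that applies the checks a reviewer would otherwise run by hand against one domain's TXT records: a single SPF record that stays within the ten-lookup limit and ends in an enforcing `all`, a DMARC record with an enforcing policy, full `pct` and a reporting address, and a DKIM selector whose key is published and not obviously short. The records are constructed samples passed in as strings, so nothing is resolved over DNS; the DKIM key-length threshold is a heuristic assumption.

```python
"""Offline SPF, DKIM and DMARC record checks (added example for item E-03;
not code from the original page). Records are passed in as strings, so the
constructed samples at the bottom resolve nothing over DNS."""
import base64

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup; RFC 7208 caps at 10


def _tags(record):
    """Parse the 'k=v; k2=v2' tag list syntax shared by DMARC and DKIM."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Findings for the TXT records at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers return permerror)")
    terms = spf[0].split()[1:]
    # Drop the qualifier and any ':'/'=' argument to get the bare mechanism name.
    names = [t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower() for t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        findings.append("SPF: ends in +all, which authorises any sender")
    elif last == "?all":
        findings.append("SPF: ends in ?all (neutral), so nothing is enforced")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("SPF: record does not end with an 'all' mechanism or a redirect")
    return findings


def check_dmarc(txt_records):
    """Findings for the TXT records at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no v=DMARC1 record published"]
    findings = []
    if len(recs) > 1:
        findings.append("DMARC: more than one record (receivers ignore all of them)")
    tags = _tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag, so the record is ignored")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if policy in ("quarantine", "reject") and tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


def check_dkim(txt_records):
    """Findings for the TXT records at <selector>._domainkey.<domain>."""
    recs = [r for r in txt_records if "p=" in r.replace(" ", "")]
    if not recs:
        return ["DKIM: no key record published for this selector"]
    tags = _tags(recs[0])
    key = tags.get("p", "")
    if not key:
        return ["DKIM: empty p= tag, the key has been revoked"]
    findings = []
    if tags.get("k", "rsa").lower() == "rsa":
        try:
            der_len = len(base64.b64decode(key, validate=True))  # binascii.Error is a ValueError
        except ValueError:
            return ["DKIM: p= is not valid base64"]
        # Heuristic (assumption): RSA-2048 SubjectPublicKeyInfo is ~294 DER bytes, RSA-1024 ~162.
        if der_len < 270:
            findings.append(f"DKIM: RSA key is only {der_len} DER bytes, likely under 2048 bits")
    return findings


def audit_domain(spf_txt, dmarc_txt, dkim_by_selector):
    """Run all three checks; an empty list means that record passed."""
    report = {"spf": check_spf(spf_txt), "dmarc": check_dmarc(dmarc_txt)}
    for selector, recs in dkim_by_selector.items():
        report[f"dkim:{selector}"] = check_dkim(recs)
    return report


# Constructed sample records for example.com, not real DNS data.
SAMPLE = {
    "spf": ["v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 ~all"],
    "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
    "dkim": {"selector1": ["v=DKIM1; k=rsa; p=" + "A" * 392]},
}

if __name__ == "__main__":
    for record, findings in audit_domain(SAMPLE["spf"], SAMPLE["dmarc"], SAMPLE["dkim"]).items():
        print(record, "OK" if not findings else "; ".join(findings))
```

The sample domain passes SPF and DKIM but is only monitoring with DMARC, which is the most common gap behind a "yes" answer to this item: a `p=none` record proves nothing to a receiving server, so the remediation note should carry the date the policy moves to `quarantine` or `reject`.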
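For E-04, the forwarding and mailbox-rule review is easiest to do against an export of every mailbox's inbox rules and forwarding address. The Python below is an added example, not code from the original page: it flags the rule patterns typical of business email compromise (external forwarding or redirection, rules that delete mail or bury it in folders such as RSS Subscriptions, keyword matches on invoice or payment terms, mark-as-read, and blank or single-character rule names). Field names follow the Exchange Online `Get-InboxRule` and `Get-Mailbox` property names; the mailboxes, rules and internal-domain list are constructed assumptions.

```python
"""Audit exported inbox rules and mailbox forwarding for business email
compromise patterns. Added example for item E-04, not code from the original
page. Field names follow Exchange Online Get-InboxRule / Get-Mailbox output;
every row below is a constructed sample."""
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
BEC_KEYWORDS = {"invoice", "payment", "wire", "bank", "ach", "remittance", "password", "mfa", "verification"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive", "conversation history"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def external_addresses(values):
    """Extract SMTP addresses from strings like '"Me" [SMTP:me@example.net]' and keep external ones."""
    found = []
    for value in values or []:
        for addr in ADDR_RE.findall(value):
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                found.append(addr.lower())
    return found


def audit_inbox_rule(mailbox, rule):
    """Return a finding dict for a suspicious rule, or None if it looks benign."""
    reasons, severity = [], None
    targets = [a for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
               for a in external_addresses(rule.get(field))]
    if targets:
        reasons.append("forwards or redirects mail to external " + ", ".join(sorted(set(targets))))
        severity = "High"
    words = {w.lower() for w in (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])}
    bec_hits = words & BEC_KEYWORDS
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
    if hides:
        reasons.append("deletes or hides matching mail" + (f" in '{rule['MoveToFolder']}'" if folder else ""))
        severity = "High" if bec_hits else (severity or "Medium")
    if bec_hits:
        reasons.append("matches payment or credential keywords: " + ", ".join(sorted(bec_hits)))
        severity = severity or "Medium"
    if rule.get("MarkAsRead") and (hides or bec_hits):
        reasons.append("marks mail as read so the owner never notices it")
    name = (rule.get("Name") or "").strip()
    if len(name) <= 1 or set(name) <= {"."}:
        reasons.append(f"suspicious rule name {name!r}")
        severity = severity or "Low"
    if not reasons:
        return None
    return {"mailbox": mailbox, "rule": name, "enabled": bool(rule.get("Enabled", True)),
            "severity": severity, "reasons": reasons}


def audit_mailbox_forwarding(mailbox, forwarding_smtp_address):
    """Mailbox-level forwarding; ForwardingSmtpAddress looks like 'smtp:user@host'."""
    targets = external_addresses([forwarding_smtp_address or ""])
    if not targets:
        return None
    return {"mailbox": mailbox, "rule": "<mailbox forwarding>", "enabled": True, "severity": "High",
            "reasons": ["mailbox-level forwarding to external " + targets[0]]}


def audit_export(mailboxes):
    """Run both checks over an export and sort the findings by severity, then mailbox."""
    findings = []
    for mb in mailboxes:
        fwd = audit_mailbox_forwarding(mb["mailbox"], mb.get("ForwardingSmtpAddress"))
        if fwd:
            findings.append(fwd)
        for rule in mb.get("rules", []):
            hit = audit_inbox_rule(mb["mailbox"], rule)
            if hit:
                findings.append(hit)
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["mailbox"]))


# Constructed sample export: one BEC-style hiding rule, one external forward,
# one benign rule and one mailbox with mailbox-level forwarding set.
SAMPLE_EXPORT = [
    {"mailbox": "finance@example.com", "ForwardingSmtpAddress": None, "rules": [
        {"Name": ".", "Enabled": True, "SubjectContainsWords": ["invoice", "payment"],
         "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True, "DeleteMessage": False},
        {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["newsletter"],
         "MoveToFolder": "Newsletters", "MarkAsRead": False, "DeleteMessage": False},
    ]},
    {"mailbox": "j.doe@example.com", "ForwardingSmtpAddress": None, "rules": [
        {"Name": "Forward to personal", "Enabled": True,
         "ForwardTo": ['"J Doe" [SMTP:j.doe.home@example.net]']},
    ]},
    {"mailbox": "cfo@example.com", "ForwardingSmtpAddress": "smtp:cfo.backup@example.net", "rules": []},
]

if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f["severity"], f["mailbox"], f["rule"], "|", "; ".join(f["reasons"]))
```

Disabled rules are still reported (the `enabled` flag is carried in the finding) because an attacker who has lost interactive access can re-enable one later; the cleanup evidence for this item should show the rule removed, not just switched off.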
F. Endpoint Security, EDR & Device Control

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| F-01 | Maintain an accurate inventory of workstations, laptops, servers, and mobile devices. | Device inventory | Not Reviewed | High |
| F-02 | Deploy antivirus and endpoint detection and response protection to supported endpoints. | EDR coverage report | Not Reviewed | Critical |
| F-03 | Review endpoints that are offline, unmanaged, unsupported, or missing protection. | Coverage exception report | Not Reviewed | Critical |
| F-04 | Monitor endpoint alerts and document the escalation process. | Alert-handling procedure | Not Reviewed | High |
| F-05 | Apply disk encryption to laptops and other portable devices that store business data. | Encryption compliance report | Not Reviewed | High |
| F-06 | Restrict unauthorized software installation and risky browser extensions where appropriate. | Application-control settings | Not Reviewed | Medium |
| F-07 | Review local administrator privileges and remove unnecessary elevated access. | Local admin review | Not Reviewed | High |
| F-08 | Use screen locking, secure configurations, and device hardening standards. | Endpoint baseline documentation | Not Reviewed | Medium |
| F-09 | Document lost-device, stolen-device, and remote-wipe procedures. | Mobile-device incident procedure | Not Reviewed | Medium |
| F-10 | Retire or isolate unsupported operating systems and obsolete devices. | Lifecycle and replacement plan | Not Reviewed | High |

G. Patching & Vulnerability Reduction

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| G-01 | Document a patch-management process for operating systems, applications, servers, and network devices. | Patch-management procedure | Not Reviewed | High |
| G-02 | Apply critical security updates within defined risk-based timelines. | Patch compliance reports | Not Reviewed | Critical |
| G-03 | Track exceptions for systems that cannot be patched promptly. | Exception register and compensating controls | Not Reviewed | High |
| G-04 | Perform recurring vulnerability scans for internal and internet-facing assets. | Recent vulnerability scan reports | Not Reviewed | High |
| G-05 | Prioritize remediation by severity, exploitability, exposure, and business impact. | Remediation tracker | Not Reviewed | High |
| G-06 | Update firewall, router, switch, wireless, VPN, and security-appliance firmware. | Firmware inventory and update records | Not Reviewed | High |
| G-07 | Review unsupported software, end-of-life systems, and obsolete applications. | Technology lifecycle inventory | Not Reviewed | High |
| G-08 | Validate remediation of high-risk findings with rescans or follow-up review. | Closure evidence | Not Reviewed | High |
| G-09 | Track externally exposed services and remove unnecessary exposure. | External attack-surface inventory | Not Reviewed | Critical |
| G-10 | Document vulnerability ownership, deadlines, and escalation procedures. | Remediation governance record | Not Reviewed | Medium |

H. Firewall, VPN, Network & Remote Access

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| H-01 | Maintain a current network diagram showing firewalls, routers, switches, wireless networks, VPNs, and major systems. | Current network diagram | Not Reviewed | High |
| H-02 | Review firewall rules and remove obsolete, duplicate, broad, or unnecessary access. | Firewall-rule review report | Not Reviewed | Critical |
| H-03 | Review NAT rules, port forwarding, public IP exposure, and published services. | External exposure inventory | Not Reviewed | Critical |
| H-04 | Restrict remote desktop exposure and avoid direct internet-facing RDP access. | Remote-access validation | Not Reviewed | Critical |
| H-05 | Require secure VPN or controlled remote-access methods with MFA. | VPN configuration evidence | Not Reviewed | Critical |
| H-06 | Review third-party vendor remote access and limit it by business need. | Vendor remote-access register | Not Reviewed | High |
| H-07 | Enable firewall logging, alerting, and periodic review. | Firewall logging configuration | Not Reviewed | High |
| H-08 | Use network segmentation for sensitive systems, servers, backups, and critical operations where appropriate. | Segmentation diagram and rule review | Not Reviewed | High |
| H-09 | Review wireless security, guest access, encryption standards, and administrative passwords. | Wireless configuration review | Not Reviewed | Medium |
| H-10 | Change default credentials and restrict management interfaces on network devices. | Network-device hardening checklist | Not Reviewed | High |
| H-11 | Review DNS filtering, web filtering, and protective gateway controls where used. | Gateway-security settings | Not Reviewed | Medium |
| H-12 | Document firewall changes, approvals, and periodic recertification. | Change-management records | Not Reviewed | Medium |

I. Backup, Recovery & Business Continuity

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| I-01 | Identify systems, applications, cloud services, and data that require backup or recovery planning. | Backup scope inventory | Not Reviewed | Critical |
| I-02 | Maintain protected backups with appropriate isolation from production credentials and ransomware exposure. | Backup architecture and access review | Not Reviewed | Critical |
| I-03 | Use offsite, immutable, offline, or logically separated backup options where appropriate. | Backup protection evidence | Not Reviewed | Critical |
| I-04 | Restrict backup-administration access and require strong authentication. | Backup admin account review | Not Reviewed | High |
| I-05 | Document backup frequency, retention, and recovery objectives. | Backup policy and schedule | Not Reviewed | High |
| I-06 | Perform recurring restore tests and retain the results. | Restore-test records | Not Reviewed | Critical |
| I-07 | Confirm that Microsoft 365, cloud workloads, databases, and line-of-business systems are addressed. | Application recovery matrix | Not Reviewed | High |
| I-08 | Document recovery priorities for critical systems and business processes. | Recovery-priority list | Not Reviewed | High |
| I-09 | Maintain business-continuity procedures for major outages, ransomware, and technology failures. | Business-continuity plan | Not Reviewed | High |
| I-10 | Review backup monitoring, failed-job alerts, storage capacity, and escalation procedures. | Backup-monitoring report | Not Reviewed | High |
| I-11 | Protect backup documentation and recovery credentials in a controlled location. | Recovery documentation register | Not Reviewed | Medium |
| I-12 | Review recovery dependencies such as internet connectivity, hardware, licensing, vendors, and facility access. | Dependency checklist | Not Reviewed | Medium |

J. Incident Response & Ransomware Readiness

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| J-01 | Maintain a written incident response plan with roles, contacts, and escalation procedures. | Incident response plan | Not Reviewed | Critical |
| J-02 | Define the process for isolating affected systems, disabling accounts, and preserving evidence. | Containment playbook | Not Reviewed | Critical |
| J-03 | Document ransomware response steps, recovery priorities, and executive decision paths. | Ransomware playbook | Not Reviewed | Critical |
| J-04 | Maintain current contact information for leadership, IT, legal counsel, broker, carrier, vendors, and forensic resources. | Incident contact list | Not Reviewed | High |
| J-05 | Define internal and external communication procedures for suspected incidents. | Communication plan | Not Reviewed | High |
| J-06 | Conduct periodic tabletop exercises for realistic incident scenarios. | Tabletop agenda and after-action report | Not Reviewed | High |
| J-07 | Train employees to report suspicious activity quickly. | Reporting procedure and training records | Not Reviewed | Medium |
| J-08 | Define evidence-preservation procedures for logs, devices, email, and cloud systems. | Evidence-preservation checklist | Not Reviewed | High |
| J-09 | Document lessons learned and remediation actions after security events. | Post-incident review records | Not Reviewed | Medium |
| J-10 | Review cyber insurance notification requirements with qualified insurance and legal advisors. | Notification contact sheet and advisory notes | Not Reviewed | High |

K. Logging, Monitoring & Threat Detection

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| K-01 | Identify security-relevant logs for firewalls, VPNs, endpoints, servers, identity platforms, email, and cloud services. | Logging inventory | Not Reviewed | High |
| K-02 | Retain logs for an appropriate period based on operational, investigative, and contractual needs. | Retention configuration | Not Reviewed | High |
| K-03 | Monitor endpoint and security alerts and document response expectations. | Monitoring and escalation procedure | Not Reviewed | High |
| K-04 | Review failed logins, anomalous access, risky sign-ins, and privileged activity. | Periodic security review records | Not Reviewed | High |
| K-05 | Review firewall, VPN, and remote-access logs for suspicious activity. | Network-log review records | Not Reviewed | High |
| K-06 | Centralize logs or use SIEM capabilities where appropriate for the environment. | SIEM or centralized logging evidence | Not Reviewed | Medium |
| K-07 | Protect logs from unauthorized modification or deletion. | Log-access controls | Not Reviewed | Medium |
| K-08 | Define alert severity, ownership, escalation timing, and documentation requirements. | Alert matrix | Not Reviewed | Medium |

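K-04 and E-07 call for a review of failed logins, anomalous access and impossible travel, and the three patterns that matter most are simple enough to encode rather than eyeball. The Python below is an added example, not code from the original page, that runs three detections over constructed sign-in records in a simplified CSV layout: password spraying (one source IP failing against many distinct users inside a short window), brute force that ends in a success, and impossible travel (consecutive successes for one user whose implied speed exceeds a threshold). The thresholds, the log layout, the IP addresses and the coordinates are all assumptions.

```python
"""Three failed-login detections over sign-in records: password spraying,
brute force ending in a success, and impossible travel. Added example for
items K-04 and E-07, not code from the original page; the log is constructed."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions; tune them to the environment's sign-in volume.
SPRAY_MIN_USERS, SPRAY_WINDOW = 5, timedelta(minutes=10)
BRUTE_MIN_FAILURES = 5
MAX_TRAVEL_KMH = 900


def parse_lines(lines):
    """Parse 'timestamp,user,ip,result,city,lat,lon' rows into events sorted by time."""
    events = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, ip, result, city, lat, lon = line.strip().split(",")
        events.append({"time": datetime.fromisoformat(ts.replace("Z", "+00:00")), "user": user.lower(),
                       "ip": ip, "result": result, "city": city, "lat": float(lat), "lon": float(lon)})
    return sorted(events, key=lambda e: e["time"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin(math.radians(lat2 - lat1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_password_spray(events):
    """One source IP failing against many distinct users inside SPRAY_WINDOW."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    hits = []
    for ip, fails in by_ip.items():
        for i, first in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["time"] - first["time"] <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_USERS:
                hits.append({"ip": ip, "users": len(users), "start": first["time"]})
                break
    return hits


def detect_brute_force(events):
    """A run of failures against one user from one IP that ends in a success."""
    streak, hits = defaultdict(int), []
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            streak[key] += 1
            continue
        if streak[key] >= BRUTE_MIN_FAILURES:
            hits.append({"user": e["user"], "ip": e["ip"], "failures": streak[key], "success_at": e["time"]})
        streak[key] = 0
    return hits


def detect_impossible_travel(events):
    """Consecutive successes for one user whose implied speed exceeds MAX_TRAVEL_KMH."""
    last_seen, hits = {}, []
    for e in (x for x in events if x["result"] == "success"):
        prev = last_seen.get(e["user"])
        if prev and prev["ip"] != e["ip"]:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = max((e["time"] - prev["time"]).total_seconds() / 3600, 1 / 3600)
            if km / hours > MAX_TRAVEL_KMH:
                hits.append({"user": e["user"], "from": prev["city"], "to": e["city"], "kmh": round(km / hours)})
        last_seen[e["user"]] = e
    return hits


def run_detections(lines):
    events = parse_lines(lines)
    return {"password_spray": detect_password_spray(events), "brute_force": detect_brute_force(events),
            "impossible_travel": detect_impossible_travel(events)}


# Constructed sample log: documentation-range IPs, approximate coordinates.
SAMPLE_LOG = """
2025-01-14T06:00:00Z,dave@example.com,198.51.100.20,success,London,51.51,-0.13
2025-01-14T08:01:00Z,alice@example.com,198.51.100.7,success,London,51.51,-0.13
2025-01-14T08:02:10Z,alice@example.com,203.0.113.9,success,Lagos,6.52,3.38
2025-01-14T09:00:00Z,bob@example.com,192.0.2.50,failure,Unknown,0,0
2025-01-14T09:00:05Z,carol@example.com,192.0.2.50,failure,Unknown,0,0
2025-01-14T09:00:11Z,dave@example.com,192.0.2.50,failure,Unknown,0,0
2025-01-14T09:00:16Z,erin@example.com,192.0.2.50,failure,Unknown,0,0
2025-01-14T09:00:22Z,frank@example.com,192.0.2.50,failure,Unknown,0,0
2025-01-14T11:00:00Z,victim@example.com,192.0.2.77,failure,Unknown,0,0
2025-01-14T11:00:03Z,victim@example.com,192.0.2.77,failure,Unknown,0,0
2025-01-14T11:00:06Z,victim@example.com,192.0.2.77,failure,Unknown,0,0
2025-01-14T11:00:09Z,victim@example.com,192.0.2.77,failure,Unknown,0,0
2025-01-14T11:00:12Z,victim@example.com,192.0.2.77,failure,Unknown,0,0
2025-01-14T11:00:15Z,victim@example.com,192.0.2.77,success,Unknown,0,0
2025-01-14T18:00:00Z,dave@example.com,198.51.100.21,success,New York,40.71,-74.01
""".strip().splitlines()

if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(name, hits or "none")
```

Note the two deliberate non-hits in the sample: the five failures against `victim` from one IP are not a spray (one user), and `dave` signing in from London and then New York twelve hours later stays under the speed threshold, so only the one-minute London-to-Lagos pair is reported. Keeping the thresholds as named constants is what makes the review repeatable, which is the point of the "periodic security review records" evidence this item asks for.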
L. Data Protection & Encryption

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| L-01 | Identify sensitive data locations across servers, endpoints, cloud platforms, email, and third-party systems. | Data-location inventory | Not Reviewed | High |
| L-02 | Use encryption for sensitive data in transit and at rest where appropriate. | Encryption settings and validation | Not Reviewed | High |
| L-03 | Apply laptop and portable-device encryption. | Device encryption compliance report | Not Reviewed | High |
| L-04 | Restrict access to sensitive file shares, databases, and cloud repositories. | Permissions review | Not Reviewed | High |
| L-05 | Review external sharing, guest access, public links, and file-transfer practices. | External sharing report | Not Reviewed | High |
| L-06 | Document secure data retention and disposal procedures. | Retention and disposal policy | Not Reviewed | Medium |
| L-07 | Review removable-media controls and portable-storage risks. | Removable-media procedure | Not Reviewed | Medium |
| L-08 | Document data-breach escalation paths and affected-data assessment steps. | Data incident procedure | Not Reviewed | High |

M. Vendor, MSP & Third-Party Risk

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| M-01 | Maintain a list of MSPs, MSSPs, cloud providers, software vendors, payment providers, and critical third parties. | Third-party inventory | Not Reviewed | High |
| M-02 | Document which vendors access systems, networks, cloud platforms, or sensitive data. | Vendor access matrix | Not Reviewed | High |
| M-03 | Require appropriate authentication and least-privilege access for vendors. | Vendor access-control review | Not Reviewed | High |
| M-04 | Remove inactive vendor accounts and review shared support credentials. | Vendor-account cleanup report | Not Reviewed | High |
| M-05 | Review contracts for security responsibilities, incident notification, and support expectations. | Contract review notes | Not Reviewed | Medium |
| M-06 | Document how third-party incidents will be reported, escalated, and coordinated. | Vendor incident procedure | Not Reviewed | Medium |
| M-07 | Periodically review critical vendors based on data access and operational dependency. | Vendor review schedule | Not Reviewed | Medium |
| M-08 | Document backup, recovery, and continuity dependencies involving vendors. | Vendor continuity checklist | Not Reviewed | Medium |

N. Security Awareness & Workforce Controls

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| N-01 | Provide recurring security-awareness training for employees. | Training records | Not Reviewed | High |
| N-02 | Include phishing, password safety, MFA fatigue, suspicious links, payment fraud, and reporting procedures. | Training curriculum | Not Reviewed | High |
| N-03 | Provide role-specific guidance for executives, finance staff, administrators, and employees handling sensitive data. | Role-based training records | Not Reviewed | Medium |
| N-04 | Document onboarding and offboarding security steps. | HR and IT checklist | Not Reviewed | High |
| N-05 | Review employee reporting channels for suspected phishing, lost devices, and suspicious activity. | Reporting instructions | Not Reviewed | Medium |
| N-06 | Conduct phishing-awareness exercises where appropriate. | Exercise summary and remediation notes | Not Reviewed | Medium |
| N-07 | Require employees to acknowledge acceptable-use and security policies. | Policy acknowledgment records | Not Reviewed | Medium |
| N-08 | Train finance and leadership teams on business email compromise and payment-change verification. | Finance fraud-prevention procedure | Not Reviewed | High |

O. Cloud, Azure & Hosted Systems

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| O-01 | Maintain an inventory of Azure, cloud, SaaS, hosted, and externally managed systems. | Cloud-service inventory | Not Reviewed | High |
| O-02 | Review cloud administrator roles, MFA coverage, privileged access, and guest accounts. | Cloud identity review | Not Reviewed | Critical |
| O-03 | Review exposed workloads, public IPs, storage, databases, and internet-facing services. | Cloud exposure report | Not Reviewed | Critical |
| O-04 | Review cloud logging, monitoring, alerting, and retention settings. | Cloud logging evidence | Not Reviewed | High |
| O-05 | Review storage permissions, public access, encryption, and data-sharing settings. | Cloud storage review | Not Reviewed | High |
| O-06 | Document backup and recovery arrangements for cloud workloads and SaaS data. | Cloud recovery matrix | Not Reviewed | High |
| O-07 | Review third-party integrations, service principals, application registrations, and secrets. | Integration inventory | Not Reviewed | High |
| O-08 | Apply secure configuration baselines and document remediation for material findings. | Cloud hardening checklist | Not Reviewed | Medium |

P. Policies, Documentation & Final Review

| ID | Control | Evidence | Status | Priority |
|---|---|---|---|---|
| P-01 | Maintain written policies for access control, passwords, MFA, acceptable use, patching, backups, incident response, and business continuity. | Policy library | Not Reviewed | High |
| P-02 | Maintain current inventories for users, devices, servers, applications, vendors, cloud services, and network equipment. | Inventory records | Not Reviewed | High |
| P-03 |
 Maintain current network diagrams and data-flow or dependency diagrams where needed. | Architecture documentation | Not Reviewed | Medium |
| P-04 | Document security exceptions, compensating controls, owners, deadlines, and remediation status. | Exception register | Not Reviewed | High |
| P-05 | Review the completed checklist with leadership, IT, and authorized stakeholders. | Review meeting notes | Not Reviewed | High |
| P-06 | Prioritize critical gaps before the application or renewal deadline. | Prioritized remediation plan | Not Reviewed | Critical |
| P-07 | Confirm that supporting evidence is organized and accessible to authorized reviewers. | Evidence package | Not Reviewed | High |
| P-08 | Obtain final internal approval before submitting questionnaire responses. | Final sign-off | Not Reviewed | Critical |
| P-09 | Retain the final submission, supporting documents, and remediation plan for future renewals. | Controlled archive | Not Reviewed | High |
| P-10 | Schedule periodic follow-up reviews so readiness work continues after submission. | Follow-up calendar | Not Reviewed | Medium |
