1. Written information security policy, reviewed annually?

Yes No / Not sure

Required by every framework. Start with a 5-page doc — refine later.

2. Acceptable use policy all employees sign?

Yes No / Not sure

Covers what's OK / not-OK with company data and devices.

3. Access control review (quarterly)?

Yes No / Not sure

Review who has access to what. Remove stale accounts. SOC 2 mandate.

4. Background checks on employees handling sensitive data?

Yes No / Not sure

Required under SOC 2, HIPAA BAA agreements.

5. Change management process (tracked code deploys)?

Yes No / Not sure

Git history + PR reviews satisfy most auditor requirements.

6. Vendor risk management program?

Yes No / Not sure

SOC 2 questionnaires for all critical vendors.

7. Data classification policy (public, internal, confidential)?

Yes No / Not sure

Even a 1-page classification doc meets the baseline.

8. Encryption standards documented and enforced?

Yes No / Not sure

TLS in transit, AES-256 at rest, key rotation policies.

9. Incident response plan + tabletop exercise yearly?

Yes No / Not sure

Auditors want evidence you've actually walked through a scenario.

10. Business continuity / DR tested annually?

Yes No / Not sure

RTO/RPO documented + a restore you actually did.

11. Audit logging + monitoring for production systems?

Yes No / Not sure

At minimum: auth logs, admin actions, data access.

12. Security awareness training completed by ≥ 95% of staff yearly?

Yes No / Not sure

Required by SOC 2, HIPAA, GDPR. Track completion.

13. Physical security controls documented (if you have an office)?

Yes No / Not sure

Badge access, visitor log, equipment inventory.

Compliance Gap Checker