D1

Governance & Risk Management

Leadership accountability, risk framework, and security policies

Does your organisation have a documented information security policy approved by senior management?
Look for a formal security policy that is reviewed regularly, approved by the board or senior leadership, and communicated to all staff. Cyber Essentials (CE) requires a defined assessment scope; ISO 27001 Clause 5.2 requires an ISMS policy; CAF A1 requires governance; DORA Art.5 requires ICT risk governance by the management body.
Do you maintain a formal risk assessment process that identifies, analyses, and treats information security risks?
A risk register with likelihood/impact scoring, documented risk treatment plans with owners, and reviews at a defined interval or after significant change. ISO 27001 Clause 6.1; CAF A2 risk management; DORA Art.6 ICT risk management framework.
Are information security roles and responsibilities clearly defined and assigned?
Named individuals responsible for security governance, a CISO or equivalent role, and clear accountability chains up to senior leadership. ISO 27001 A.5.1-2; CAF A1 governance; DORA Art.5 management body responsibilities.
Do you maintain an up-to-date inventory of information assets including hardware, software, data, and services?
A configuration management database or asset register covering all in-scope systems, with an owner and classification for each asset. ISO 27001 A.5.9-10; CAF A3 asset management; DORA Art.8 identification of ICT assets and supported business functions.
Is there a security awareness and training programme for all staff, including role-specific training for technical teams?
Regular training (at least annually), phishing simulations, and tailored content for developers and administrators. ISO 27001 Clauses 7.2-3 and A.6.3; CAF B6 staff awareness and training; DORA Art.13 learning and evolving.
D2

Access Control

Identity management, authentication, and privilege control

D3

Network & Boundary Security

Firewalls, network segmentation, and perimeter defences

D4

Secure Configuration

Hardening, baseline configurations, and change management

D5

Patch & Update Management

Vulnerability management, patching cadence, and software lifecycle

D6

Incident Response

Detection, response, recovery, and reporting capabilities

D7

Third-Party & Supply Chain

Vendor risk management, contracts, and ongoing oversight