Section 00
Client Information
Organisation details, branch offices, audit type, scope
Instructions: Complete all client information before starting the audit. This questionnaire supports on-site and remote (video call) audits. Answer all sections for the Head Office first, then use Notes fields for branch-specific differences.
Organisation Details
Audit Details
Audit Scope
Section 01
Domain Management
Domains, registrars, DNS, renewal, MFA
Domain Inventory & Ownership
D01: List all company-owned domain names, registrars, expiry dates, and registered owners. (Critical)
D02: What is the Primary Domain Name used for official communications? (Critical)
D03: Which domain is used for official email communication? (Critical)
D04: Are all domains registered under the company's legal entity (not individual names)? (Critical)
D05: Are all domains consolidated under a single registrar? (High)
D06: Is MFA enabled on all domain registrar and DNS control panel accounts? (Critical)
D07: Is auto-renewal enabled? Are renewal reminder alerts configured? (Critical)
D08: Are there known issues with domain spoofing or impersonation attacks? (Critical)
DNS & Technical
D09: Are DNS records (A, MX, SPF, DKIM, DMARC, CNAME) documented and consistent? (High)
D10: Is there a documented domain management process with access controls and escalation path? (High)
D11: Who manages the company's domain/s? (High)
Section 02
Website Hosting
SSL, admin access, WAF, backups, CMS
Website Inventory
W01: List all company websites and web applications. (Critical)
W02: Who manages the company's website/s? (Critical)
W03: Who is the Website Hosting Service Provider? (High)
W04: Which framework/technology was used to develop the website/s? (High)
Access & Authentication
W05: Does the company have direct admin access to all website control panels? Are credentials documented? (Critical)
W06: Is MFA enabled for all website admin logins (CMS, hosting panel, FTP/SFTP)? (Critical)
Security
W07: Are valid SSL/TLS certificates on all websites? Is HTTP redirected to HTTPS? (Critical)
W08: Are security updates (CMS, plugins, themes) applied on a defined schedule? (Critical)
W09: Is a Web Application Firewall (WAF) deployed for public-facing websites? (High)
Backups & Integrations
W10: Are automated backups configured (files + database)? Is an offline copy maintained? (Critical)
W11: What Third-Party Service Integrations are connected to the website? (High)
W12: Is the website architecture documented? Are integrations listed with credentials managed securely? (High)
Analytics & SEO
W13: Is website traffic monitored via analytics? Are reports reviewed? (Medium)
W14: Is SEO configured (meta tags, XML sitemaps, robots.txt)? (Medium)
Section 03
Email Hosting
SPF/DKIM/DMARC, filtering, DLP, archiving
Platform & Accounts
E01: What email hosting platform is in use? (Critical)
E02: Who is the Email Hosting Service Provider? Who manages it? (Critical)
E03: What is the annual cost per user for the current email plan? (High)
E04: How many active email accounts? Are group/distribution lists or shared mailboxes configured? (High)
E05: Does the company have direct admin access to the email console? (Critical)
Security Configuration
E06: Are SPF, DKIM, and DMARC records correctly configured? Is DMARC set to quarantine/reject? (Critical)
E07: Are there known issues with email spoofing or domain impersonation? (Critical)
E08: Is a strong password policy enforced for all email accounts? (Critical)
E09: Is MFA / 2FA enabled on all email accounts? (Critical)
E10: Is inbound email filtering active for spam, phishing, and malware? (Critical)
E11: Is outbound DLP configured to detect/block sensitive data via email? (Critical)
Configuration & Usability
E12: What is the allowed maximum email attachment size? (Medium)
E13: Are personal Gmail or external accounts used for company business? (High)
Compliance & Continuity
E14: Are audit logs available for email access and activity? (High)
E15: Is email archiving/journaling enabled for compliance and legal discovery? (High)
E16: Are automated email backups scheduled and tested? (High)
E17: Have there been recent incidents of email downtime or latency? (High)
E18: Is hybrid email hosting in use or being considered? (Medium)
Section 04
Network Infrastructure
Firewall, VLANs, VPN, WiFi, ISP, monitoring
Network Overview
N01: What type of network is deployed? (High)
N02: What type of LAN connectivity is used? (High)
N03: How many computers/endpoints (laptops, desktops, servers) are on the network? (High)
N04: How many network switches are in use? (High)
N05: What are the models/brands of network switches in use? (High)
N06: Who are the ISPs and what connectivity do they provide? (High)
Firewall & Perimeter
N07: Is a hardware or software firewall deployed and actively in use? (Critical)
N08: Is there an active subscription for security services on the Firewall (AV, IPS, content filtering)? (Critical)
N09: When does the Firewall security subscription expire? (Critical)
N10: Are firewall security policies defined and configured (inbound/outbound rules, access controls)? (Critical)
N11: Are Intrusion Detection/Prevention Systems (IDS/IPS) in place and enabled? (Critical)
Segmentation & VPN
N12: Is network traffic segmented using VLANs? Are critical servers, users, and guests separated? (Critical)
N13: Is there a DMZ configured for public-facing services? (High)
N14: Is a VPN deployed for remote access? Is MFA required for VPN connections? (Critical)
N15: Are critical systems segregated from user and guest networks? (Critical)
ISP Redundancy
N16: Is there load balancing or automatic failover between ISPs? (High)
IP Addressing & DHCP
N17: What is the LAN IP addressing scheme / private IP ranges? (High)
N18: What is the logical network addressing (private IPs for servers, workstations, printers)? (High)
N19: Are DHCP reservations / MAC bindings configured for critical devices? (High)
WiFi
N20: List all company SSIDs currently active and visible. (High)
N21: List all WiFi devices (access points, routers, mesh nodes). (High)
N22: Is there a separate SSID for guest access, isolated from corporate traffic? (High)
N23: Are WiFi passwords strong and rotated periodically? (High)
N24: Is there a WiFi coverage heatmap available for the office? (Medium)
N25: Are network printers segmented and access-controlled? (Medium)
Monitoring & Hardening
N26: Are bandwidth usage and bottlenecks monitored regularly? (High)
N27: Are bandwidth consumption limits set or enforced? (Medium)
N28: Are firmware and OS versions up-to-date on all network devices? (High)
N29: Are configuration backups taken regularly for all network devices? (High)
N30: Are changes to network configurations logged and audited? (High)
N31: Are default system passwords changed upon setup for all network devices? (Critical)
N32: Is 2FA enforced for administrative access to network devices? (High)
N33: Who has administrative access to networking devices? (High)
N34: Any additional network-related information to share. (Medium)
Section 05
Hardware Management
Inventory, encryption, lifecycle, helpdesk
Asset Inventory
H01: Is a centralised hardware asset inventory maintained with unique asset IDs/barcodes? (High)
H02: Are hardware assets categorised by type (servers, desktops, laptops, printers)? (High)
H03: Are purchase date, warranty, and vendor details recorded for all devices? (High)
H04: What hardware is provided by the company to users? (High)
H05: What is the standard specification for desktops and laptops? (High)
Servers & Infrastructure
H06: What type of servers do you have on-premise? (High)
H07: Are servers rack-mounted, labelled, and physically secured? Is RAID configured? (High)
Security & Access
H08: Is endpoint encryption (BitLocker/FileVault) enabled on all laptops and portable devices? (Critical)
H09: Are local administrator privileges restricted to IT staff only? (Critical)
H10: Are hardware assets securely locked and tracked? (High)
Lifecycle & Policies
H11: Is there a hardware lifecycle/replacement policy (3-5 year cycle)? (High)
H12: Is there a documented hardware procurement policy with approval workflow? (High)
H13: Are preventive maintenance routines in place? (High)
H14: Are old devices wiped/data destroyed before disposal or reassignment? (Critical)
H15: Is there an e-waste policy with certified recyclers? (High)
H16: Is there a defined theft/loss reporting process? (High)
H17: Is there an onboarding/exit policy for IT asset allocation and recovery? (High)
Helpdesk & Support
H18: Is there an IT Helpdesk/Ticketing System to track user-reported issues? (High)
H19: Who manages and supports IT Hardware? (High)
H20: Is there an escalation matrix shared by the IT Service Provider? (High)
H21: Are hardware needs reviewed periodically by the IT team or vendor? (High)
H22: Is user feedback on hardware performance collected? (Medium)
H23: Are reported hardware/IT issues analysed regularly for patterns? (Medium)
Section 06
Software Management
Licensing, RBAC, SAM, standardisation
Software Asset Management
S01: Is a centralised software asset inventory maintained (applications, license types, versions, renewals)? (High)
S02: Are all installed applications properly licensed? Are there unlicensed/pirated installations? (High)
S03: Are all systems using genuine, licensed Operating Systems? (Critical)
S04: Are records of license keys, purchase invoices, and renewal dates maintained? (High)
S05: Are license renewals proactively managed with reminders and ownership? (High)
S06: Are software versions and release dates tracked for all applications? (High)
Access Control
S07: Is Role-Based Access Control (RBAC) implemented for all business applications? (High)
S08: Is software access based on least privilege? (Critical)
S09: Is there a formal de-provisioning process? Are terminated users promptly removed? (Critical)
Standardisation & Compliance
S10: Is OS deployment standardised across the organisation? (High)
S11: Is the email client standardised company-wide? (High)
S12: Are open-source software licenses monitored for compliance? (Medium)
S13: Is unauthorised software installation prohibited and technically enforced? (Critical)
Critical & Custom Applications
S14: What mission-critical applications are in use? (Critical)
S15: Are mission-critical applications formally documented (user guides, version history)? (Critical)
S16: Are custom-built applications documented and under version control? (High)
S17: Are software dependencies (libraries, runtimes, APIs) listed and maintained? (High)
S18: Are regular application audits or code reviews conducted? (High)
S19: Are development and test environments separated from production? (High)
Endpoint Security Software
S20: List all antivirus/EDR solutions active and installed. (Critical)
S21: Are antivirus/EDR solutions centrally managed with real-time alerts? (Critical)
S22: Are security patches applied to applications promptly? (Critical)
Remote Access & Additional Software
S23: Are remote access tools (AnyDesk, TeamViewer) governed or restricted? (Critical)
S24: List all 'Other' software critical to your business not captured above. (High)
S25: Who manages and supports Software used in the company? (High)
Section 07
Data Management
Storage, classification, DLP, lifecycle
Data Storage & Inventory
DM01: Where is company data primarily stored? (Critical)
DM02: What types of data does the company create, store, or process? (Critical)
DM03: What storage systems are in use? (High)
DM04: Where is company-owned data primarily stored (primary location)? (High)
Classification & Organisation
DM05: Is data classified by sensitivity (Public, Internal, Confidential, Restricted)? (Critical)
DM06: Are standardised file naming conventions and folder structures enforced? (High)
DM07: Is data storage architecture documented (locations, access paths, backup procedures)? (High)
Access Control & Monitoring
DM08: Is access to sensitive data logged and monitored? (Critical)
DM09: Are access controls reviewed periodically? (Critical)
DM10: Are changes to access rights logged and auditable? (Critical)
DLP & External Sharing
DM11: Is a DLP solution deployed to prevent unauthorised data sharing? (Critical)
DM12: Is data shared with third parties? Are NDAs signed? Are secure transfer methods used? (Critical)
DM13: Are email attachments and external storage links (Drive, WhatsApp) controlled? (High)
DM14: Are customer leads/campaign data stored securely with access controls? (High)
Lifecycle & Policy
DM15: Is there a defined data lifecycle policy (creation, retention, archiving, disposal)? (High)
DM16: Is there a formal data management policy implemented and communicated? (Critical)
DM17: Are users trained on data handling and classification? (High)
Section 08
Backup & Disaster Recovery
Coverage, encryption, immutability, DR
Backup Coverage
B01: What data is currently being backed up? List all systems covered. (Critical)
B02: What backup software or platform is being used? (High)
B03: What is the backup frequency for critical systems? (High)
B04: What types of data are included in backups? What is explicitly excluded? (Critical)
B05: Where are backups stored? (Critical)
Security & Integrity
B06: Are backups encrypted at rest and in transit? (Critical)
B07: Are backup systems protected with MFA? (Critical)
B08: Are immutable (WORM) backups configured for ransomware protection? (Critical)
B09: Are cross-region or multi-availability-zone backups configured? (High)
B10: Are SaaS applications (M365, Google Workspace, Salesforce) backed up separately? (Critical)
DR & Testing
B11: Are restore and failover procedures tested periodically? (Critical)
B12: Are automated DR mechanisms (failover, replication) configured? (Critical)
B13: Is there a formal DR Plan integrated with a Business Continuity Plan? (Critical)
Governance
B14: Is there a documented backup policy (frequency, retention, encryption, testing)? (Critical)
B15: Is internal ownership of backup administration assigned? (High)
B16: Who is responsible for data backup administration? (High)
Section 09
Security Governance
CISO, MFA, patching, EDR, SIEM, vulns
Security Leadership
SEC01: Is there a designated CISO, IT Security Officer, or equivalent? (Critical)
Authentication & Access
SEC02: Is MFA/2FA enforced for all critical systems (email, VPN, ERP, admin consoles, cloud)? (Critical)
SEC03: Are strong password policies enforced organisation-wide? (Critical)
SEC04: Are role-based access controls (RBAC) implemented for all systems? (Critical)
SEC05: Are inactive user accounts disabled or deleted promptly? (Critical)
SEC06: Are audit logs maintained for all critical systems? Are access rights changes logged? (Critical)
Patch Management
SEC07: Is there a defined patch management policy with specific timelines? (Critical)
SEC08: Are OS and third-party applications patched regularly? (Critical)
SEC09: Are security patches applied to applications promptly? (Critical)
Endpoint Protection
SEC10: Are EDR solutions in place and actively updated on all endpoints? (Critical)
SEC11: Are file-sharing and USB/external device usage controlled or monitored? (High)
Logging & Monitoring
SEC12: Is there a SIEM or centralised logging/monitoring solution? (Critical)
SEC13: Are audit logs maintained for data access and modification? (Critical)
Vulnerability Management
SEC14: Are regular vulnerability scans conducted (internal and external)? (High)
SEC15: Have external penetration tests been conducted? (High)
SEC16: Are regular security audits conducted? (High)
Hardening & Change Control
SEC17: Are system hardening guidelines applied to all devices, servers, and network equipment? (High)
SEC18: Are default system passwords changed upon setup for all devices? (Critical)
SEC19: Are changes to IT systems controlled and documented (change management)? (High)
Physical Security
SEC20: Are surveillance systems (CCTV) in place and operational? (High)
SEC21: Are physical security controls in place for the server room? (High)
SEC22: Are hardware assets securely locked and tracked? (High)
Section 10
IT Policies
8 core IT policy documents, enforcement
Instructions: For each policy confirm: (1) exists in writing, (2) communicated to all staff, (3) actively enforced, (4) reviewed at least annually.
Core IT Governance
P01: Is there a formal IT policy implemented and communicated to all employees? (Critical)
P02: Is there a documented Information Security Policy? (Critical)
P03: Are IT compliance policies documented, approved, and communicated? (Critical)
Policy Status Check
P04: Acceptable Use Policy (AUP) — IT resources, internet, email, social media. (Critical)
P05: Are employees required to sign or acknowledge the AUP? (High)
P06: Are consequences for policy violations clearly outlined? (High)
P07: Access Control Policy — RBAC, least privilege, provisioning, de-provisioning. (Critical)
P08: Password Management Policy — complexity, expiry, no reuse, password manager. (Critical)
P09: Incident Response Policy — severity levels, escalation, containment, recovery. (Critical)
P10: Backup & Disaster Recovery Policy — frequency, retention, encryption, testing. (Critical)
P11: BYOD / Mobile Device Policy — personal device use, MDM, security controls. (High)
P12: Are BYOD practices covered in the IT Policy? (High)
P13: Data Management Policy — classification, retention, disposal, third-party sharing. (Critical)
Internet, Social Media & Software
P14: Are rules defined for internet browsing, downloads, and streaming on company devices? (High)
P15: Is personal email, personal cloud storage, and social media use addressed in policy? (High)
P16: Is unauthorised software installation explicitly prohibited and technically enforced? (Critical)
Additional Policies
P17: Software Management Policy — acquisition, licensing, installation, updates. (High)
P18: Training & Awareness Policy — mandatory security training, phishing simulations. (High)
P19: Monitoring & Audit Policy — IT monitoring, audit scope and frequency. (High)
P20: Is there a change management policy for controlled IT system changes? (High)
P21: Is there an employee onboarding/exit policy for IT assets and access? (Critical)
Section 11
Power Backup
UPS, generator, switchover, maintenance
Primary Power & UPS
PW01: What is the primary power source? (High)
PW02: What backup power source is available? (High)
PW03: Is the UPS deployed for all critical IT infrastructure (servers, network, CCTV, EPABX)? (High)
PW04: What is the backup time provided by the UPS? (High)
PW05: Is the UPS monitored for performance and alarms? (High)
PW06: Are UPS batteries tested and replaced per lifecycle recommendations? (High)
Generator
PW07: Is a backup generator installed? (High)
PW08: What is the backup time provided by the Generator? (High)
PW09: Is there automatic switchover between mains and generator? Has it been tested? (Critical)
Infrastructure & Maintenance
PW10: Are power cables properly routed, labelled, and protected? (High)
PW11: Are earthing/grounding systems tested regularly? (High)
PW12: Are SLAs defined with power and maintenance vendors? (High)
PW13: Is predictive maintenance implemented for UPS and generator? (Medium)
PW14: Is there a designated Emergency Response Team (ERT) for power/IT outages? (High)
PW15: Is power infrastructure documented (cabling diagram, battery logs, earthing records)? (High)
Section 12
User Awareness
Training, phishing, 2FA adoption, BYOD
Security Training
U01: Have employees received formal cybersecurity awareness training? (Critical)
U02: Is there a formal security awareness and training program? (Critical)
U03: Have phishing simulation exercises been conducted? (High)
Password & Authentication Practices
U04: What proportion of users regularly change work account passwords? (High)
U05: What is the current 2FA/MFA adoption rate? (Critical)
Data & Phishing Awareness
U06: Do users know how to recognise and report phishing scams? (High)
U07: Do users know how to protect sensitive data? (High)
U08: How do users handle sensitive data (customer info, financial records)? (High)
Device & Behaviour
U09: Have users downloaded/installed unauthorised software on company devices? (High)
U10: Are personal devices (BYOD) used for work? Are they secured? (High)
U11: Do users use public WiFi or unsecured networks for work? (High)
U12: Are company mobile devices managed via MDM? (High)
U13: Are corporate and personal mobile devices governed by an MDM/UEM policy? (High)
U14: Who is responsible for managing and maintaining BYOD devices? (High)
User-Reported Issues
U15: What are the most common IT issues reported by end users? (High)
U16: Are reported IT issues analysed regularly for patterns and root causes? (High)
Section 13
Vendor Management
Contracts, SLAs, NDAs, vetting
Vendor Inventory
V01: List all IT vendors and service providers currently in use. (High)
V02: Who is the primary outsourced vendor/point of contact for IT services? (High)
Contracts & SLAs
V03: Is there an MSA, SLA, or formal contract with each vendor? (High)
V04: Do contracts include scope, SLAs, NDA, data handling, and termination clauses? (High)
V05: Are there clear exit or termination clauses in all vendor contracts? (High)
V06: Is there an NDA/confidentiality agreement with all vendors handling company data? (Critical)
Vendor Vetting & Risk
V07: Is there a process to vet vendors before engagement? (High)
V08: Is there a lock-in risk due to vendor contracts or proprietary integrations? (High)
V09: Are contingency plans or backup vendors identified for critical services? (High)
Performance & Offboarding
V10: Is vendor performance regularly reviewed against SLAs? (High)
V11: Is there a process to remove third-party access after contract termination? (Critical)
V12: Are vendor-related risks assessed with mitigation plans? (High)
Section 14
Compliance
Regulatory, frameworks, governance
Regulatory Requirements
C01: Which IT-related laws and regulations apply to this organisation? (High)
C02: Have formal IT compliance audits been performed previously? (High)
C03: Are IT compliance audits performed regularly (internal and external)? (High)
C04: Are IT compliance policies documented, approved, and communicated? (High)
Frameworks & Standards
C05: Are security best practices/standards (CIS, NIST, ISO 27001) referenced in security design? (High)
Governance
C06: Is there a designated IT Compliance Officer or team? (High)
C07: Who is the designated IT Compliance Officer or team? (High)
C08: Is IT governance reviewed by senior management periodically? (High)
C09: Is there IT compliance documentation acknowledged by relevant staff? (High)
Section 15
IT Budgeting
IT budget, tracking, roadmap, ROI
IT Budget
BG01: Is there a formal, approved annual IT budget? (Medium)
BG02: Does the budget cover hardware, software, maintenance, security, training, and contingency? (Medium)
BG03: Is IT spending tracked against budget regularly? (Medium)
IT Strategy & Planning
BG04: Is there a multi-year IT roadmap or strategy document? (Medium)
BG05: Has a cost-benefit analysis or ROI assessment been done for major IT investments? (Medium)
BG06: Are IT billing reports and costs reviewed monthly? (Medium)
Section 16
Social Media (NEW)
Accounts, MFA, content governance, data
Section 16 — Social Media (NEW): Captures all company social media accounts, admin access, security controls, content governance, and data practices.
Account Inventory
SM01: List all official Social Media accounts of the company. (Critical)
SM02: Are all Social Media accounts linked to official business email IDs (not personal emails)? (Critical)
Admin Access & Security
SM03: Who currently has admin/owner access to each company Social Media account? (Critical)
SM04: Is 2FA / MFA enabled for all company Social Media accounts? (Critical)
SM05: Are former employees removed from Social Media admin access upon exit? (Critical)
Content & Brand
SM06: Is there a company brand guideline document for Social Media content? (High)
SM07: Is Social Media posting governed by an approval workflow? (High)
SM08: Are Social Media accounts monitored for unauthorised posts or brand impersonation? (High)
Data & Campaigns
SM09: Are customer leads and data from Social Media campaigns stored securely? (High)
SM10: Is data collected via Social Media forms processed in compliance with privacy regulations? (High)
SM11: Any additional Social Media-related information to share. (Medium)
Section 17
Cloud Infrastructure (NEW)
IaaS/PaaS/SaaS, access, costs, resilience
Section 17 — Cloud Infrastructure (NEW): Covers cloud services (IaaS, PaaS, SaaS), access governance, cost optimisation, monitoring, and cloud-specific security.
Cloud Overview
CL01: Does the organisation use cloud infrastructure? (High)
CL02: Who manages the company's cloud infrastructure? (High)
CL03: List all cloud services in use. (High)
CL04: Are cloud services documented and categorised by type, purpose, and owner? (High)
Access Control & Security
CL05: Are access controls and permissions for cloud resources reviewed regularly? (Critical)
CL06: Is MFA enforced for all cloud platform logins (AWS, Azure, GCP, M365 Admin)? (Critical)
CL07: Are RBAC controls applied to all cloud resources? (Critical)
CL08: Are system hardening guidelines applied to cloud instances? (High)
Monitoring & Alerting
CL09: Are monitoring tools used to track cloud resource performance and health? (High)
CL10: Are alerts configured for resource changes, high usage, and suspicious activity? (Critical)
CL11: Are audit logs enabled and retained for all cloud services? (Critical)
Cost Optimisation
CL12: Are billing reports reviewed monthly? Is cost anomaly detection configured? (High)
CL13: Are reserved/spot instances or savings plans used for cost optimisation? (Medium)
CL14: What is the approximate monthly/annual cloud spend? (Medium)
Resilience & Backup
CL15: Are auto-scaling and load balancing implemented for critical cloud services? (High)
CL16: Are cross-region or multi-availability-zone backups configured? (High)
CL17: Are development and test environments separated from production in the cloud? (High)
Governance & Compliance
CL18: Is there a lock-in risk due to cloud provider contracts or proprietary formats? (High)
CL19: Are data residency and sovereignty requirements considered? (High)
CL20: Any additional cloud infrastructure information to share. (Medium)
Section 18
Summary & Report
Review completion, sign-off, export
Auditor Observations & Findings