CISOs Due Diligence Review
PRABH NAIR
CISO BY DAY | MENTOR FOR LIFE
Columns: Area to Assess | Key Questions | Evidence to Review | Why It's Required

Area to Assess: Identity and Access Management
Key Questions:
- What processes are in place for managing user identities and access controls?
- Are multi-factor authentication (MFA) and role-based access control (RBAC) implemented?
- Have they experienced significant security incidents in the
Evidence to Review: IAM policies, access control logs, MFA implementation details
Why It's Required: Ensures only authorized individuals have access to critical systems and data, reducing the risk of insider threats and unauthorized access.

Area to Assess: Security Policies and Procedures
Key Questions:
- What are the company's security policies and procedures?
- How are these policies enforced and updated?
- Are employees regularly trained on security practices?
- How is system patching and updating managed?
Evidence to Review: Security policy documents, training records, policy enforcement logs
Why It's Required: Ensures the company has a solid foundation of security practices that are followed by all employees, maintaining overall security posture.

Area to Assess: Disaster Recovery and Business Continuity (BC/DR)
Key Questions:
- What are the company's disaster recovery (DR) and business continuity (BC) plans?
- How often are these plans tested?
Evidence to Review: BC/DR plans, test results, RTO/RPO documentation
Why It's Required: Ensures the company can quickly recover from disruptions, maintaining critical business functions and minimizing downtime.