
CISO REVIEW

Due Diligence List

MERGER & ACQUISITION

PRABH NAIR
CISO BY DAY | MENTOR FOR LIFE
Columns: Area to Assess | Key Questions | Evidence Required to Review | Why It's Required

Area to Assess: Regulatory Compliance
Key Questions:
- Is the company compliant with Indian regulatory requirements (e.g., RBI guidelines, Data Privacy Laws)?
- Are there any pending compliance issues or violations?
Evidence Required to Review: Compliance reports, audit results, regulatory certificates
Why It's Required: Ensures the company meets legal requirements and avoids potential fines or sanctions.

Area to Assess: Data Security
Key Questions:
- How is sensitive financial and customer data protected?
- What data encryption methods are used for data at rest and in transit?
- Are there any data breaches in the company's history?
Evidence Required to Review: Data encryption policies, breach history reports
Why It's Required: Protects sensitive information from unauthorized access and ensures data integrity and confidentiality.

Area to Assess: Identity and Access Management
Key Questions:
- What processes are in place for managing user identities and access controls?
- Are multi-factor authentication (MFA) and role-based access control (RBAC) implemented?
Evidence Required to Review: IAM policies, access control logs, MFA implementation details
Why It's Required: Ensures only authorized individuals have access to critical systems and data, reducing the risk of insider threats and unauthorized access.

Area to Assess: Incident Response
Key Questions:
- What is the company's incident response plan?
- How quickly can they detect and respond to security incidents?
- Have they experienced significant security incidents in the
Evidence Required to Review: Incident response plan, incident reports, response time metrics
Why It's Required: Ensures the company can effectively manage and mitigate the impact of security incidents, reducing downtime and potential damage.

Area to Assess: Risk Management
Key Questions:
- How does the company identify, assess, and mitigate security risks?
- Is there a risk management framework in place?
- Are risk assessments conducted regularly?
Evidence Required to Review: Risk assessment reports, risk register, risk management framework
Why It's Required: Ensures the company proactively identifies and addresses potential security risks, reducing the likelihood and impact of security incidents.

Area to Assess: Third-Party Risk Management
Key Questions:
- How are third-party vendors assessed and managed from a security perspective?
- Are there any third-party dependencies that pose significant security risks?
Evidence Required to Review: Third-party risk assessments, vendor contracts, security reviews
Why It's Required: Ensures third-party vendors meet security standards, reducing the risk of supply chain attacks and data breaches through external partners.

Area to Assess: Security Policies and Procedures
Key Questions:
- What are the company's security policies and procedures?
- How are these policies enforced and updated?
- Are employees regularly trained on security practices?
Evidence Required to Review: Security policy documents, training records, policy enforcement logs
Why It's Required: Ensures the company has a solid foundation of security practices that are followed by all employees, maintaining overall security posture.

Area to Assess: Technology Infrastructure
Key Questions:
- What technologies and systems are in use?
- Are there any outdated or unsupported systems that pose security risks?
- How is system patching and updating managed?
Evidence Required to Review: Technology inventory, system patch records, update policies
Why It's Required: Ensures the technology infrastructure is up-to-date and secure, reducing the risk of vulnerabilities being exploited due to outdated systems.

Area to Assess: Disaster Recovery and Business Continuity (BC/DR)
Key Questions:
- What are the company's disaster recovery (DR) and business continuity (BC) plans?
- How often are these plans tested?
- What is the RTO (Recovery Time Objective) and RPO (Recovery Point Objective)?
Evidence Required to Review: BC/DR plans, test results, RTO/RPO documentation
Why It's Required: Ensures the company can quickly recover from disruptions, maintaining critical business functions and minimizing downtime.

Area to Assess: Financial Health
Key Questions:
- What is the financial stability of the company in terms of supporting ongoing security initiatives?
- Are there any budget constraints affecting security investments?
Evidence Required to Review: Financial statements, budget reports, investment records
Why It's Required: Ensures the company has the necessary financial resources to sustain and improve security measures, supporting long-term security strategy and initiatives.
