Risk Profile Questionnaire
Complete applicable sections. Select Yes, No, or Unsure. Provide context where appropriate.
Organization
Date
Company Name
Primary Contact
Email Address
Job Title
1. Regulatory & Compliance Context
1.1 We handle data subject to HIPAA, PCI-DSS, GDPR, or CCPA.
1.2 Customers/partners require certifications or attestations.
List certifications line by line (e.g., SOC 2 Type II, ISO 27001, PCI SAQ A).
1.3 We have documented legal/regulatory/contractual obligations.
2. Identity & Access Management
2.1 Each employee has a unique account; no shared logins.
2.2 MFA is enforced for admin, VPN, and email accounts.
2.3 Accounts are disabled immediately upon departure.
2.4 Password/access policies are documented and enforced.
3. Data Protection
3.1 Backups are performed regularly and stored securely.
3.2 Backup recovery testing is performed periodically.
Most recent backup test date
3.3 Sensitive data is encrypted at rest and in transit.
3.4 Data retention & disposal policies are defined and followed.
4. Endpoint & Network Security
4.1 All devices are managed via endpoint management (MDM/Intune).
4.2 Antivirus/EDR is installed and monitored on all systems.
4.3 Operating systems and software are patched regularly.
4.4 Firewall and VPN are in place for remote access.
5. Monitoring & Incident Response
5.1 Logs are collected and reviewed from key systems.
5.2 An incident response plan is documented and periodically tested.
Last incident response test date
5.3 Employee Name
Job Title
5.4 Security incidents within the last year have been documented and analyzed.
6. Vendor & Third-Party Risk
6.1 A list of key third-party vendors is maintained.
6.2 Vendors with data/system access are reviewed periodically.
6.3 Vendor contracts include security requirements.
7. Physical & Environmental Security
7.1 Access to offices/secure areas is restricted and monitored.
7.2 Visitor badges and logs are used for tracking access.
7.3 Sensitive paper documents are secured and shredded when disposed.
8. Asset & Change Management
8.1 An up-to-date inventory of hardware/software/cloud assets exists.
8.2 Changes to critical systems require approval or review.
8.3 Configuration changes are documented and version controlled.
9. Policies, Awareness & Training
9.1 Written IT/security policies exist and are accessible.
9.2 Employees receive annual security awareness training.
9.3 Phishing simulations or similar exercises are performed.
10. Business Continuity
10.1 A documented BCP/DR plan exists.
10.2 The plan is tested at least annually.
Last BCP/DR test date
10.3 Maximum tolerable downtime (RTO/RPO) is defined and reviewed.
11. Privacy & Data Handling
11.1 There is a process for responding to data access/deletion requests.
11.2 Personal data is stored only as long as necessary.
11.3 Privacy obligations are communicated to staff handling personal data.
12. Final Notes & Submission
12.1 Additional comments, risks, or context.