Supplier Assessment Framework

Framework Domains

A. Security Governance
B. Security Certifications
C. HR Security
D. IT Operations
E. Software Development
F. Network and Cloud Security
G. Physical Security
H. Business Resilience
I. Supply Chain Management
J. Data Protection
K. Artificial Intelligence
XA. Financial Risk
XB. Environmental, Social and Governance
XC. UK Government Data and Personnel Security

Domain J: Data Protection
This domain covers compliance with data protection legislation.
01) Does your organisation conduct an annual independent information security review and act upon the findings?
Answer yes if your organisation engages a third party to conduct an annual information security review, and the findings are assessed by your organisation and acted upon where necessary. If yes, add the date of your last review to the notes.
02) Does your organisation have an appointed person responsible for information security, such as a CISO?
Answer yes if your organisation has an appointed role that is responsible for managing and implementing security controls throughout your business. Confirm the role and its responsibilities in the notes or upload a job role description as evidence.
03) Does your organisation have a documented Cybersecurity Policy or Information Security Policy?
Answer yes if your organisation has a documented Cybersecurity Policy or Information Security Policy that has been reviewed in the last year. Upload the Information Security Policy as evidence.
04) Does your organisation have a formal policy on the use of mobile devices?
Answer yes if your organisation has a documented Mobile Device Policy that has been reviewed in the last year. Upload the Mobile Device Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
05) Does your organisation have a formal policy for remote working that includes security?
Answer yes if your organisation has a documented Remote Working Policy that has been reviewed in the last year. Provide the Remote Working Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
06) Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information?
Answer yes if your organisation has a documented Acceptable Use Policy that has been reviewed in the last year. Upload the Acceptable Use Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
07) Does your organisation have a documented Information Classification Policy?
Answer yes if your organisation has a documented Information Classification Policy that has been reviewed in the last year and that outlines the data handling procedures in operation within your organisation. Upload the Information Classification Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
08) Does your organisation have a documented Access Control Policy?
Answer yes if your organisation has a documented Access Control Policy that has been reviewed in the last year. Upload the Access Control Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
09) Does your organisation have a policy governing the use of cloud services?
Answer yes if your organisation has a documented policy on the use of cloud services, and if it has been reviewed in the last year. The policy should include information security requirements for the acquisition, use, management, and exit from cloud services. Upload the Cloud Services Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
10) Does your organisation have a Password Policy that is technically enforced throughout its IT estate?
Answer yes if your organisation has a documented Password Policy which is enforced technically throughout the IT estate. Upload the Password Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes. Also include information about any controls you have to prevent brute-force attacks on passwords, such as account lockout thresholds or time-delays between password attempts.
11) Does your organisation have a documented Backup Policy?
Answer yes if your organisation has a documented Backup Policy that has been reviewed in the last year. Upload the Backup Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
12) Does your organisation enforce a Clear Desk and Screen Policy?
Answer yes if your organisation has implemented and enforces a Clear Desk and Screen Policy. Upload the Clear Desk and Screen Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
13) Does your organisation prevent the use of removable media, and is this enforced technically?
Answer yes if your organisation blocks the use of removable media on your network and if this is enforced through the use of a technical control.
14) If the use of removable media is not prohibited and enforced technically, is its use subject to other compensatory controls?
Answer yes if your organisation subjects the use of removable media to compensatory controls (these can include DLP solutions, encrypted USB drives, training and awareness etc.). If yes, state the nature of these controls within the notes.
15) Are your organisation's information security policies accessible to all employees?
Answer yes if all of your employees have continuous access to your organisation's up-to-date policies (for example, through an intranet, cloud service, or networked drive).
16) Are your organisation's information security policies reviewed and approved by senior management at least annually?
Answer yes if all of your organisation's security policies are reviewed and approved by senior management.
17) Has your organisation documented senior management roles and responsibilities for security within your organisation?
Answer yes if your organisation has clearly defined and documented the security roles and responsibilities of senior management. Upload the documented roles as evidence.
18) Does your organisation include information security during the planning and delivery of projects?
Answer yes if you include information security in your planning and delivery of projects (for example, by conducting a security risk assessment of each project and implementing project controls).
19) Does your organisation restrict employee access to business information based upon the principle of least privilege?
Answer yes if you only give each employee access to the business information that they require to complete their job role (this is known as the principle of least privilege).
20) Does your organisation have an internal audit function that ensures information security requirements are being met by the business?
Answer yes if you have an internal team that audits your security function against your policies to ensure compliance. Provide information on the frequency of the audits in the notes.
21) Does your organisation conduct security risk assessments for your full IT estate at least annually?
Answer yes if your organisation conducts regular (at least annual) security risk assessments against the whole IT estate and takes appropriate action. Following a risk assessment, identified risks should be tracked, with assigned owners and risk treatment plans.
22) Does your organisation have a formal confidentiality or non-disclosure agreement in place for all staff, contractors and third parties?
Answer yes if you require everyone who has access to confidential information to sign a confidentiality agreement or NDA. Upload a template NDA or confidentiality agreement as evidence.
23) Does your organisation segregate duties to prevent unauthorised disclosure or access to information?
Answer yes if your organisation has identified and segregated relevant duties to help reduce errors and to prevent fraud. Give an example of such segregation in the notes.
24) Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?
25) Does your organisation use threat intelligence to inform decisions about information security?
Answer yes if your organisation uses threat intelligence to make smarter decisions relating to information security strategy, policy, processes or operations. This could be collected, analysed and produced internally, or gathered from external sources such as information services or special interest groups. In the notes section, describe how you collect, analyse and use threat intelligence within your organisation, or upload a document as supporting evidence.
05) Are you PCI DSS compliant?
Answer yes if your organisation is compliant with the PCI DSS security standard. If you have answered no, please state whether or not you process, store or transmit payment card data. If you have certified against the standard, please provide your certificate.
07) Does your organisation have a defined process for managing and monitoring Third-Party Service Providers (TPSP) that provide services impacting your PCI DSS compliance?
Answer yes if you have a defined process for monitoring the PCI DSS compliance status of any relevant TPSPs. For applicable TPSPs, provide their AoC.
08) Does your organisation have any other certifications or audit reports that cover information security (such as a SOC 2 report)?
01) Does your organisation perform background checks on staff and contractors?
Answer yes if background checks are conducted against staff before they join your organisation. In the notes section, please outline the types of checks (e.g. employer reference, criminal records, BPSS, CTC, SC, DV) conducted for which roles or provide a supporting document (as a PDF file) as evidence.
04) Is there a formal disciplinary process for employees who have breached company policy (including any breaches of company security policy)?
Answer yes if your organisation has a formal disciplinary process that is followed if an employee is found to have intentionally breached company policy. Please provide a document outlining the process (as a PDF file) as evidence (this may be covered by your organisation's Disciplinary Policy).
16) Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems including servers, endpoints, network devices and systems hosted in a cloud environment?
Answer yes if your organisation has a configuration process that is followed for all IT assets. The process should define security settings and disable unneeded services, thereby reducing your attack surface. Describe how your secure configuration process is performed, including both automated and manual checks. Upload any relevant documentation as evidence.
17) Do all systems (such as network devices) have their default credentials changed on installation or provision?
Answer yes if all of your organisation's IT systems (network devices and user accounts for services) have their default credentials changed on installation or provision.
13) Is your organisation able to demonstrate the composition and provenance of software it develops (including third-party and open-source components)?
14) Does your organisation continuously monitor all software components for vulnerabilities?
33) Is your organisation currently registered with the UK National Cyber Security Centre’s (NCSC) Early Warning service?
06) Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?
Answer yes if your organisation checks that suppliers are continually meeting their security requirements whilst you are in contract with them, through a regular assurance process (e.g. quarterly, annually). Provide details of your current process. The Risk Ledger platform can make this easier for you - get in touch!
13) Is client data and information (e.g. prompts) used to train AI models?
Answer yes if any client data is used to train your AI model, or any external AI models used to provide your services. Describe which client data may be used to train AI models and how this is communicated to those clients.
14) Does your organisation have a formal AI model change management process that gives consideration to information security and regulatory requirements and includes notification to relevant clients?
Answer yes if your organisation has a formal change management process that includes a step to assess any security or legal compliance risks that the change may impact, requires a rollback plan, and includes processes for notifying relevant clients of the changes and any consequential processing differences. Change management can apply if either the AI model is updated, or the data applied to the model is changed (e.g. the model is applied to support new services processing different client data). Upload a copy of your AI change management process, or describe the process in the notes section.
15) Does your organisation have processes in place to identify, triage and remediate the effects of AI model updates?
Answer yes if your organisation evaluates the effects of changes to the underlying AI model, whether that model is created and maintained by you or is adopted and applied from an external source (e.g. Amazon Bedrock AI as a Service). Change impacts can include changes in output accuracy or bias and the potential need to reprocess historic data for analysis consistency. Describe how you evaluate the effects of these changes or upload supporting documentation.
07) What are your scope 1 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 1 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 1 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
08) What are your scope 2 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 2 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 2 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
09) What are your scope 3 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 3 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 3 emissions, please enter zero as your numerical answer and state this clearly in the notes section.