Ved å klikke på «Godta», godtar du lagring av informasjonskapsler på enheten din for å forbedre nettstednavigering, analysere nettstedsbruk og hjelpe til med markedsføringsarbeidet vårt. Se vår Personvernerklæring for mer informasjon.
NekterGodta
Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Domain
A
Security Governance
This domain covers how your security governance is designed, implemented, and maintained.
Security Risks
Domain
B
Security Certifications
This domain covers how your organisation maintains compliance with key security certifications.
Security Risks
Domain
C
HR Security
This domain covers the security controls you have implemented to mitigate security risk from your employees.
Security Risks
Domain
D
IT Operations
This domain covers the security controls you have implemented to maintain the health of your IT systems and processes.
Security Risks
Domain
E
Software Development
This domain covers the security controls you have implemented during the development of your IT applications.
Security Risks
Domain
F
Network and Cloud Security
This domain covers the security controls you have implemented to maintain the security and integrity of your corporate network and any cloud infrastructure.
Security Risks
Domain
G
Physical Security
This domain covers the physical security controls you have implemented to protect your organisation's physical premises.
Security Risks
Domain
H
Business Resilience
This domain covers the processes and plans you have in place to ensure a quick recovery if a failure occurs.
Security Risks
Domain
I
Supply Chain Management
This domain covers the processes and controls you have in place to ensure the security risk from your supply chain is mitigated.
Security Risks
Domain
J
Data Protection
This domain covers compliance with data protection legislation.
Security Risks
Domain
K
Artificial Intelligence
This domain covers use of Artificial Intelligence (AI) in your organisation and what you have done to prevent, identify, and respond to evidence of risk.
Security Risks
Domain
XA
Financial Risk
Financial Controls to prevent, identify, and respond to evidence of financial crime are also included in Risk Ledger's Supplier Assessment Framework. This includes checks for compliance with relevant Anti-Money Laundering (AML) regulations, applicable Anti-Bribery and Corruption (AB&C) legislation, fraud prevention and sanctions.
Financial Risk
Domain
XB
Environmental, Social and Governance
This add-on domain covers how your organisation manages and governs its environmental and social impact.
Environmental, Social and Governance
Domain
XC
UK Government Data and Personnel Security
This add-on domain is specific to suppliers working with the UK government. Please reach out to support@riskledger.com if you need help with this domain.
UK Government Data and Personnel Security
Domain A Question
1
01) Does your organisation conduct an annual independent information security review and act upon the findings?
Answer yes if your organisation engages a third party to conduct an annual information security review, the findings are assessed by your organisation and acted upon if necessary. If yes, add the date of your last review to the notes.
Domain A Question
2
02) Does your organisation have an appointed person responsible for information security, such as a CISO?
Answer yes if your organisation has an appointed role that is responsible for managing and implementing security controls throughout your business. Confirm the role and its responsibilities in the notes or upload a job role description as evidence.
Domain A Question
3
03) Does your organisation have a documented Cybersecurity Policy or Information Security Policy?
Answer yes if your organisation has a documented Cyber Security Policy or Information Security Policy that has been reviewed in the last year. Upload the Information Security Policy as evidence.
Domain A Question
4
04) Does your organisation have a formal policy on the use of mobile devices?
Answer yes if your organisation has a documented Mobile Device Policy that has been reviewed in the last year. Upload the Mobile Device Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
5
05) Does your organisation have a formal policy for remote working that includes security?
Answer yes if your organisation has a documented Remote Working Policy that has been reviewed in the last year. Provide the Remote Working Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
6
06) Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information?
Answer yes if your organisation has a documented Acceptable Use Policy that has been reviewed in the last year. Upload the Acceptable Use Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
7
07) Does your organisation have a documented Information Classification Policy?
Answer yes if your organisation has a documented Information Classification Policy that has been reviewed in the last year and that outlines the data handling procedures in operation within your organisation. Upload the Information Classification Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
8
08) Does your organisation have a documented Access Control Policy?
Answer yes if your organisation has a documented Access Control Policy that has been reviewed in the last year. Upload the Access Control Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
9
09) Does your organisation have a policy governing the use of cloud services?
Answer yes if your organisation has a documented policy on the use of cloud services, and if it has been reviewed in the last year. The policy should include information security requirements for the acquisition, use, management, and exit from cloud services. Upload the Cloud Services Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
10
10) Does your organisation have a Password Policy that is technically enforced throughout its IT estate?
Answer yes if your organisation has a documented Password Policy which is enforced technically throughout the IT estate. Upload the Password Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes. Also include information about any controls you have to prevent brute-force attacks on passwords, such as account lockout thresholds or time-delays between password attempts.
Domain A Question
11
11) Does your organisation have a documented Backup Policy?
Answer yes if your organisation has a documented Backup Policy that has been reviewed in the last year. Upload the Backup Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
12
12) Does your organisation enforce a Clear Desk and Screen Policy?
Answer yes if your organisation has implemented and enforces a Clear Desk and Screen Policy. Upload the Clear Desk and Screen Policy as evidence or reference a section of a previously uploaded Information Security Policy in the notes.
Domain A Question
13
13) Does your organisation prevent the use of removable media, and is this enforced technically?
Answer yes if your organisation blocks the use of removable media on your network and if this is enforced through the use of a technical control.
Domain A Question
14
14) If the use of removable media is not prohibited and enforced technically, is its use subject to other compensatory controls?
Answer yes if your organisation subjects the use of removable media to compensatory controls (these can include DLP solutions, encrypted USB drives, training and awareness etc.). If yes, state the nature of these controls within the notes.
Domain A Question
15
15) Are your organisation's information security policies accessible to all employees?
Answer yes if all of your employee's have continuous access to your organisation's up-to-date policies (for example, through an intranet, cloud service, or networked drive).
Domain A Question
16
16) Are your organisation's information security policies reviewed and approved by senior management at least annually?
Answer yes if all of your organisation's security policies are reviewed and approved by senior management.
Domain A Question
17
17) Has your organisation documented senior management roles and responsibilities for security within your organisation?
Answer yes if your organisation has clearly defined and documented the security roles and responsibilities of senior management. Upload the documented roles as evidence.
Domain A Question
18
18) Does your organisation include information security during the planning and delivery of projects?
Answer yes if you include information security in your planning and delivery of projects (for example, by conducting a security risk assessment of each project and implementing project controls).
Domain A Question
19
19) Does your organisation restrict employee access to business information based upon the principle of least privilege?
Answer yes if you only give each employee access to the business information that they require to complete their job role (this is known as the principle of least privilege).
Domain A Question
20
20) Does your organisation have an internal audit function that ensures information security requirements are being met by the business?
Answer yes if you have an internal team who audit your security function against your policies to ensure compliance. Provide information on the frequency of the audits in the notes.
Domain A Question
21
21) Does your organisation conduct security risk assessments for your full IT estate at least annually?
Answer yes if your organisation conducts regular (at least annual) security risk assessments against the whole IT estate and takes appropriate action. Following a risk assessment, identified risks should be tracked, with assigned owners and risk treatment plans.
Domain A Question
22
22) Does your organisation have a formal confidentiality or non disclosure agreement in place for all staff, contractors and third parties?
Answer yes if you require everyone who has access to confidential information to sign a confidentiality agreement or NDA. Upload a template NDA or confidentiality agreement as evidence.
Domain A Question
23
23) Does your organisation segregate duties to prevent unauthorised disclosure or access to information?
Answer yes if your organisation has identified and segregated relevant duties to help reduce errors and to prevent fraud. Give an example of such segregation in the notes.
Domain A Question
24
24) Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?
Answer yes if your organisation has identified and segregated relevant duties to help reduce errors and to prevent fraud. Give an example of such segregation in the notes.
Domain A Question
25
25) Does your organisation use threat intelligence to inform decisions about information security?
Answer yes if your organisation uses threat intelligence to make smarter decisions relating to information security strategy, policy, processes or operations. This could be collected, analysed and produced internally, or gathered from external sources such as information services or special interest groups. In the notes section, describe how you collect, analyse and use threat intelligence within your organisation, or upload a document as supporting evidence.
Domain B Question
5
05) Are you PCI DSS compliant?
Answer yes if your organisation is compliant with the PCI DSS security standard. If you have answered no, please state whether or not you process, store or transmit payment card data. If you have certified against the standard, please provide your certificate.
Domain B Question
7
7) Does your organisation have a defined process for managing and monitoring Third-Party Service Providers (TPSP) that provide services impacting your PCI DSS compliance?
Answer yes if you have a defined process for monitoring the PCI DSS compliance status of any relevant TPSPs. For applicable TPSPs, provide their AoC.
Domain B Question
8
8) Does your organisation have any other certifications or audit reports that cover information security (such as a SOC 2 report)?
Domain C Question
1
01) Does your organisation perform background checks on staff and contractors?
Answer yes if background checks are conducted against staff before they join your organisation. In the notes section, please outline the types of checks (e.g. employer reference, criminal records, BPSS, CTC, SC, DV) conducted for which roles or provide a supporting document (as a PDF file) as evidence.
Domain C Question
4
04) Is there a formal disciplinary process for employees who have breached company policy (including any breaches of company security policy)?
Answer yes if your organisation has a formal disciplinary process that is followed if an employee is found to have intentionally breached company policy. Please provide a document outlining the process (as a PDF file) as evidence (this may be covered by your organisation's Disciplinary Policy).
Domain D Question
16
16) Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems including servers, endpoints, network devices and systems hosted in a cloud environment?
Answer yes if your organisation has a configuration process that is followed for all IT assets. The process should define security settings and disable unneeded services, thereby reducing your attack surface. Describe how your secure configuration process is performed, including both automated and manual checks. Upload any relevant documentation as evidence.
Domain D Question
17
17) Do all systems (such as network devices) have their default credentials changed on installation or provision?
Answer yes if all of your organisation's IT systems (network devices and user accounts for services) have their default credentials changed on installation or provision.
Domain E Question
13
13) Is your organisation able to demonstrate the composition and provenance of software it develops (including third-party and open-source components)?
Domain E Question
14
14) Does your organisation continuously monitor all software components for vulnerabilities?
Domain F Question
33
33) Is your organisation currently registered with the UK National Cyber Security Centre’s (NCSC) Early Warning service?
Domain I Question
6
06) Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?
Answer yes if your organisation checks that suppliers are continually meeting their security requirements whilst you are in contract with them, through regular assurance process (e.g. quarterly, annually). Provide details of your current process. The Risk Ledger platform can make this easier for you - get in touch!
Domain K Question
13
13) Is client data and information (e.g. prompts) used to train AI models?
Answer yes if any client data is used to train your AI model, or external AI models used to provide supplier services. Describe which client data may be used to train AI models and how this is communicated to those clients.
Domain K Question
14
14) Does your organisation have a formal AI model change management process that gives consideration to information security and regulatory requirements and includes notification to relevant clients?"
Answer yes if your organisation has a formal change management process that includes a step to assess any security or legal compliance risks that the change may impact, requires a rollback plan, and includes processes for notifying relevant clients of the changes and any consequential processing differences. Change management can apply if either the AI model is updated, or the data applied to the model is changed (e.g. the model is applied to support new services processing different client data). Upload a copy of your AI change management process, or describe the process in the notes section.
Domain K Question
15
15) Does your organisation have processes in place to identify, triage and remediate the effects of AI model updates?"
Answer yes if your organisation evaluates the effects of changes of the underlying AI Model, whether that model is created and maintained by you or is adopted and applied from an external source (e.g. Amazon Bedrock AI as a Service). Change impacts can include changes in output accuracy or bias and the potential need to reprocess historic data for analysis consistency. Describe how you evaluate the effects of these changes or upload supporting documentation.
Domain L Question
7
07) What are your scope 1 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 1 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 1 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
Domain L Question
8
08) What are your scope 2 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 2 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 2 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
Domain L Question
9
09) What are your scope 3 emissions (tonnes of CO2 equivalent per year)?
Please enter the most recent measurement for your scope 3 emissions in tonnes of CO2 equivalent. Please state when this was last measured and provide further information on the scope and method of measurement, if applicable, in the notes section. If you do not measure scope 3 emissions, please enter zero as your numerical answer and state this clearly in the notes section.
Framework Domains

7) Does your organisation have a defined process for managing and monitoring Third-Party Service Providers (TPSP) that provide services impacting your PCI DSS compliance?

Answer yes if you have a defined process for monitoring the PCI DSS compliance status of any relevant TPSPs. For applicable TPSPs, provide their AoC.

Under PCI DSS Requirement 12.8, organisations must manage any third-party service providers (TPSPs) with whom cardholder data is shared or who could affect the security of that data. It is not enough for your organisation to be compliant; any third party you rely on that might access your Cardholder Data Environment (CDE), manage relevant systems on your behalf, or might otherwise impact the security of your CDE must have their PCI DSS compliance status monitored by you at least annually.

How to implement the control

First, create a comprehensive list of all TPSPs that interact with your cardholder data or manage systems within your environment. For each provider, you must:-Review the services provided: Determine exactly which of your PCI DSS requirements they influence.-Generate a Shared Responsibility Matrix: This document should clearly delineate which security roles are your responsibility and which are the TPSP's.-Collect Evidence: Obtain a current Attestation of Compliance (AOC) from each TPSP, or some other sufficient documentation if they have not undergone a PCI DSS assessment,  on an annual basis to verify their status.For detailed guidance and a template, refer to the Information Supplement: Third-Party Security Assurance from the PCI Security Standards Council’s website.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.

Bestill en demo
Support
Framework
Domains
B
7
© 2025 Risk Ledger Ltd
InformasjonskapslerPersonvernerklæringVilkår for brukSikkerhetsprofilVulnerability Disclosure Policy