
Cybersecurity Checklist for Businesses

This checklist distills the controls that matter most for small and midsize businesses into a single, actionable reference. It is organized by security domain and maps each control to the compliance frameworks that require it. Use it as a gap assessment, an audit prep tool, or a quarterly review guide. Every item is a concrete action, not a vague aspiration.

By Nick Shevelyov

How to use this checklist

This checklist is organized into ten security domains. Each domain contains specific controls with implementation guidance and framework mappings. The domains are ordered by impact — addressing the first five domains eliminates the attack vectors responsible for the majority of breaches.

For each control, assess your current state:

  • Implemented — the control is in place, documented, and operating effectively
  • Partial — the control exists but is incomplete, inconsistent, or undocumented
  • Not implemented — the control is absent
  • Not applicable — the control does not apply to your environment

Track your status in a spreadsheet or GRC tool. Review quarterly. The goal is not a perfect score on day one — it is continuous, measurable improvement.

Identity and access control

Identity compromise is the initial attack vector in over 60% of breaches. These controls are the highest-leverage items on the checklist.

Multi-factor authentication (MFA)

  • MFA is enforced on all user accounts, not just administrators
  • MFA is enforced on all remote access (VPN, RDP, cloud consoles)
  • MFA is enforced on email accounts (the primary target for account takeover)
  • Phishing-resistant MFA (FIDO2/WebAuthn hardware keys) is deployed for privileged accounts
  • SMS-based MFA is deprecated or restricted to low-risk accounts

Password policy

  • Minimum password length is 14 characters or longer
  • Password complexity rules (uppercase, special characters) are replaced by length requirements per NIST 800-63B guidance
  • Known-compromised passwords are blocked (credential screening against breach databases)
  • Password reuse across systems is prevented by policy and technical controls
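The length-plus-blocklist approach above can be checked in code. The following Python is an added example, not code from the article or its author: it applies the checklist's 14-character minimum and screens candidates against a breach corpus using the k-anonymity pattern (only the first five hex characters of the SHA-1 hash would ever leave the host; the suffix match happens locally). The breach index is constructed inline from a handful of well-known weak strings, and MIN_LENGTH, check_password and is_breached are names chosen here, not from any product.

```python
import hashlib

MIN_LENGTH = 14  # the checklist's minimum; no composition rules, per NIST 800-63B


def _sha1_upper(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus, shaped the way a k-anonymity
# lookup service returns results: 5-hex-char SHA-1 prefix -> set of suffixes.
# Built here from well-known weak strings; this is not real breach data.
_KNOWN_BREACHED = ["password", "Password123!", "correcthorsebatterystaple", "Summer2024!!"]
BREACH_INDEX: dict[str, set[str]] = {}
for _pw in _KNOWN_BREACHED:
    _h = _sha1_upper(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str, index=BREACH_INDEX) -> bool:
    """k-anonymity check: look up by 5-char prefix, then match the 35-char suffix locally."""
    h = _sha1_upper(password)
    return h[5:] in index.get(h[:5], set())


def check_password(password: str, index=BREACH_INDEX) -> list[str]:
    """Return the list of policy failures; an empty list means the password is acceptable.

    Only two rules apply: minimum length and a compromised-password blocklist.
    Uppercase/special-character composition rules are deliberately absent.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password, index):
        failures.append("appears in breach corpus")
    return failures


if __name__ == "__main__":
    for candidate in ["pelican-granite-42-orbit", "correcthorsebatterystaple", "Password123!"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that a long passphrase still fails when it is in the corpus: length alone is not sufficient, which is why the checklist lists breach screening as a separate item.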

Access management

  • Access follows least privilege — users have only the permissions required for their role
  • Access reviews are conducted quarterly for all systems and at least monthly for privileged accounts
  • Offboarding procedures revoke all access within 24 hours of separation
  • Shared accounts are eliminated or, where unavoidable, individually attributable through session recording
  • Service accounts are inventoried, have owners assigned, and use non-interactive authentication

Privileged access management

  • Administrative accounts are separate from daily-use accounts
  • Privileged credentials are stored in an encrypted vault, not in spreadsheets or documents
  • Just-in-time access is implemented for high-risk systems (privileges are granted temporarily and automatically revoked)
  • Privileged session activity is logged and auditable

See the full guide on identity and access management.

Endpoint security

Every laptop, workstation, server, and mobile device is a potential entry point. Endpoint controls reduce the blast radius of compromise.

Endpoint protection

  • EDR (Endpoint Detection and Response) is deployed on all endpoints — workstations, laptops, and servers
  • EDR is configured for automated containment (isolating compromised endpoints from the network)
  • Personal devices accessing corporate data meet minimum security requirements (encryption, screen lock, current OS)
  • USB and removable media access is restricted by policy and enforced by technical controls

Patch management

  • Critical and high-severity patches are deployed within 14 days of release (7 days for actively exploited vulnerabilities)
  • A patch management process covers operating systems, applications, firmware, and third-party libraries
  • Patch compliance is tracked and reported as a cybersecurity KPI
  • Exception management process exists for systems that cannot be patched immediately (documented risk acceptance, compensating controls)

Device encryption

  • Full-disk encryption is enabled on all laptops and workstations (BitLocker, FileVault)
  • Encryption keys are managed centrally and recoverable by IT in the event of hardware failure
  • Mobile devices accessing corporate data enforce encryption at rest

Asset inventory

  • A complete, current inventory of all hardware assets exists (servers, workstations, laptops, network devices, mobile devices, IoT)
  • A complete inventory of all software applications exists, including versions and license status
  • Shadow IT discovery is conducted periodically to identify unauthorized devices and applications on the network
  • Assets are classified by criticality and assigned owners

Network security

Network controls prevent lateral movement and contain breaches to isolated segments.

Firewall and perimeter

  • Next-generation firewalls are deployed at all network boundaries with default-deny egress rules
  • Firewall rules are reviewed quarterly and unused rules are removed
  • Remote access requires VPN or zero-trust network access (ZTNA) with MFA
  • DNS filtering blocks known malicious domains

Network segmentation

  • Critical systems (databases, domain controllers, payment processing) are on isolated network segments
  • Guest and IoT networks are separated from corporate and production networks
  • Segmentation rules are enforced by network controls, not just VLANs (which can be bypassed)
  • East-west traffic (internal-to-internal) is monitored, not just north-south (external-to-internal)

Wireless security

  • Corporate Wi-Fi uses WPA3 or WPA2-Enterprise with certificate-based authentication
  • Guest Wi-Fi is isolated from the corporate network with bandwidth controls
  • Rogue access point detection is enabled

See zero trust architecture for the network model that eliminates implicit trust.

Data protection

Data is the ultimate target of most attacks. These controls protect data throughout its lifecycle.

Data classification

  • A data classification policy exists with defined levels (Public, Internal, Confidential, Restricted)
  • All data repositories are classified and labeled
  • Classification drives control requirements — restricted data requires encryption, access logging, and retention controls

Encryption

  • Data at rest is encrypted in all databases, file stores, and backups (AES-256 or equivalent)
  • Data in transit is encrypted using TLS 1.2 or higher for all internal and external communications
  • Encryption keys are managed through a dedicated key management system, rotated on schedule, and access-controlled

Backup and recovery

  • Backups follow the 3-2-1 rule: three copies, two media types, one offsite or immutable cloud copy
  • Backup restoration is tested quarterly — a backup that has never been restored is not a backup
  • Backup integrity monitoring detects corruption or unauthorized modification
  • Recovery time objective (RTO) and recovery point objective (RPO) are defined for all critical systems
  • At least one backup copy is immutable (cannot be deleted or modified by ransomware)

Data loss prevention

  • DLP controls monitor and prevent unauthorized transmission of sensitive data via email, web upload, and removable media
  • Cloud DLP is configured for SaaS applications (email, file sharing, collaboration tools)

See data protection strategy and data security compliance for comprehensive guidance.

Cloud security

Cloud environments introduce shared responsibility. These controls cover the customer’s side of that model.

Cloud configuration

  • Cloud security posture management (CSPM) is deployed to detect misconfigurations continuously
  • Default credentials and configurations are changed before any cloud resource is production-deployed
  • Public access to cloud storage (S3 buckets, Azure Blob containers, GCS buckets) is blocked by default and exceptions are documented and approved
  • Infrastructure as Code (IaC) templates are scanned for security misconfigurations before deployment
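To make the "public access blocked by default, exceptions documented and approved" and "IaC templates are scanned before deployment" items concrete, here is an added Python example that is not part of the article: a minimal pre-deployment scan over a CloudFormation template held as a dictionary. It flags any AWS::S3::Bucket whose PublicAccessBlockConfiguration does not set all four block flags to true, or that uses a public canned ACL, and it separates approved exceptions (passed in by logical resource ID) from findings that should fail the pipeline. The template, the bucket names and the scan_template function are constructed for this example.

```python
# Constructed CloudFormation template (dict form) with one compliant and one
# non-compliant bucket plus an unrelated resource; not from any real deployment.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                },
            },
        },
        "AssetsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "PublicRead",
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": False,
                },
            },
        },
        "WebServer": {"Type": "AWS::EC2::Instance", "Properties": {}},
    }
}

# All four flags must be true for a bucket to be considered blocked by default.
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite"}


def scan_template(template: dict, approved_exceptions=frozenset()):
    """Return (blocking, accepted): each is a list of (logical_id, message) tuples.

    Findings on a resource whose logical ID is in approved_exceptions are reported
    as accepted (documented risk) instead of failing the deployment.
    """
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        pab = props.get("PublicAccessBlockConfiguration") or {}
        # Missing keys count as not blocked, so a bucket with no configuration at all is flagged.
        missing = [k for k in PAB_KEYS if pab.get(k) is not True]
        if missing:
            findings.append((logical_id, "public access block incomplete: " + ", ".join(missing) + " not true"))
        acl = props.get("AccessControl")
        if acl in PUBLIC_ACLS:
            findings.append((logical_id, f"canned ACL {acl} grants public access"))
    blocking = [f for f in findings if f[0] not in approved_exceptions]
    accepted = [f for f in findings if f[0] in approved_exceptions]
    return blocking, accepted


if __name__ == "__main__":
    blocking, accepted = scan_template(SAMPLE_TEMPLATE)
    for logical_id, msg in blocking:
        print(f"FAIL {logical_id}: {msg}")
    print("deployment allowed" if not blocking else "deployment blocked")
```

In a pipeline the blocking list drives the exit status, while the accepted list is written to the build log so the approved exception stays visible at every deployment rather than only in a risk register.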

Cloud identity

  • Cloud IAM follows least privilege with role-based access control (RBAC)
  • Root/owner accounts have MFA enabled and are used only for break-glass scenarios
  • Cloud API keys and access tokens are rotated on schedule and never committed to source code

Cloud monitoring

  • Cloud audit logs (CloudTrail, Azure Activity Log, GCP Audit Logs) are enabled, centralized, and retained for at least 12 months
  • Alerts are configured for high-risk events: root account usage, security group changes, IAM policy modifications, resource creation in unexpected regions
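The four high-risk events listed above translate directly into detection rules. The Python below is an added example, not from the article: it evaluates a batch of constructed CloudTrail-style records (trimmed to the fields the rules need) against four rules, root-account usage, security group changes, IAM policy modifications, and resource creation outside an approved-region list, and returns one alert per match. The account ID, user names, APPROVED_REGIONS and the event-name sets are assumptions made for the example; the event names themselves are the standard CloudTrail names for those API calls.

```python
# Constructed CloudTrail-style events; not captured from a real account.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T08:10:00Z", "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T08:15:00Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"}},
    {"eventTime": "2024-05-01T08:20:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
]

APPROVED_REGIONS = {"us-east-1", "us-west-2"}  # assumption: the organisation's approved regions
SG_CHANGE_PREFIXES = ("AuthorizeSecurityGroup", "RevokeSecurityGroup",
                      "CreateSecurityGroup", "DeleteSecurityGroup")
IAM_POLICY_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                     "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                     "CreatePolicy", "CreatePolicyVersion",
                     "DeleteUserPolicy", "DeleteRolePolicy"}
CREATE_EVENTS = {"RunInstances", "CreateBucket", "CreateDBInstance"}


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event matches (an event can match several)."""
    matched = []
    ident = event.get("userIdentity", {})
    name = event.get("eventName", "")
    if ident.get("type") == "Root":
        matched.append("root-account-usage")
    if name.startswith(SG_CHANGE_PREFIXES):
        matched.append("security-group-change")
    if name in IAM_POLICY_EVENTS:
        matched.append("iam-policy-modification")
    if name in CREATE_EVENTS and event.get("awsRegion") not in APPROVED_REGIONS:
        matched.append("resource-created-in-unapproved-region")
    return matched


def run_rules(events) -> list[dict]:
    """Evaluate each event and emit one alert record per rule match."""
    alerts = []
    for ev in events:
        for rule in evaluate(ev):
            alerts.append({
                "rule": rule,
                "time": ev.get("eventTime"),
                "event": ev.get("eventName"),
                "actor": ev.get("userIdentity", {}).get("arn"),
                "region": ev.get("awsRegion"),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['rule']:<40} {alert['event']} by {alert['actor']} in {alert['region']}")
```

The read-only DescribeInstances call produces no alert, which is the point of tuning: the rules fire on state-changing or privileged actions, not on routine API traffic that would bury the SOC in noise.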

See cloud security risk assessment, cloud security architecture, best CSPM tools, and cloud workload protection.

Email security

Email is the delivery mechanism for the majority of initial compromise attempts.

Email authentication

  • SPF, DKIM, and DMARC records are configured with DMARC policy set to reject (p=reject)
  • DMARC aggregate reports are monitored to detect unauthorized use of the domain
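Both items above can be verified from the domain's published TXT records. The Python below is an added example, not from the article: it parses an SPF record and a DMARC record and reports the gaps a reviewer looks for, a DMARC policy weaker than p=reject, a missing rua= address (without which no aggregate reports arrive), a pct below 100, and an SPF record that ends in softfail (~all) rather than hard fail (-all). The domains and records in SAMPLE_RECORDS are constructed for the example rather than fetched from DNS; in practice the same functions would be fed the output of a TXT lookup.

```python
# Constructed DNS TXT records for two hypothetical domains; not real lookups.
SAMPLE_RECORDS = {
    "example.test": "v=spf1 include:_spf.mailprovider.example -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; pct=100",
    "weak.test": "v=spf1 include:_spf.mailprovider.example ~all",
    "_dmarc.weak.test": "v=DMARC1; p=none",
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain: str, records=SAMPLE_RECORDS) -> list[str]:
    """Return a list of findings; an empty list means SPF and DMARC meet the checklist."""
    findings = []

    # SPF: record must exist and its final mechanism should be the hard-fail -all.
    spf = records.get(domain)
    if spf is None or not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record")
    else:
        mechanisms = spf.split()[1:]
        last = mechanisms[-1] if mechanisms else ""
        if last != "-all":
            findings.append(f"SPF does not end with -all (found '{last}')")

    # DMARC: published at _dmarc.<domain>; policy must be reject and reports must be routed somewhere.
    dmarc_txt = records.get(f"_dmarc.{domain}")
    if dmarc_txt is None:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc_txt)
        if tags.get("v") != "DMARC1":
            findings.append("DMARC record missing v=DMARC1")
        if tags.get("p") != "reject":
            findings.append(f"DMARC policy is p={tags.get('p', 'missing')}, not reject")
        if "rua" not in tags:
            findings.append("no rua= address, aggregate reports will not be received")
        pct = tags.get("pct", "100")  # DMARC default when the tag is absent
        if pct != "100":
            findings.append(f"DMARC pct={pct}, policy not applied to all mail")

    return findings


if __name__ == "__main__":
    for d in ("example.test", "weak.test"):
        print(d, "->", assess_domain(d) or "ok")
```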

Email filtering

  • Advanced email security (beyond basic spam filtering) scans inbound email for phishing, malware, and business email compromise (BEC) indicators
  • URL rewriting and time-of-click scanning are enabled to catch delayed-detonation phishing links
  • Attachment sandboxing detonates suspicious files in an isolated environment before delivery
  • External email banners are displayed on messages originating from outside the organization

Vulnerability management

Finding and fixing vulnerabilities before attackers exploit them is the operational core of a security program.

Scanning and assessment

  • Automated vulnerability scanning runs at least monthly against all internal and external-facing systems
  • Web application vulnerability scanning covers all public-facing applications
  • Scan results are triaged by risk (CVSS score, exploitability, asset criticality, business context)
  • Vulnerability trends are tracked as cybersecurity KPIs

Remediation

  • Critical vulnerabilities with known exploits are remediated within 7 days
  • High-severity vulnerabilities are remediated within 30 days
  • Vulnerabilities that cannot be remediated within SLA have documented risk acceptance with compensating controls
  • Remediation is verified by re-scanning after patch deployment

Penetration testing

  • External penetration testing is conducted at least annually by a qualified third party
  • Internal penetration testing or red team exercises are conducted annually
  • Penetration test findings are tracked through remediation to closure

See vulnerability management lifecycle and risk-based vulnerability management.

Incident response

When a breach occurs, the speed and effectiveness of response determines the difference between a contained incident and a catastrophic failure.

Planning

  • A written incident response plan exists, is reviewed annually, and is approved by executive leadership
  • The plan defines roles, responsibilities, escalation procedures, and communication protocols
  • Contact lists are current: internal response team, legal counsel, forensics provider, insurance carrier, law enforcement liaison, PR/communications
  • Evidence preservation procedures are documented (chain of custody, forensic imaging)

Testing

  • Tabletop exercises are conducted at least annually with executive participation
  • Technical incident response drills test detection, containment, and recovery procedures
  • Lessons learned from exercises and real incidents are incorporated into plan updates

Detection and monitoring

  • Security monitoring operates continuously (24/7 via internal SOC or managed detection and response provider)
  • Log sources are centralized in a SIEM with correlation rules tuned to the threat landscape
  • Alert triage procedures ensure high-fidelity alerts are investigated within defined SLAs

See security incident management and incident response plan template.

Third-party and supply chain risk

Your security is only as strong as your weakest vendor. Third-party risk management controls extend your security boundary.

Vendor assessment

  • All vendors with access to sensitive data or critical systems complete a security assessment before onboarding
  • Vendor security assessments are repeated annually or upon material changes
  • Vendor contracts include security requirements, breach notification obligations, and right-to-audit clauses
  • A vendor inventory exists with risk tiers (critical, high, medium, low) based on data access and system connectivity

Supply chain controls

  • Software supply chain security includes software composition analysis (SCA) to identify vulnerable dependencies
  • Third-party integrations are reviewed for API security, authentication mechanisms, and data handling
  • Vendor access to production systems is time-limited, logged, and monitored

See third-party vendor risk assessment and supply chain security.

Compliance and governance

Compliance provides the audit trail. Governance ensures the security program is aligned with business objectives and accountable to leadership.

Policy framework

  • An information security policy is published, reviewed annually, and acknowledged by all employees
  • Supporting policies cover acceptable use, data classification, access control, incident response, and remote work
  • Policies are enforced — violations have defined consequences

Risk management

  • Formal risk assessments are conducted annually and after material changes
  • A risk register is maintained with identified risks, owners, treatment plans, and acceptance decisions
  • Risk appetite is defined by executive leadership and communicated to the security team
  • Cyber risk quantification translates risk into financial terms for board reporting

Audit readiness

  • Evidence of control operation is collected continuously, not assembled before audit season
  • Control exceptions are documented with risk acceptance and compensating controls
  • Cybersecurity audit findings are tracked through remediation

Security awareness training

  • All employees complete security awareness training at onboarding and annually thereafter
  • Phishing simulation exercises are conducted at least quarterly with results tracked per department
  • Role-specific training is provided for developers (secure coding), administrators (hardening), and executives (BEC awareness)
  • Training completion rates and phishing simulation results are reported as cybersecurity KPIs

See cybersecurity governance, GRC overview, and cybersecurity maturity assessment.

Framework mapping

Each domain in this checklist maps to controls in the major compliance frameworks. Use this mapping to identify which checklist items satisfy your compliance requirements.

Domain              | NIST CSF 2.0   | SOC 2 (TSC)   | ISO 27001   | HIPAA             | PCI-DSS
--------------------|----------------|---------------|-------------|-------------------|----------
Identity & Access   | PR.AA          | CC6.1-6.3     | A.9         | 164.312(d)        | Req 7-8
Endpoint Security   | PR.PS          | CC6.6-6.8     | A.12        | 164.310           | Req 5-6
Network Security    | PR.PS, PR.IR   | CC6.6         | A.13        | 164.312(e)        | Req 1
Data Protection     | PR.DS          | CC6.1, C1.1   | A.10, A.18  | 164.312(a)(e)     | Req 3-4
Cloud Security      | PR.PS          | CC6.1, CC7    | A.13, A.15  | 164.312           | Req 2, 6
Email Security      | PR.AT, DE.CM   | CC6.8         | A.12        | 164.308(a)(5)     | Req 5
Vulnerability Mgmt  | ID.RA, PR.PS   | CC7.1         | A.12        | 164.308(a)(8)     | Req 6, 11
Incident Response   | RS, RC         | CC7.3-7.5     | A.16        | 164.308(a)(6)     | Req 12
Third-Party Risk    | GV.SC          | CC9.2         | A.15        | 164.308(b)        | Req 12
Governance          | GV             | CC1-CC3       | A.5-A.7     | 164.308(a)(1-2)   | Req 12

Questions & answers

What should a basic cybersecurity checklist include?

A basic cybersecurity checklist should cover access control (MFA, least privilege, password policy), endpoint protection (EDR, patching, encryption), network security (firewall, segmentation, DNS filtering), data protection (classification, encryption, backup), incident response (plan, contact list, tabletop exercises), and security awareness training. These controls address the attack vectors responsible for the majority of breaches and are required by most compliance frameworks.

How often should a cybersecurity checklist be reviewed?

Review the full checklist quarterly as part of your security program governance cycle. Specific controls require more frequent attention: patch management should be reviewed weekly, access reviews should be conducted at least quarterly, vulnerability scans should run monthly, and incident response plans should be tested annually at minimum. Material changes -- new systems, acquisitions, regulatory requirements, or significant incidents -- should trigger an immediate review of affected checklist items.

What cybersecurity checklist items are required for SOC 2?

SOC 2 requires controls across all five Trust Services Criteria, but the Security criterion is mandatory for every engagement. Required items include risk assessment, access control with MFA, change management, incident response, vulnerability management, encryption, logging and monitoring, vendor management, and security awareness training. The specific controls are evaluated against the Common Criteria (CC) requirements. See the SOC 2 compliance checklist for the full mapping.

Is there a difference between a cybersecurity checklist and a security assessment?

A checklist is a structured list of controls with binary yes/no status -- each item is either implemented or not. An assessment evaluates how well controls are implemented, identifies gaps, and produces a prioritized remediation roadmap. The checklist tells you what to check; the assessment tells you how well each check performs and where to invest next. Organizations typically use checklists for ongoing monitoring and assessments for periodic deep evaluations. See cybersecurity assessment for the full assessment process.

What cybersecurity checklist items are most often missed by small businesses?

The most commonly missed items are: asset inventory (you cannot protect what you do not know exists), access reviews (permissions accumulate over time and are rarely pruned), backup testing (backups exist but have never been restored), incident response planning (no documented plan or contact list), vendor risk management (third-party access is granted without security evaluation), and logging and monitoring (logs are generated but never reviewed). These gaps are precisely where attackers look first.
