Are You Audit-Ready?
IT Security Self-Assessment Quiz for Small Businesses
Complete all 15 questions, tally your score, and discover your biggest security gaps — in under 10 minutes.
How it works: Check the answer that best describes your organization today — not where you plan to be. Be honest. The goal is a true picture, not a perfect score. Add up your points at the end using the Score Tally below.
Section A — Governance & Policy
Q1. Does your organization have a written Information Security Policy?
| | Answer | Pts |
|---|---|---|
| [ ] | No written policy exists. | 0 |
| [ ] | We have something informal or outdated (2+ years old). | 2 |
| [ ] | Yes — documented, reviewed in the last 12 months, and communicated to staff. | 4 |
Q2. Have you conducted a formal cybersecurity risk assessment in the past 12 months?
| | Answer | Pts |
|---|---|---|
| [ ] | No — we've never done one. | 0 |
| [ ] | Not recently, or it was informal / undocumented. | 2 |
| [ ] | Yes — documented assessment with identified risks and a remediation plan. | 4 |
Q3. Do you have cyber liability insurance that covers data breaches and ransomware?
| | Answer | Pts |
|---|---|---|
| [ ] | No. | 0 |
| [ ] | Unsure — it may be bundled in our general business policy. | 1 |
| [ ] | Yes — standalone cyber insurance with known coverage limits. | 4 |
Section B — Access & Authentication
Q4. Is multi-factor authentication (MFA) required for email, remote access, and key systems?
| | Answer | Pts |
|---|---|---|
| [ ] | MFA is not used anywhere. | 0 |
| [ ] | MFA is used in some places but not consistently enforced. | 2 |
| [ ] | MFA is required for all email, cloud, and remote access — no exceptions. | 4 |
Q5. When an employee leaves, how quickly is their access revoked?
| | Answer | Pts |
|---|---|---|
| [ ] | We don't have a formal process — it happens when someone remembers. | 0 |
| [ ] | Within a week or so — it's informal but usually gets done. | 2 |
| [ ] | Same-day — integrated with HR offboarding, verified and documented. | 4 |
Q6. Are administrator / privileged accounts separate from regular user accounts?
| | Answer | Pts |
|---|---|---|
| [ ] | No — admins use the same account for everything. | 0 |
| [ ] | Somewhat — it's inconsistent across systems. | 1 |
| [ ] | Yes — dedicated admin accounts used only for admin tasks, logged separately. | 4 |
Section C — Data Protection
Q7. Are your business and client data backups tested regularly?
| | Answer | Pts |
|---|---|---|
| [ ] | We have backups but have never tested restoring from them. | 0 |
| [ ] | Backups exist and we've tested them once or twice. | 2 |
| [ ] | Backups are automated, encrypted, off-site, and tested on a set schedule. | 4 |
Q8. Do you know where all your sensitive data (client PII, financial records, health data) lives?
| | Answer | Pts |
|---|---|---|
| [ ] | No — it's scattered across emails, drives, and systems. | 0 |
| [ ] | Somewhat — we have a general idea but no formal inventory. | 2 |
| [ ] | Yes — documented data inventory with classification and access controls. | 4 |
Q9. Are company laptops and mobile devices encrypted?
| | Answer | Pts |
|---|---|---|
| [ ] | No — no encryption on endpoints. | 0 |
| [ ] | Some are, but we're not sure about all of them. | 2 |
| [ ] | Yes — full disk encryption enforced on all company devices with verification. | 4 |
Section D — Incident Response & Monitoring
Q10. Do you have a documented Incident Response Plan?
| | Answer | Pts |
|---|---|---|
| [ ] | No — we would figure it out if something happened. | 0 |
| [ ] | Informally — key contacts and rough steps are known but not written down. | 1 |
| [ ] | Yes — documented IRP with roles, escalation paths, and tested in the last year. | 4 |
Q11. Do you conduct phishing simulations or security awareness training?
| | Answer | Pts |
|---|---|---|
| [ ] | No training or simulations. | 0 |
| [ ] | One-time or annual training only — no simulations. | 2 |
| [ ] | Ongoing training + phishing simulations with tracked click rates and follow-up. | 4 |
Q12. Are system and network logs monitored for unusual activity?
| | Answer | Pts |
|---|---|---|
| [ ] | No monitoring in place. | 0 |
| [ ] | Basic logging exists but nobody actively reviews it. | 1 |
| [ ] | Active monitoring via SIEM, MDR service, or regular log reviews with alert thresholds. | 4 |
Section E — Vendor & Third-Party Risk
Q13. Do you assess the security practices of vendors who access your data or systems?
| | Answer | Pts |
|---|---|---|
| [ ] | No — we accept vendors' terms without security review. | 0 |
| [ ] | Informally — for major vendors we ask some questions. | 2 |
| [ ] | Formally — documented vendor risk assessments with security requirements in contracts. | 4 |
Q14. Do your vendor contracts include data security and breach notification requirements?
| | Answer | Pts |
|---|---|---|
| [ ] | No — standard vendor contracts with no security clauses. | 0 |
| [ ] | Some contracts include basic terms, but it's inconsistent. | 2 |
| [ ] | Yes — all vendors with data access have signed BAAs, DPAs, or security addenda. | 4 |
Q15. Do you maintain an inventory of all the software and cloud services your business uses?
| | Answer | Pts |
|---|---|---|
| [ ] | No — we don't track this. | 0 |
| [ ] | Roughly — we have a general idea but no formal list. | 2 |
| [ ] | Yes — documented inventory of all software, SaaS tools, and cloud services used. | 4 |
Score Tally
Add up your points per section (Qs 1–3 = Section A, Qs 4–6 = B, Qs 7–9 = C, Qs 10–12 = D, Qs 13–15 = E). Max = 12 pts per section, 60 total.
| Section | Topic | Your Score | Max |
|---|---|---|---|
| Section A | Governance & Policy | _____ / | 12 |
| Section B | Access & Authentication | _____ / | 12 |
| Section C | Data Protection | _____ / | 12 |
| Section D | Incident Response & Monitoring | _____ / | 12 |
| Section E | Vendor & Third-Party Risk | _____ / | 12 |
| TOTAL | | _____ / | 60 |
What Your Score Means
| Score | Risk Level | What It Means |
|---|---|---|
| 0–19 | CRITICAL RISK | Significant gaps across multiple risk areas. Your business is highly vulnerable to cyber incidents, compliance violations, and operational disruptions. Immediate action required. |
| 20–34 | HIGH RISK | Several important controls are missing or informal. You have some foundations, but material gaps could expose you to data breaches, regulatory fines, or business disruption. |
| 35–44 | MODERATE RISK | Core controls are in place but inconsistently applied or undocumented. With targeted improvements you can significantly reduce your risk exposure and build client confidence. |
| 45–54 | DEVELOPING | Good foundations with some mature practices. You are ahead of most small businesses. Focus on formalizing and measuring what you have. |
| 55–60 | STRONG POSTURE | You have well-developed security and compliance practices. Continue investing in monitoring, testing, and staying current with evolving threats and regulations. |
Ready to Close Your Gaps?
IronRoot Risk Consultants helps small businesses identify, prioritize, and remediate security and compliance gaps — without the enterprise price tag.
Get a free 30-minute consultation:
chris@ironrootrisk.com | ironrootrisk.com