Manual Attestations
Attest compliance for controls that require human verification. Attestations are saved automatically.
Organizational communication and data flows are mapped
The organization has identified and documented the types of information it processes, stores, and transmits, including sensitive data categories.

Resources are prioritized based on classification and business value
Assets (devices, software, data) are classified and prioritized based on their criticality to business operations.

Organizational cybersecurity policy is established and communicated
A cybersecurity policy exists that defines roles, responsibilities, and expected behavior. The policy is communicated to all employees and reviewed regularly.

Legal and regulatory requirements regarding cybersecurity are understood and managed
The organization identifies and manages its legal, regulatory, and contractual cybersecurity obligations (NIS2, GDPR, sector-specific regulations).

Governance and risk management processes address cybersecurity risks
A risk management strategy is developed and implemented that considers cybersecurity risks alongside other business risks.

Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
The organization uses identified threats and vulnerabilities, along with likelihood and impact analysis, to determine and prioritize cybersecurity risks.

Physical access to assets is managed and protected
Physical access to IT equipment, server rooms, and network infrastructure is controlled through locks, badges, or other mechanisms.

Remote access is managed
Wireless access points are configured securely with strong encryption (WPA3/WPA2-Enterprise), hidden SSIDs where appropriate, and separate guest networks.

Network segmentation is implemented where appropriate
The network is segmented to isolate critical systems, guest access, and different trust levels. Lateral movement between segments is restricted.

Assets are formally managed throughout removal, transfers, and disposition
Procedures exist for securely disposing of hardware, media, and data. Data is wiped from devices before disposal or reassignment.

Cybersecurity is included in human resources practices
Background checks are performed for personnel with access to critical systems. Security responsibilities are included in employment agreements. Offboarding includes timely revocation of access.

Response plan is executed during or after an incident
An incident response plan exists and is activated when a cybersecurity incident is detected. The plan defines roles, communication procedures, and escalation paths.

Information is shared consistent with response plans
During incidents, relevant information is shared with employees, stakeholders, and external parties (CERT.be, authorities) as defined in the response plan.

Response plans incorporate lessons learned
After each incident (or at minimum annually), the organization reviews its response effectiveness and updates plans, procedures, and controls based on lessons learned.

Recovery plan is executed during or after a cybersecurity incident
A recovery plan exists that defines how to restore systems and data after a cybersecurity incident. The plan includes priorities, procedures, and communication requirements.