Check off the controls your business has in place. See your gaps instantly. Covers baseline security, HIPAA, PCI DSS, and SOC 2 — pick the framework that applies to you.
Identity and Access
Controls that protect who can get in — the first line of defense against credential-based attacks.
Multi-factor authentication (MFA) enforced for all users Critical
All employees must use a second factor (authenticator app or hardware security key, not SMS) to sign in to email and business applications. Admin accounts should use a phishing-resistant method such as FIDO2 security keys or passkeys.
Unique accounts for each employee — no shared logins
Every person has their own credentials. Shared accounts make attribution impossible and access revocation ineffective.
Company-managed password manager deployed
1Password, Bitwarden Teams, or equivalent. Browser password saves are not sufficient for business use.
Offboarding process: accounts disabled on employee last day
Same-day account disabling, device retrieval, and access revocation when an employee leaves.
Privileged admin accounts separate from daily-use accounts
IT admins have a dedicated admin account used only for admin tasks — not for email, browsing, or regular work.
Endpoint Protection
Controls that protect the devices your employees use every day.
EDR (Endpoint Detection and Response) on all company devices Critical
CrowdStrike, SentinelOne, Microsoft Defender for Business, or equivalent. Basic antivirus is insufficient against modern attacks.
Full-disk encryption enabled on all laptops and desktops
BitLocker (Windows) or FileVault (macOS) enabled and verified through the MDM or RMM console, with recovery keys escrowed there rather than on the device. A stolen laptop without encryption is a data breach, not just a hardware loss.
Automated patch management — OS and software updated within 14 days
Managed patching via RMM tool (Datto, NinjaRMM, etc.) or Intune. Most ransomware exploits known vulnerabilities with available patches.
Mobile Device Management (MDM) for company and BYOD devices accessing business data
Intune, Jamf, or equivalent. Ability to remotely wipe a lost or stolen device is table stakes.
Data and Backups
If everything else fails, your backups are your last line of defense against ransomware and data loss.
Daily automated backups of all critical data to offsite/cloud storage Critical
Backups stored separately from your primary systems — not just on the same server or local drive.
Backup restore tested within the past 6 months — with documented results
A backup that has never been tested is a backup you cannot rely on. Test restores to verify actual recoverability.
Three copies of critical data: primary, local backup, and offsite/cloud
Primary data plus a local backup plus a cloud/offsite copy, with at least one copy offline or immutable. Ransomware specifically targets connected backup drives.
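A restore test that counts is one that extracts the backup into a clean location and checks every file against a manifest recorded when the backup was taken, then writes the outcome down with a date. The script below is an added example, not part of this checklist or any backup vendor's tooling. It assumes backups are tar.gz archives and builds its own tiny source tree and archives under a temporary directory (constructed sample data), so it runs offline; the second archive deliberately skips a file to show what a failed restore test looks like.

```python
"""Restore-test a backup and record the outcome.

Added example (not from the checklist). Assumes backups are tar.gz archives;
the source tree and archives are constructed here under a temp directory.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source: Path, archive: Path, skip_suffix: str = "") -> dict:
    """Archive source and return the manifest recorded at backup time.

    skip_suffix simulates a backup job that silently misses files (demo only);
    the manifest is always taken from the full source tree.
    """
    def keep(info):
        return None if skip_suffix and info.name.endswith(skip_suffix) else info

    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name, filter=keep)
    return sha256_tree(source)


def restore_test(archive: Path, manifest: dict, target: Path) -> dict:
    """Extract into a fresh directory and compare every file against the manifest."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12+, backported to older 3.x releases)
            # refuses members that would write outside target, e.g. a tampered archive.
            tar.extractall(target, filter="data")
        except TypeError:  # interpreter without the filter argument
            tar.extractall(target)
    restored = sha256_tree(target)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    unexpected = sorted(set(restored) - set(manifest))
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "archive": archive.name,
        "files_expected": len(manifest),
        "files_restored": len(restored),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
        "passed": not missing and not corrupted,
    }


def run_demo() -> tuple:
    """Constructed sample: one good backup and one that skipped a file.

    Writes a dated JSON record for each test and returns both results.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-02,120.00\n")
        (source / "clients.txt").write_text("Acme Dental\nNorthside Clinic\n")

        manifest = make_backup(source, base / "good.tar.gz")
        good = restore_test(base / "good.tar.gz", manifest, base / "restore_good")

        make_backup(source, base / "bad.tar.gz", skip_suffix="ledger.csv")
        bad = restore_test(base / "bad.tar.gz", manifest, base / "restore_bad")

        for label, result in (("good", good), ("bad", bad)):
            (base / f"restore-test-{label}.json").write_text(json.dumps(result, indent=2))
        return good, bad


if __name__ == "__main__":
    for result in run_demo():
        print(json.dumps(result, indent=2))
```

Keep the JSON records with the backup documentation: the timestamp, file counts and empty `missing`/`corrupted` lists are the evidence that the restore was actually exercised rather than assumed. In a real run, point `restore_test` at a fresh machine or VM rather than the production server, so the test cannot overwrite live data.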
Network and Email Security
Business-grade email filtering (not just built-in spam filter)
Microsoft Defender for Office 365, Proofpoint, Mimecast, or equivalent — blocks phishing and malicious attachments before delivery.
Business firewall (not consumer router) with active management
Fortinet, SonicWall, Cisco Meraki, or equivalent. Firmware kept current and the rule set reviewed at least annually by IT, with the management interface never exposed to the internet.
Guest WiFi network separated from internal business network
Visitors and personal devices on a separate SSID that cannot reach business systems or file shares.
Policies and Response
Written incident response plan — employees know who to call if something goes wrong
At minimum: a documented list of who to notify, what to do first, and who the IT escalation contact is.
Annual employee security awareness training
Including phishing recognition, password hygiene, and what to do when something looks suspicious.
All IT credentials documented and stored in a secure location accessible to the business owner
Firewall, domain registrar, Microsoft 365 admin, ISP account — everything the business needs to operate if the IT person is unavailable.
Who needs HIPAA compliance: Any business that creates, receives, maintains, or transmits Protected Health Information (PHI) — including healthcare providers, dental offices, mental health practices, medical billing companies, and their IT service providers.
Administrative Safeguards
Policies and procedures that govern how PHI is used and who can access it.
Designated HIPAA Security Officer HIPAA Required
A specific individual responsible for HIPAA security compliance — documented in writing.
Risk analysis completed and documented HIPAA Required
Formal written assessment of threats and vulnerabilities to PHI. Must be reviewed and updated periodically.
Business Associate Agreements (BAAs) signed with all IT and cloud vendors HIPAA Required
Any vendor who accesses, processes, or stores PHI must have a signed BAA — including your MSP, EHR vendor, and cloud storage provider.
HIPAA workforce training completed for all staff with PHI access
Annual training, documented and signed. Includes what PHI is, how to handle it, and breach reporting obligations.
Sanction policy for workforce members who violate HIPAA policies
Written policy with defined consequences for violations — must be enforced consistently.
Technical Safeguards
Technology controls that protect electronic PHI (ePHI) at rest and in transit.
ePHI encrypted at rest on all devices and servers HIPAA Required
All storage media containing ePHI must be encrypted. Unencrypted PHI on a lost device is a reportable breach.
ePHI encrypted in transit (TLS 1.2 or higher for all transmission)
No PHI transmitted over unencrypted channels. Email containing PHI must use secure messaging or encrypted email.
Automatic session timeout on systems that access ePHI
Systems must automatically log out inactive sessions to prevent unauthorized access to unattended workstations.
Audit logging enabled on all systems that access or store ePHI
Logs must record who accessed what ePHI and when. Logs retained for a minimum of 6 years.
Cloud services used for ePHI are HIPAA-eligible with signed BAAs
Consumer services (personal Gmail, Dropbox Basic, Microsoft 365 Personal or Family) are not HIPAA-eligible and offer no BAA. Use business or enterprise tiers (Google Workspace, Microsoft 365 business/enterprise plans, Dropbox Business, or equivalent) and sign the vendor's BAA before any ePHI is stored there.
Breach Response
Written breach notification procedure in place HIPAA Required
HIPAA requires notification to affected individuals without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must also be reported to HHS within that window (and to prominent media in the affected state); smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year. The procedure must be documented.
Breach log maintained (even for small incidents)
All incidents involving ePHI must be documented, even if they don't trigger notification requirements.
Who needs PCI DSS: Any business that accepts, processes, stores, or transmits credit or debit card data — including retail, e-commerce, restaurants, and service businesses that take card payments.
Network Security
Cardholder data environment (CDE) network segmented from other systems PCI Required
Systems that process card data must be isolated on a separate network segment from general business systems.
Firewall configured to restrict inbound and outbound CDE traffic
Only necessary traffic flows in or out of the cardholder data environment. Rules documented and reviewed quarterly.
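"Only necessary traffic" is testable: list the flows the business has documented as necessary, then check every allow rule that crosses the CDE boundary against that list. The script below is an added example, not part of this checklist or of any firewall vendor's tooling. The CDE range, the approved flows and the rule set are all assumptions constructed for illustration; in practice the rules would be exported from the firewall and the allowlist taken from the network diagram that PCI DSS already requires you to maintain.

```python
"""Flag firewall allow rules that cross the CDE boundary off the documented allowlist.

Added example (not from the checklist). Addresses, the CDE range, the approved
flows and the rule set are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

CDE = ip_network("10.20.0.0/24")  # assumed: POS and payment application segment

# Documented necessary flows as (peer network, destination port). Assumed values.
APPROVED_INBOUND = [(ip_network("10.10.50.0/28"), 443)]    # jump hosts -> CDE web console
APPROVED_OUTBOUND = [(ip_network("203.0.113.0/24"), 443)]  # CDE -> payment processor


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None means any port
    action: str           # "allow" or "deny"


def as_net(cidr: str):
    """Treat "any" as the whole IPv4 space so it overlaps everything."""
    return ip_network("0.0.0.0/0") if cidr == "any" else ip_network(cidr)


def approved(peer, port, allowlist) -> bool:
    """True only if the rule's peer network sits inside an approved network on the approved port."""
    return any(peer.subnet_of(net) and port == p for net, p in allowlist)


def review_cde_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per allow rule that crosses the CDE boundary off-allowlist.

    A source or destination that merely overlaps the CDE (e.g. 10.0.0.0/8) is
    treated as crossing the boundary, which is the conservative reading.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = as_net(r.src), as_net(r.dst)
        port = r.dport if r.dport is not None else "any"
        # Inbound: destination reaches the CDE, source is not wholly inside it.
        if dst.overlaps(CDE) and not src.subnet_of(CDE):
            if not approved(src, r.dport, APPROVED_INBOUND):
                findings.append(f"{r.name}: inbound to CDE from {r.src} port {port} is not an approved flow")
        # Outbound: source is in the CDE, destination is not wholly inside it.
        if src.overlaps(CDE) and not dst.subnet_of(CDE):
            if not approved(dst, r.dport, APPROVED_OUTBOUND):
                findings.append(f"{r.name}: outbound from CDE to {r.dst} port {port} is not an approved flow")
    return findings


# Constructed rule set, top to bottom as a firewall would evaluate it.
SAMPLE_RULES = [
    Rule("mgmt-to-pos-https", "10.10.50.0/28", "10.20.0.0/24", 443, "allow"),
    Rule("rdp-to-pos", "any", "10.20.0.0/24", 3389, "allow"),
    Rule("pos-to-processor", "10.20.0.0/24", "203.0.113.0/24", 443, "allow"),
    Rule("pos-outbound-any", "10.20.0.0/24", "any", None, "allow"),
    Rule("office-fileshare", "10.10.0.0/16", "10.30.0.0/24", 445, "allow"),
    Rule("default-deny", "any", "any", None, "deny"),
]

if __name__ == "__main__":
    for finding in review_cde_rules(SAMPLE_RULES):
        print(finding)
```

Two of the sample rules are flagged: RDP into the CDE from anywhere, and unrestricted outbound from the CDE (the path ransomware and card-skimming malware use to reach their operators). Running this against the exported rule set each quarter, and keeping the output with the review record, satisfies the "documented and reviewed quarterly" part of the control rather than just the intent.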
No vendor-supplied default passwords on any system components
All routers, switches, payment terminals, and servers must have default credentials changed before deployment.
Data Protection
Full card numbers (PANs) not stored after authorization, and sensitive authentication data never stored PCI Required
Sensitive authentication data (full magnetic stripe or chip data, CVV/CVC, PIN blocks) must never be kept after authorization; storing it is a critical violation. A small business should not store full PANs at all. If storage is genuinely required, the PAN must be rendered unreadable wherever it is kept (truncation, tokenization, or strong encryption with managed keys), and that includes logs, spreadsheets and email, not only the payment database.
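Before attesting that no PANs are stored, look for them: card numbers leak into order logs, support tickets and exports far more often than into the payment database. The scanner below is an added example, not part of this checklist or of the PCI SSC's material. The log it scans is constructed and uses publicly documented test card numbers, not real cardholder data. It pairs a 13 to 19 digit pattern with a Luhn check so that order IDs and timestamps are not reported, reports findings only in truncated form so that the scan output does not itself become cardholder data, and shows truncation as one way to render a PAN unreadable.

```python
"""Discover unprotected PANs in text and render them unreadable by truncation.

Added example (not from the checklist). The log below is constructed and uses
publicly documented test card numbers, not real cardholder data.
"""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: two live test PANs, one order ID that looks like a card
# number but fails Luhn, and one PAN that is already truncated.
SAMPLE_LOG = """\
2024-03-04 09:12:01 order=88213 card=4111111111111111 amount=42.10
2024-03-04 09:13:45 order=88214 card=5555 5555 5555 4444 amount=19.99
2024-03-04 09:14:02 order=1234567890123456 card=411111******1111 amount=7.50
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out order IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep first six and last four digits, within PCI DSS v4.0 truncation limits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits(match) -> str:
    return re.sub(r"[ -]", "", match.group())


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, truncated PAN) for each Luhn-valid candidate.

    Only the truncated form is reported so the scan output is not itself
    cardholder data.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            d = _digits(m)
            if luhn_valid(d):
                hits.append((lineno, truncate_pan(d)))
    return hits


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid PAN with its truncated form; leave other numbers alone."""
    def repl(m):
        d = _digits(m)
        return truncate_pan(d) if luhn_valid(d) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: unprotected PAN {masked}")
    print(mask_pans(SAMPLE_LOG))
```

Point `find_pans` at log directories, exports and mailbox dumps, not just the application database. Anything it reports is either data that should never have been written or a place that now needs the same protection as the payment system; `mask_pans` is for cleaning up the former, and every hit should also prompt a fix to whatever wrote the full number in the first place.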
Cardholder data encrypted in transit using TLS 1.2 or higher
All transmission of card data over open or public networks must use strong cryptography. SSL and TLS 1.0/1.1 have been disallowed since the June 2018 migration deadline, and PCI DSS v4.0 keeps that requirement: TLS 1.2 is the floor and TLS 1.3 is preferred.
Payment terminals are PCI-listed and inspected for tampering
Terminals on the PCI SSC Approved PTS Devices list; staff trained to spot card skimmers and physical tampering.
Access and Monitoring
Access to cardholder data limited to business need-to-know
Least privilege: employees only have access to the card data their job requires — documented and enforced.
Audit logs maintained for all access to cardholder data systems
Logs must capture who accessed what, when. Retained for at least 12 months (3 months immediately available).
Most small businesses qualify for a self-assessment questionnaire rather than an on-site audit: SAQ A (all card processing outsourced to a PCI-validated third party), SAQ B (standalone dial-out terminals), SAQ B-IP (standalone IP-connected terminals), or SAQ P2PE (a validated point-to-point encryption solution). Submit the completed SAQ and attestation of compliance to your acquiring bank.
Who needs SOC 2: SaaS companies, IT service providers, and any business that stores, processes, or transmits customer data on behalf of enterprise clients who require third-party audits. SOC 2 is not legally required, but increasingly demanded by enterprise procurement.
Security (Common Criteria — required for all SOC 2)
Formal written security policies in place and reviewed annually SOC 2 Required
Acceptable use, access control, incident response, change management, vendor management — must be documented, approved, and distributed.
Formal vendor risk management program SOC 2 Required
Third-party vendors assessed before onboarding and monitored regularly — especially those with access to customer data.
Logical access controls — provisioning/deprovisioning process documented
Formal process for granting and revoking access. New hire provisioning and offboarding tied to HR records.
Change management process — changes tracked, reviewed, and approved
All production system changes documented with approval chain. Emergency changes handled with post-hoc documentation.
Security monitoring and alerting on production systems
Centralized logging with alerting on anomalous events. SIEM or equivalent — not just logs that nobody reads.
Availability (if the Availability Trust Services Criteria are included in scope)
Business continuity and disaster recovery plan documented and tested
RTO and RPO defined per service. Plan tested at least annually with results documented.
Uptime monitoring and incident communication process
Real-time monitoring of system availability with defined escalation and customer communication procedures for outages.
Confidentiality and Privacy
Customer data classified and handled per documented data classification policy
Data types (confidential, internal, public) defined with handling requirements for each level.
Data retention and destruction procedures defined and followed
Clear policy on how long customer data is retained and how it is securely destroyed at end of retention period.
Get a compliance gap analysis from a vetted MSP
Tell us where you are and what framework applies — we'll connect you with a local provider who specializes in exactly this.