Your carrier is going to ask about these 20 security controls. Walk through the list, see what you have in place, and find out where the gaps are before renewal day arrives.
MFA is the #1 control carriers ask about. Required for email, VPN, remote access, and admin portals.
Admin accounts need MFA separately enforced. Carriers specifically ask about privileged access protection.
Minimum length, complexity requirements, and lockout thresholds configured and enforced via policy.
Admin credentials vaulted, access logged, and privileges granted on a least-privilege basis. No shared admin passwords.
Traditional antivirus is no longer sufficient. Carriers expect EDR with behavioral detection on every endpoint.
Unpatched systems are the #1 ransomware entry point. Carriers ask about patch management cadence.
Browsers, Java, Adobe, and other applications patched regularly. Often overlooked but frequently exploited.
BitLocker (Windows) or FileVault (Mac) enabled on all laptops and workstations. Required for data-at-rest protection.
Backups stored separately from the production environment. Ransomware-resistant (immutable or air-gapped).
Untested backups are not backups. Carriers ask whether you've performed a test restore recently.
Microsoft's native retention is not a backup. Mailbox, OneDrive, and SharePoint should be backed up independently.
24x7 monitoring of security events with alerting and response. Increasingly required by carriers.
Internal and external scans on a recurring schedule. Results reviewed and critical findings remediated.
Blocks access to known malicious domains, phishing sites, and command-and-control infrastructure.
Written plan with roles, contact info, escalation procedures, and communication templates. Carriers ask for this specifically.
Annual training covering phishing, social engineering, and security best practices. Phishing simulations preferred.
Advanced anti-phishing, anti-spoofing (DMARC/DKIM/SPF), and attachment sandboxing beyond native M365 filtering.
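The anti-spoofing items above are the ones a carrier can verify from the outside, because SPF and DMARC are published as public DNS TXT records. The following is an added example, not part of the checklist page, showing how to read those records and flag the settings that count as gaps (a permissive or missing `all` mechanism in SPF, a monitor-only `p=none` or partial `pct` in DMARC). The record strings are constructed samples for a hypothetical example.com; in practice you would obtain them with a TXT lookup of the domain and of `_dmarc.<domain>`.

```python
"""Offline SPF/DMARC record checker (added example, not the page's own tooling).
The record strings are constructed samples; fetch real ones with a DNS TXT
lookup of <domain> (SPF) and _dmarc.<domain> (DMARC)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    control: str   # "SPF" or "DMARC"
    severity: str  # "high", "medium" or "low"
    message: str


# Constructed samples: a weak pair a carrier would flag, and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx +all"
HARDENED_SPF = "v=spf1 include:_spf.example.net mx -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208 caps the total at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism_name(term: str) -> str:
    """'+include:x', 'a/24', 'redirect=x' -> 'include', 'a', 'redirect'."""
    name = term.lower().lstrip("+-~?")
    for sep in (":", "=", "/"):
        name = name.split(sep)[0]
    return name


def check_spf(record: Optional[str]) -> List[Finding]:
    """Flag SPF settings that let unlisted hosts send as the domain."""
    if not record:
        return [Finding("SPF", "high", "no SPF record published")]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "record does not start with v=spf1")]
    findings: List[Finding] = []
    all_terms = [t for t in terms[1:] if _mechanism_name(t) == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "medium",
                                "no 'all' mechanism; unlisted senders are treated as neutral"))
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(Finding("SPF", "high",
                                    f"'{last}' allows any sender; use -all or ~all"))
    lookups = sum(1 for t in terms[1:] if _mechanism_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(Finding("SPF", "medium",
                                f"{lookups} DNS lookups exceeds the limit of 10; receivers return permerror"))
    return findings


def check_dmarc(record: Optional[str]) -> List[Finding]:
    """Flag a DMARC record that only monitors instead of enforcing."""
    if not record:
        return [Finding("DMARC", "high", "no DMARC record published")]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return [Finding("DMARC", "high", "record does not start with v=DMARC1")]
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("DMARC", "high",
                                "p=none only monitors; move to p=quarantine or p=reject"))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding("DMARC", "high", "missing or invalid p= tag"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(Finding("DMARC", "medium",
                                f"pct={pct} applies the policy to only part of the mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "low",
                                "no rua= address; aggregate reports are not being collected"))
    return findings


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> List[Finding]:
    """Combine both checks into the list you would answer the questionnaire from."""
    return check_spf(spf_record) + check_dmarc(dmarc_record)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        findings = assess(spf, dmarc)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.control}: {f.message}")
```

The weak pair produces four findings (the `+all`, the `p=none`, the partial `pct`, and the missing `rua` address); the hardened pair produces none. DKIM is deliberately not checked here, since its selector names are not discoverable from DNS without knowing them in advance.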
A formal security assessment or audit by an independent party. Increasingly required for coverage.
Documented policies covering acceptable use, access control, data handling, and incident response.
This checklist covers the questions your carrier will ask. But checking a box isn't the same as knowing for certain. A full security baseline digs into hundreds of individual controls across your workstations, servers, and cloud environment, giving you an honest picture of your posture, detailed findings, and a clear plan for what to fix first.
This checklist covers the basics. A full security baseline goes deeper, scanning your environment against hundreds of controls so you know exactly where you stand, what to fix first, and how to prove it when it matters.