Hack & See
IT & Cybersecurity Maturity Assessment

A confidential assessment aligned with NIST CSF, CIS Controls, ISO 27001/NIS2-style governance, and MITRE ATT&CK-inspired detection logic.

Please do not include passwords, secrets, IP addresses, architecture diagrams, or confidential technical details.

Governance

1. Your organization has a clearly assigned owner for IT and cybersecurity risks.

Reference: NIST CSF Govern / ISO 27001 / NIS2

2. Cybersecurity risks are reviewed with management at least quarterly.

Reference: NIST CSF Govern / ISO 27001

3. You maintain basic security policies or procedures for users, administrators, and service providers.

Reference: NIS2 / ISO 27001

4. Third-party providers with IT access are reviewed before and during the relationship.

Reference: NIS2 / ISO 27001 supplier risk

Asset & Risk Visibility

5. You maintain an inventory of critical systems, servers, cloud services, endpoints, and business applications.

Reference: NIST CSF Identify / CIS Control 1

6. You know which systems are exposed to the Internet and regularly review public exposure.

Reference: NIST CSF Identify / CIS Control 2

7. Critical business data is identified and classified by sensitivity or business impact.

Reference: NIST CSF Identify

8. Vulnerabilities and missing patches are tracked and prioritized.

Reference: NIST CSF Identify / CIS Control 7

Access Protection

9. Multi-factor authentication is enforced for administrators and remote access.

Reference: NIST CSF Protect / CIS Control 5-6

10. User access rights are reviewed regularly and removed when no longer needed.

Reference: NIST CSF Protect / CIS Control 6

11. Administrator accounts are separated from normal user accounts.

Reference: Zero Trust / CIS Control 6

12. Networks, servers, or applications are segmented to limit lateral movement.

Reference: NIST CSF Protect / CIS Control 12

13. Sensitive data is protected with encryption, access control, and secure sharing practices.

Reference: NIST CSF Protect / CIS Control 3

Detection & Monitoring

14. Security logs are centralized for important systems such as servers, firewalls, VPNs, cloud services, or applications.

Reference: NIST CSF Detect / CIS Control 8

15. You can detect suspicious authentication activity such as brute force, impossible travel, or unusual admin access.

Reference: MITRE ATT&CK-inspired detection / NIST Detect

16. Important configuration changes are monitored, for example firewall rules, admin rights, or critical application settings.

Reference: NIST Detect / CIS Control 8

17. Your team can detect malware activity, suspicious file uploads, endpoint alerts, or abnormal data movement.

Reference: MITRE ATT&CK-inspired detection

Incident Response

18. There is a documented incident response procedure with roles and escalation contacts.

Reference: NIST CSF Respond / ISO 27001

19. Security alerts are triaged and assigned to someone for follow-up.

Reference: NIST CSF Respond

20. The organization can preserve evidence and document actions during an incident.

Reference: NIST CSF Respond / NIS2

21. Incident response exercises or tabletop simulations are performed at least annually.

Reference: NIST CSF Respond

Resilience & Recovery

22. Critical systems and data are backed up regularly.

Reference: NIST CSF Recover / CIS Control 11

23. Backups are tested through restoration exercises.

Reference: NIST CSF Recover / CIS Control 11

24. Some backups are protected from ransomware, for example offline, immutable, or access-restricted backups.

Reference: Ransomware resilience / NIST Recover

25. There is a basic recovery plan for a major outage, a ransomware incident, or the loss of a critical IT service.

Reference: NIST Recover / Business continuity
