Instructions: For each item, mark compliant or not. Use the comments column for notes or remediation actions.
1. Governance & Policies
Cybersecurity policy exists and is up to date [ ]
Data protection/privacy policy is implemented [ ]
Incident response plan is documented and tested [ ]
Employee cyber awareness training is conducted regularly [ ]
Vendor/third-party risk assessments are in place [ ]
2. Identity & Access Management
Strong password policies enforced (length, complexity, expiry) [ ]
Multi-factor authentication (MFA) enabled on all accounts [ ]
Access rights reviewed periodically [ ]
Role-based access control implemented [ ]
Accounts of former employees are promptly deactivated [ ]
3. Network & Infrastructure Security
Firewalls configured and regularly monitored [ ]
Wi-Fi network secured (WPA3 recommended) [ ]
Network segmentation applied where appropriate [ ]
VPN used for remote access [ ]
Intrusion detection/prevention systems in place [ ]
4. Endpoint & Device Security
Anti-virus/anti-malware installed and updated [ ]
Device encryption enabled (laptops, mobiles) [ ]
Patch management process implemented and up to date [ ]
Mobile device management (MDM) in place [ ]
Endpoint backup and recovery procedures tested [ ]
5. Data Security & Backup
Critical data regularly backed up [ ]
Backups tested for restoration [ ]
Sensitive data classified and protected [ ]
Data retention and deletion policies followed [ ]
Cloud storage providers assessed for security [ ]
6. Monitoring & Incident Response
Security logs collected and monitored [ ]
Suspicious activity triggers alerts [ ]
Incident response plan includes communication protocol [ ]
Lessons from incidents documented and acted on [ ]
Regular cyber risk assessments performed [ ]