IT Infrastructure & Networking
Hardware & Systems
Servers & Data Centers
Does your business rely on on-premise servers, cloud hosting, or a hybrid mix?




Have you calculated the 5-year total cost of ownership (TCO) for on-premise servers vs. cloud?




Is your server hardware under warranty/support or at risk of end-of-life failure?




Do you have a disaster recovery plan for server failures (e.g., backup servers/cloud failover)?




Are backups automated and tested quarterly for reliable recovery?




How many hours of downtime per year would significantly impact revenue?




Do you have redundant power/cooling for critical servers?




Are your servers physically secure from theft/unauthorized access?




Have you evaluated colocation as an alternative to on-premise servers?




Is your IT team trained to maintain servers, or do you rely on external support?




Storage Solutions
Are critical files stored on risky devices (USB drives, personal laptops)?




Do you use enterprise-grade cloud storage (OneDrive/Google Drive/Dropbox Business)?




Is sensitive data (customer info, financials) encrypted at rest?




Are access controls in place to restrict file access by role/department?




Do you audit storage costs monthly to eliminate waste (e.g., unused cloud space)?




Are file retention policies enforced (e.g., auto-deleting old temp files)?




Have you mapped where regulated data (PCI, HIPAA) is stored?




Do employees accidentally store work files in personal cloud accounts?




Is version history enabled to recover from accidental deletions/corruption?




Are backups stored offline/offsite to protect against ransomware?




Virtualization & Efficiency
Are you using virtual machines (VMs) to reduce hardware costs?




Could server consolidation through virtualization cut costs by 30-50%?




Do employees waste >5 hours/week on manual tasks that could be automated?




Are software licenses optimized (e.g., shared vs. per-user licenses)?




Have you explored low-cost alternatives (LibreOffice vs. Microsoft 365)?




Do you track software usage to eliminate unused subscriptions?




Are energy-efficient hardware upgrades overdue (e.g., replacing old workstations)?




Is remote desktop/VPN available to reduce office hardware needs?




Have you assessed thin clients/Chromebooks for certain roles?




Does your IT roadmap include automation tools (e.g., RPA, scripts)?




Networking
Reliability & Security
Does your office Wi-Fi have frequent dropouts that disrupt work?




Is your internet bandwidth sufficient for simultaneous video calls and cloud apps?




Do you have a backup internet connection (e.g., 4G/5G hotspot) for outages?




Are guest Wi-Fi and internal networks fully isolated for security?




Have all default passwords on routers/firewalls been changed?




Is your network equipment (routers, switches) older than 5 years?




Are firmware updates for networking devices applied regularly?




Do you monitor for unauthorized devices connecting to your network?




Have you implemented enterprise-grade Wi-Fi (e.g., mesh networks for large offices)?




Are critical network services (DNS, DHCP) redundant to prevent single points of failure?




Do you experience bottlenecks during peak usage hours?




Are IoT devices (smart TVs, printers) on a separate network segment?




Have you tested network performance with all employees working remotely?




Is two-factor authentication required for accessing network admin controls?




Do you have visibility into bandwidth usage by department/application?




Remote Work & VPNs
Do all remote employees use a company-managed VPN for secure access?




Are personal devices allowed to connect to internal systems (BYOD policy)?




Have you tested the performance of business apps (e.g., ERP, CRM) over VPN?




Do employees print sensitive documents at home on unsecured printers?




Are video conferences (Zoom/Teams) consistently stable for all participants?




Is there a policy for securing home Wi-Fi networks used for work?




Can employees access all necessary tools remotely without performance issues?




Are remote access privileges revoked immediately when employees leave?




Do you use zero-trust network access (ZTNA) for additional security?




Have you simulated a complete office shutdown to test remote readiness?




Are VPN connections logged and monitored for suspicious activity?




Is there a clear policy about using public Wi-Fi for business purposes?




Do you provide secure alternatives to emailing sensitive files (e.g., encrypted portals)?




Are remote workers' devices required to have endpoint protection?




Have you benchmarked remote work performance against office productivity?




Costs & Scalability
Are you paying for more bandwidth than you actually use?




Would SD-WAN reduce your network costs compared to MPLS?




Are your phone systems (VoIP) integrated with other business tools?




Have you compared all-in-one platforms (e.g., Microsoft Teams) versus standalone tools?




Can your current network support 20-50% more users/devices without upgrades?




Have you negotiated with ISPs for better rates in the last 12 months?




Are you using network monitoring tools to identify cost-saving opportunities?




Would moving more services to the cloud reduce your networking costs?




Have you evaluated the ROI of upgrading to Wi-Fi 6/6E?




Is your network architecture designed for easy expansion (new locations, mergers)?




Cloud Computing
Adoption & Migration
What percentage of your critical business applications are cloud-based?




Have you identified which workloads are unsuitable for cloud migration?




Do employees receive regular training on cloud tools (e.g., Microsoft 365, Google Workspace)?




Are there legacy systems preventing full cloud adoption?




Have you tested how your business would operate during a cloud provider outage?




Do you have a documented cloud migration strategy?




Are departmental leaders involved in cloud adoption decisions?




Have you assessed the network bandwidth requirements for cloud migration?




Do you have a rollback plan if cloud migration fails?




Are your cloud vendors financially stable with good uptime track records?




Have you identified mission-critical applications that should remain on-premise?




Do you measure employee productivity changes after cloud transitions?




Are your cloud service level agreements (SLAs) aligned with business needs?




Have you evaluated the impact of cloud latency on customer-facing applications?




Do you have a phased migration plan to minimize disruption?




Security & Compliance
Is multi-factor authentication (MFA) enforced for all cloud accounts?




Are privileged cloud accounts protected with extra security measures?




Do you regularly audit who has access to sensitive cloud data?




Are third-party cloud apps reviewed for security risks before adoption?




Is sensitive business data ever stored in employees' personal cloud accounts?




Are you confident your cloud data meets all industry compliance requirements?




Do you encrypt sensitive data before uploading to the cloud?




Are cloud backups tested for recoverability?




Do you have visibility into where your cloud data is physically stored?




Are former employees' cloud access privileges promptly revoked?




Do you monitor for unauthorized sharing of cloud-stored files?




Are your cloud security settings configured by experts (not default settings)?




Do you conduct regular penetration tests on cloud environments?




Are cloud audit logs retained for an appropriate compliance period?




Have you established data ownership rights with your cloud providers?




Cost Optimization
Are you using reserved instances or savings plans where appropriate?




Do you have automated policies to shut down unused cloud resources?




Have you compared pricing across major cloud providers in the last year?




Are cloud storage lifecycle policies in place to archive or delete old data?




Do you receive and review detailed cloud cost allocation reports?




Are there departments or projects with unexpectedly high cloud costs?




Have you implemented cloud cost alerts for budget thresholds?




Are you taking advantage of all available cloud cost optimization tools?




Do you calculate ROI for cloud services versus on-premise alternatives?




Are cloud licensing costs optimized (e.g., pooled licenses where possible)?




Have you identified and eliminated orphaned cloud resources?




Do you use cloud cost forecasting to predict future expenses?




Are storage costs analyzed and optimized regularly?




Have you evaluated serverless options to reduce costs?




Do you negotiate contracts with cloud providers for better pricing?




Are you using the most cost-effective data transfer and CDN options?




Have you right-sized all cloud compute instances?




Do you leverage spot instances for non-critical workloads?




Are cloud expenses allocated correctly to departments/cost centers?




Do you have a cloud FinOps (Financial Operations) practice in place?




Business Continuity
Data Recovery & Backups
Is there a written backup policy approved by leadership?




Are RTO (Recovery Time Objective) and RPO (Recovery Point Objective) defined for all critical systems?




Is the 3-2-1 rule followed (3 copies, 2 media types, 1 offsite)?




Are backups automated (not manual)?




Are backup schedules aligned with business hours/peaks?




Is there a legal hold process for backups under litigation?




Are backup retention periods compliant with regulations?




Are test restores mandated in SLAs with backup vendors?




Is backup encryption enabled (at rest and in transit)?




Are backup logs retained for auditing?




Are BYOD devices included in backup policies?




Is versioning enabled to recover from corruption/ransomware?




Are cloud-native apps (e.g., SaaS) covered by backups?




Are physical backups (tapes, drives) stored in fireproof safes?




Is there a backup disposal policy for end-of-life data?




Are backups air-gapped (physically/network-isolated)?




Are immutable backups (unalterable for a set period) enabled?




Are backups stored in geographically dispersed locations?




Is multi-cloud redundancy used (e.g., AWS + Azure)?




Are on-premise and cloud backups combined for hybrid resilience?




Are backup media rotated to avoid degradation (e.g., tapes)?




Is WORM (Write Once, Read Many) storage used for compliance?




Are backup locations resistant to natural disasters (floods, earthquakes)?




Is data integrity verified via checksums/hashing?




Are backup costs optimized (e.g., cold storage for archives)?




Can you fully restore operations within RTO after ransomware?




Is there a priority list for restoring systems (e.g., CRM before HR)?




Can you recover individual files/emails without full-system restoration?




Are recovery scripts/playbooks documented (step-by-step)?




Have you tested cross-platform recovery (e.g., cloud-to-on-prem)?




Is bare-metal recovery possible for complete server failures?




Are recovery credentials (admin passwords, keys) securely stored?




Is DNS/failover routing tested for cloud recovery scenarios?




Are third-party dependencies (APIs, SaaS) accounted for in recovery?




Can you recover deleted/corrupted databases to a specific timestamp?




Is recovery performance (e.g., data transfer speeds) benchmarked?




Are alternate recovery sites (hot/warm/cold) identified?




Is staff trained to execute recovery under stress?




Are recovery SLAs enforced with vendors?




Is post-recovery validation (data consistency, functionality) mandatory?




Are backups protected from insider threats (access controls, logging)?




Is ransomware detection applied to backup repositories?




Are backup systems patched regularly?




Is MFA required for backup admin access?




Are backup networks segmented from production?




Are penetration tests performed on backup systems?




Is backup data masked/anonymized for privacy?




Are zero-day exploits monitored for backup software (e.g., Veeam, Rubrik)?




Is there a breach response plan for compromised backups?




Are backups excluded from automated deletion policies?




Incident Response Planning
Is there a written, organization-wide incident response plan (IRP)?




Is the IRP approved by executive leadership and legally reviewed?




When was the IRP last updated (recommended: annually or after major incidents)?




Is the IRP version-controlled with change logs?




Are regulatory requirements (e.g., GDPR, HIPAA) reflected in the IRP?




Is the plan accessible offline (e.g., printed copies, secure USB drives)?




Are third-party vendors included in the IRP (e.g., cloud providers, MSPs)?




Does the IRP cover all incident types (cyberattacks, natural disasters, insider threats)?




Are specific team members assigned to crisis management roles (e.g., CISO, IT lead, PR)?




Are backup personnel designated for critical roles?




Is there a clear chain of command for declaring incidents/disasters?




Are external stakeholders (legal, law enforcement, insurers) identified in the IRP?




Are department-specific playbooks (e.g., HR for insider threats, finance for fraud) included?




Are contractors/remote employees accounted for in response protocols?




Has the IRP been tested via tabletop exercises in the last 6 months?




Were gaps identified during testing addressed promptly?




Are employees trained annually on incident reporting procedures?




Have you simulated ransomware, DDoS, or data breach scenarios?




Is there a post-mortem process to document lessons learned?




Are executives included in drills to test decision-making under pressure?




Are pre-drafted templates ready for customer/employee/regulator notifications?




Is there a secure, alternative communication channel (e.g., encrypted chat) if email fails?




Are media/PR spokespeople pre-identified and trained?




Is whistleblower reporting (e.g., anonymous hotline) available for insider threats?




Are supply chain partners notified if their systems impact your incident?




Are critical systems prioritized for recovery (e.g., RTO/RPO defined)?




Is there a pre-approved emergency budget for incident containment/recovery?




Are emergency contact lists (vendors, team members) updated quarterly?




Are forensic tools/licenses (e.g., malware analysis) pre-provisioned?




Is evidence preservation (e.g., logs, chain of custody) documented for legal needs?




Knowledge & Access Security
Are all critical passwords stored in a secure password manager (e.g., Bitwarden, 1Password)?




Is multi-factor authentication (MFA) enforced for all privileged accounts?




Are passwords rotated periodically (e.g., every 90 days for admins)?




Are shared accounts avoided (or tightly controlled with auditing)?




Is there a break-glass procedure for emergency access?




Are SSH keys, API tokens, and certificates centrally managed?




Are default passwords changed on all systems/devices?




Is passwordless authentication (e.g., FIDO2) implemented where possible?




Are password policies aligned with NIST guidelines (e.g., no forced resets)?




Are session timeouts configured for inactive access?




Are failed login attempts locked after a threshold?




Is biometric authentication used for high-security systems?




Are privileged access credentials reviewed quarterly?




Are password managers audited for unauthorized access?




Is role-based access control (RBAC) enforced for credential retrieval?




Is there documentation for all critical systems (e.g., network diagrams, admin guides)?




Are emergency recovery procedures stored in an offline, secure location?




Are third-party vendor contacts (e.g., cloud support, MSPs) documented and accessible?




Is there a succession plan for IT leadership (e.g., shared access to key systems)?




Are system dependencies mapped (e.g., which apps rely on Active Directory)?




Are data flow diagrams maintained for compliance (e.g., GDPR, HIPAA)?




Is disaster recovery documentation tested annually?




Are IT staff cross-trained to prevent single points of failure?




Are backup administrators separate from primary sysadmins?




Is knowledge transfer mandated before employee departures?




Are automated backups of critical configurations (e.g., firewall rules) in place?




Are system ownership and stewardship roles clearly assigned?




Is documentation version-controlled (e.g., in a wiki with change logs)?




Are external auditors given limited, time-bound access to documentation?




Is there a centralized IT knowledge base (e.g., Confluence, Notion)?




Are privileged access workstations (PAWs) used for sensitive tasks?




Is just-in-time (JIT) access implemented for temporary admin rights?




Are single points of failure (e.g., one person with domain admin rights) identified?




Is automated deprovisioning enabled when employees leave?




Are service accounts monitored for misuse?




Is zero-trust architecture (e.g., least-privilege access) enforced?




Are physical access logs (e.g., server rooms) reviewed monthly?




Are third-party vendor accesses time-limited and audited?




Is AI-driven anomaly detection used for suspicious access patterns?




Are emergency access protocols tested annually (e.g., CEO override)?




Are employees trained annually on access security policies?




Is phishing-resistant MFA (e.g., YubiKeys) required for admins?




Are security drills (e.g., "regain access after IT manager departure") conducted?




Is separation of duties enforced (e.g., developers ≠ deployers)?




Are audit logs for access changes retained for 1+ year?




Is compliance with frameworks (e.g., ISO 27001, SOC 2) validated?




Are BYOD devices required to meet security standards?




Is AI/ML monitoring used to detect credential misuse?




Are contractors/subcontractors held to the same access policies?




Is blockchain-based identity verification being piloted?




Operational Resilience
Have you tested remote work capabilities during a simulated office outage?




Can your team operate without email for 24+ hours using alternate tools?




Are critical systems accessible via VPN/zero-trust networks?




Do employees have secured home workstations (firewalls, encrypted devices)?




Is BYOD (Bring Your Own Device) securely managed with MDM solutions?




Are collaboration tools (Teams, Slack) resilient to single-point failures?




Have you identified minimum bandwidth requirements for remote work?




Are backup internet connections (e.g., 4G/5G hotspots) provisioned?




Is cloud storage synced locally for offline access to critical files?




Are disaster recovery drills conducted biannually with remote teams?




Can customer-facing operations continue during an IT outage?




Are key personnel geographically distributed to mitigate regional disruptions?




Is remote access performance monitored and optimized?




Do you have a documented work-from-home (WFH) resilience policy?




Are legal/contractual risks of remote work (e.g., data sovereignty) addressed?




Do you have alternative communication channels (SMS, WhatsApp, Signal)?




Are emergency contact lists updated and accessible offline?




Is a mass notification system (e.g., Everbridge, PagerDuty) in place?




Can you broadcast status updates via social media or a public dashboard?




Are radio/satellite phones available for critical staff during outages?




Have you tested communication tools during internet blackouts?




Are communication escalation paths defined for crises?




Is multi-language support available for global teams?




Are communication logs archived for post-incident review?




Do you rotate primary/secondary communication tools to ensure readiness?




Have you identified manual workarounds for critical digital processes?




Are paper-based fallbacks (e.g., order forms, ledgers) available?




Can payroll, invoicing, and approvals function without IT systems?




Are emergency procurement procedures documented for hardware/software?




Is cross-training mandated for business-critical roles?




Have you mapped dependencies on third-party vendors for manual processes?




Are process checklists stored offline for emergency use?




Can customer service operate via phone/SMS if digital channels fail?




Are backup payment methods (cash, checks) accepted during POS outages?




Is supply chain visibility maintained without digital tracking?




Have you tested manual inventory management during system failures?




Are legal/regulatory compliance processes executable offline?




Do you maintain offline copies of contracts and compliance docs?




Are manual data entry/reconciliation procedures documented?




Is there a post-outage catch-up process to sync manual/digital records?




Have you identified single points of failure in IT/OT infrastructure?




Are backup generators/fuel supplies tested quarterly?




Is there a secondary worksite or coworking space agreement?




Are supply chain risks (e.g., sole-source vendors) mitigated?




Do you stockpile critical spare parts/hardware?




Are cloud providers' resilience claims audited (e.g., multi-region failover)?




Is transportation/logistics redundancy planned for deliveries?




Are employees trained to operate in low-tech environments?




Have you simulated a prolonged power/internet outage (72+ hours)?




Are resilience KPIs (e.g., MTTR, outage frequency) tracked and improved?




Cybersecurity & Data Protection
Malware & Phishing Protection
Have all employees completed anti-phishing training in the last 6 months?




Is security awareness training mandatory for new hires within 30 days?




Are simulated phishing tests conducted quarterly with varying difficulty levels?




Do you measure phishing click-through rates by department/role?




Are high-risk employees (finance, executives) given advanced training?




Is there a reward/recognition program for reporting phishing attempts?




Are training materials updated to reflect current threat trends (e.g., QR code scams)?




Do you conduct in-person security workshops for targeted teams?




Is gamification (e.g., quizzes, challenges) used to reinforce training?




Are contractors/temporary staff required to complete security training?




Are all email attachments scanned for malware before delivery?




Is URL rewriting used to inspect links in real time?




Are sender impersonation protections (DMARC, DKIM, SPF) enforced?




Is there a one-click "Report Phishing" button in email clients?




Are external email warnings (e.g., "This originated outside the organization") enabled?




Is graymail (bulk/newsletters) filtered to reduce phishing camouflage?




Are executive accounts monitored for impersonation attempts?




Is AI-based anomaly detection (e.g., unusual send patterns) in use?




Are BEC (Business Email Compromise) scenarios included in training?




Is email encryption used for sensitive communications?




Is enterprise-grade EDR/XDR (e.g., CrowdStrike, SentinelOne) deployed?




Are all devices (including BYOD) required to have endpoint protection?




Is behavioral analysis (e.g., ransomware detection) enabled?




Are USB/external storage devices blocked or encrypted?




Is application allowlisting (whitelisting) implemented?




Are endpoint firewalls configured to block malicious traffic?




Is device control (e.g., disabling Bluetooth/Wi-Fi) enforced for sensitive roles?




Are endpoint logs centralized for threat hunting?




Is vulnerability scanning performed weekly on endpoints?




Are unmanaged devices quarantined from the network?




Are OS and applications patched within 14 days of critical updates?




Is there a prioritized patch schedule based on exploitability?




Are zero-day vulnerabilities addressed within 48 hours?




Is automated patch deployment used for remote/work-from-home devices?




Are legacy systems (Windows 7, Server 2008) isolated or upgraded?




Are third-party software updates (e.g., Adobe, Zoom) tracked?




Is firmware patching (BIOS, network devices) included?




Are compensating controls used when patching isn't immediate?




Are patch failures investigated and remediated?




Is patch compliance reported to leadership monthly?




Are Office macros disabled by default (with exceptions via policy)?




Is web filtering used to block malicious/adult/risky sites?




Are login attempts from unusual locations/times flagged?




Is MFA enforced for all cloud/remote access?




Are privileged accounts monitored for unusual activity?




Is password manager usage mandated to prevent credential reuse?




Is RDP/VPN access restricted to specific IPs/devices?




Is session recording enabled for critical systems?




Are DNS filtering services (e.g., Cisco Umbrella) deployed?




Is AI-driven user behavior analytics (UBA) in use?




Ransomware Preparedness
Are backups air-gapped (physically/logically isolated from production)?




Are immutable backups (unalterable for a set period) enabled?




Can you restore critical systems within 24 hours of an attack?




Are backups tested quarterly for integrity and speed?




Are backup credentials separate from domain admin accounts?




Is backup monitoring in place to detect encryption attempts?




Are backups stored geographically (offsite/cloud)?




Is versioning enabled to recover pre-ransomware files?




Are backup systems patched as aggressively as production?




Are backup networks segmented (VLANs/firewalls)?




Can you recover individual files without full-system restoration?




Are backup logs audited for unauthorized access?




Is WORM (Write Once, Read Many) storage used for backups?




Are backup admins required to use MFA?




Are backup scripts/configs themselves backed up?




Is ransomware detection applied to backup repositories?




Are legal/compliance requirements for backup retention met?




Have you tested restoring to dissimilar hardware?




Are backup success rates monitored daily?




Is there a documented backup recovery playbook?




Are administrative accounts restricted with least privilege?




Is MFA required for all privileged accounts?




Is RDP secured (VPN-only, restricted IPs) or disabled if unused?




Are service accounts monitored for unusual activity?




Is just-in-time (JIT) access implemented for elevated privileges?




Are default passwords changed on all systems/devices?




Is privileged access management (PAM) software in use?




Are session recordings enabled for critical system access?




Are privileged workstations (PAWs) used for admin tasks?




Is role-based access control (RBAC) fully implemented?




Are inactive accounts automatically disabled after 30-90 days?




Are shared accounts prohibited (or tightly controlled)?




Is access reviewed quarterly for all privileged accounts?




Are break-glass accounts configured for emergencies?




Is credential stuffing protection (e.g., login attempt limits) enabled?




Are local admin rights restricted on endpoints?




Is privilege escalation monitored for anomalies?




Are third-party vendor accesses time-limited and audited?




Is zero-trust network access (ZTNA) implemented?




Are AI-driven access anomaly alerts configured?




Is behavioral-based ransomware detection enabled?




Are network file shares configured with least privilege access?




Is executable blocking enabled in high-risk locations (e.g., temp folders)?




Are email attachments with macros automatically blocked?




Is application allowlisting (whitelisting) implemented?




Are endpoint detection and response (EDR) tools deployed?




Is network traffic baselined for anomalies?




Are canary files (honeypots) placed to detect encryption attempts?




Is LSA protection enabled to prevent credential theft?




Are PowerShell constraints (logging, execution policies) enforced?




Is SMBv1 disabled across the network?




Are LLMNR/NBT-NS (protocols vulnerable to poisoning) disabled?




Is AMSI (Antimalware Scan Interface) enabled for script scanning?




Are unnecessary Windows services (e.g., WMI) disabled?




Is registry modification monitoring enabled?




Are scheduled tasks monitored for malicious creation?




Is DNS filtering (blocking malicious domains) implemented?




Are SIEM alerts configured for ransomware patterns?




Is threat intelligence integration (e.g., STIX/TAXII feeds) in place?




Are vulnerability scans run weekly to find attack vectors?




Do you have a documented ransomware response playbook?




Is there a clearly defined incident response team?




Are legal/PR contacts identified in the playbook?




Have you identified emergency funds for potential ransom decisions?




Are law enforcement contacts (e.g., FBI, CISA) documented?




Is there a public communication plan for customer notifications?




Are insurance policy details (cyber coverage) readily available?




Have you practiced tabletop ransomware scenarios?




Are forensic investigation procedures documented?




Is there a process for preserving evidence (logs, memory dumps)?




Are third-party breach coaches (legal/negotiation experts) identified?




Is there a system prioritization list for recovery?




Are alternative communication channels (SMS, radios) prepared?




Have you tested isolating infected systems without disrupting operations?




Are decryption options (e.g., ID Ransomware) bookmarked?




Is there a post-incident review process?




Are employees trained on ransomware response roles?




Are supply chain partners included in response planning?




Is ransomware-specific cyber insurance in place?




Have you simulated paying a ransom (data recovery testing)?




Is network segmentation (e.g., VLANs for critical systems) implemented?




Are unnecessary ports/services disabled across the network?




Is SMB signing enforced to prevent man-in-the-middle attacks?




Are Windows Defender Attack Surface Reduction (ASR) rules enabled?




Is LAPS (Local Administrator Password Solution) deployed?




Are GPOs (Group Policy Objects) used to enforce security settings?




Is NTLM authentication deprecated in favor of Kerberos?




Are RDP gateways used instead of direct RDP exposure?




Is macro security set to "disable with notification"?




Are Windows event logs forwarded to a secure SIEM?




Is constrained PowerShell implemented?




Are admin shares (e.g., C$, ADMIN$) restricted?




Is Credential Guard enabled on Windows 10/11 Enterprise?




Are unnecessary browser plugins/extensions blocked?




Is USB storage restricted via device control policies?




Are Wi-Fi networks (especially guest networks) isolated?




Is NAC (Network Access Control) implemented?




Are default configurations hardened (e.g., CIS benchmarks)?




Is patch management automated for all systems?




Are annual red team exercises conducted?




DDoS Mitigation
Do you have DDoS protection for critical web services?




Have you tested your infrastructure's resilience to volumetric attacks?




Are critical services distributed across multiple availability zones?




Is there a defined DDoS response procedure?




Are DNS services protected against amplification attacks?




Do you have alternative communication channels during attacks?




Are network baselines established to detect abnormal traffic?




Have you reviewed ISP/cloud provider DDoS protections?




Are emergency contacts with your ISP documented?




Do you conduct annual DDoS response drills?




Zero-Day Threat Management
Is there a process to apply emergency patches within 48 hours?




Do you subscribe to zero-day vulnerability alerts?




Are compensating controls in place for unpatched systems?




Have you identified critical systems most vulnerable to zero-days?




Is network segmentation used to limit exploit spread?




Are default credentials changed on all systems?




Do you maintain an asset inventory for quick patch targeting?




Are emergency patch rollback procedures documented?




Have you tested workarounds for potential zero-day scenarios?




Is there a dedicated security team monitoring emerging threats?




Insider Threat Prevention
Are employee access rights reviewed quarterly?




Is terminated employee access revoked within 1 hour of departure?




Are role-based access controls (RBAC) implemented?




Is privileged access reviewed monthly?




Are access requests documented and approved?




Is segregation of duties (SoD) enforced for sensitive functions?




Are temporary access rights automatically revoked after expiration?




Is access granted on a need-to-know basis?




Are privileged accounts monitored in real-time?




Are service accounts regularly audited?




Is access history retained for 1+ years?




Are failed access attempts logged and reviewed?




Are privileged sessions recorded?




Is just-in-time (JIT) access used for elevated privileges?




Are shared accounts prohibited (or tightly controlled)?




Are default credentials changed on all systems?




Is MFA required for sensitive systems?




Are access patterns baselined for anomalies?




Is access revoked after repeated failed logins?




Are third-party vendor accesses time-limited?




Do you monitor for unusual data access patterns?




Are privileged user activities logged and audited?




Is data exfiltration monitoring in place?




Are unusual login times/locations flagged?




Is USB/removable media usage logged?




Are cloud storage uploads monitored?




Are print/export activities tracked?




Is email forwarding to external addresses restricted?




Are screen captures monitored on sensitive systems?




Is keyboard/mouse inactivity monitored for suspicious sessions?




Are large file transfers flagged?




Is AI/ML used to detect behavioral anomalies?




Are DLP (Data Loss Prevention) tools deployed?




Are SIEM alerts configured for insider threat patterns?




Are BYOD devices monitored for corporate data?




Is shadow IT usage detected?




Are VPN/logon sessions correlated with physical access logs?




Are privilege escalations audited?




Is data access correlated with job roles?




Are contractor activities monitored equally?




Is there a whistleblower policy for reporting concerns?




Are sensitive operations subject to dual approval?




Do you conduct exit interviews for departing IT staff?




Are BYOD devices subject to security controls?




Is there a clean desk policy enforced?




Are non-disclosure agreements (NDAs) signed annually?




Is remote work monitored for policy compliance?




Do social media policies address corporate data?




Is printing of sensitive documents restricted?




Are after-hours access requests scrutinized?




Is password sharing strictly prohibited?




Are screen locks enforced after 5 minutes of inactivity?




Is tailgating/physical access controlled?




Are meeting rooms cleared of sensitive materials?




Is data classification enforced?




Are personal cloud storage apps blocked?




Is BYOD network access segmented?




Is personal email access restricted on work devices?




Is USB device encryption required?




Are third-party audits conducted annually?




Is UEBA (User and Entity Behavior Analytics) deployed?




Are endpoint detection and response (EDR) tools installed?




Is encryption enforced for data at rest and in transit?




Are DLP rules applied to email/cloud apps?




Is application allowlisting implemented?




Are print management systems used to track documents?




Is watermarking applied to sensitive documents?




Are keystroke dynamics analyzed for suspicious patterns?




Is printer accounting enabled?




Are cloud access security brokers (CASBs) deployed?




Is remote wipe capability enabled for mobile devices?




Are virtual desktops used for sensitive data?




Is data tokenization used where possible?




Are AI-driven anomaly detection systems in place?




Is blockchain used for audit trail immutability?




Are USB ports disabled on sensitive workstations?




Is screen capture software restricted?




Are time-of-day restrictions applied to critical systems?




Is automated policy enforcement configured?




Are honeypot files deployed to detect data theft?




Is insider threat awareness training conducted annually?




Are employees trained on reporting suspicious activity?




Is security culture measured through surveys?




Are managers trained to spot behavioral red flags?




Is mental health support available for stressed employees?




Are ethics training sessions mandatory?




Is gamification used for security training?




Do phishing simulations include insider threat scenarios?




Is turnover rate monitored by department?




Are employee satisfaction surveys conducted?




Is anonymous reporting encouraged?




Are security champions identified in each department?




Is positive reinforcement used for security compliance?




Are termination procedures standardized?




Is onboarding security training tailored by role?




Are contractors given equivalent security training?




Is social engineering resistance training provided?




Are family/partner awareness programs offered?




Is remote work security training specialized?




Are security metrics shared company-wide?




Supply Chain Risks
Have you assessed critical vendors' security postures?




Are software bills of materials (SBOMs) required for purchases?




Do you verify software integrity before installation?




Is there a process to respond to compromised vendor credentials?




Have you identified single-source vendor dependencies?




Are contractual cybersecurity requirements enforced?




Do you monitor for vendor-related data breaches?




Is there an approved vendor list with security ratings?




Have you tested alternative suppliers for critical components?




Are vendor remote access sessions recorded?




Cloud-Specific Threats
Are cloud admin accounts protected with MFA?




Is public access to cloud storage buckets restricted?




Are cloud activity logs reviewed for anomalies?




Have you configured cloud security posture management?




Are API keys and credentials rotated regularly?




Is data encrypted both in transit and at rest?




Have you tested cloud backup restoration procedures?




Are unused cloud services automatically disabled?




Do you monitor for suspicious cross-account activities?




Are cloud permissions reviewed monthly?




Mobile Security
Are mobile devices required to have passcodes?




Is remote wipe capability enabled for all devices?




Are work apps containerized from personal data?




Is jailbroken/rooted device detection in place?




Are public Wi-Fi connections restricted or secured?




Do you enforce minimum OS versions on devices?




Are mobile threat defense solutions deployed?




Is app permission management implemented?




Are SMS-based MFA methods being phased out?




Do you monitor for lost/stolen devices?




Physical Security
Are server rooms secured with access logs?




Is visitor access to tech areas restricted?




Are workstations set to auto-lock when idle?




Is sensitive paperwork securely shredded?




Are security cameras monitoring critical areas?




Is there a clean desk policy enforced?




Are backup media stored in fireproof safes?




Is tailgating at secured entrances prevented?




Are emergency power-off switches accessible?




Have you tested physical intrusion response?




Social Engineering
Are verification procedures in place for sensitive requests?




Is financial transaction confirmation required?




Have you simulated vishing (voice phishing) attacks?




Are social media policies for employees established?




Is sensitive information redacted in public filings?




Are executive protection protocols in place?




Have you assessed public data leakage risks?




Is there a process for verifying vendor changes?




Are emergency override procedures secured?




Do you conduct quarterly social engineering tests?




IoT/OT Security
Are all IoT devices on segregated networks?




Have default credentials been changed on IoT devices?




Is firmware updated on critical OT systems?




Are industrial control systems air-gapped where possible?




Is physical access to OT systems restricted?




Are anomaly detection systems monitoring OT networks?




Have you identified mission-critical OT components?




Are vendor remote accesses to OT systems monitored?




Is there an OT-specific incident response plan?




Have you tested OT system failover capabilities?




Emerging Threat Preparedness
Have you assessed AI-generated threat risks?




Is there a process for evaluating new attack vectors?




Are deepfake detection measures being considered?




Have you simulated a quantum computing breach scenario?




Are you tracking developments in adversarial machine learning?




Is there a budget allocated for future threat mitigation?




Have you reviewed space-based infrastructure risks?




Are you participating in threat intelligence sharing?




Is there a dedicated emerging threats research function?




Does your insurance cover novel cyber threats?




ISO 27001 Implementation
Have you established an Information Security Management System (ISMS)?




Is there a documented risk assessment methodology aligned with ISO 27001?




Are roles/responsibilities for information security clearly defined?




Have you identified all assets included in the ISMS scope?




Are security policies reviewed and updated annually?




Is there a process for internal ISO 27001 audits?




Have you conducted a Statement of Applicability (SoA) review?




Are employees regularly trained on ISO 27001 policies?




Is there a process for reporting and handling security incidents?




Are supplier security risks assessed per ISO 27001 requirements?




Is access control based on need-to-know principles?




Are cryptographic controls documented and implemented?




Is physical security aligned with ISO 27001 Annex A?




Are operations procedures documented and controlled?




Is there a formal change management process?




Are technical vulnerabilities managed per ISO 27001?




Is business continuity planning integrated with the ISMS?




Are compliance obligations documented and tracked?




Have you addressed all applicable Annex A controls?




Is management review of the ISMS conducted annually?




NIST Cybersecurity Framework
Have you identified all critical business functions (NIST Identify)?




Is there a complete asset inventory with risk classifications?




Are cybersecurity roles and responsibilities documented?




Have you established risk assessment procedures (NIST SP 800-30)?




Are access controls implemented per NIST 800-53?




Is there a continuous monitoring program (NIST Detect)?




Are security awareness trainings conducted annually?




Have you implemented multi-factor authentication (NIST 800-63B)?




Is there an incident response plan aligned with NIST SP 800-61?




Are recovery time objectives (RTOs) defined for critical systems?




Does encryption use NIST FIPS 140-2 validated modules?




Are vulnerability scans conducted monthly?




Is patch management aligned with NIST guidelines?




Are backups tested annually for recoverability?




Is there a process for reporting to CISA (US organizations)?




Have you conducted a NIST CSF gap assessment?




Are third-party risks assessed using NIST SP 800-171?




Is mobile device security aligned with NIST guidelines?




Are cloud security controls mapped to NIST SP 800-145?




Is there a process for continuous framework improvement?




GDPR & HIPAA Compliance
Have you identified all personal data processing activities?




Is there a lawful basis documented for each processing activity?




Are Data Protection Impact Assessments (DPIAs) conducted?




Is there a process for handling data subject requests?




Are data processing agreements (DPAs) in place with vendors?




Have you appointed a Data Protection Officer (if required)?




Is there a process for reporting breaches within 72 hours?




Are privacy notices regularly reviewed and updated?




Is data minimization practiced in collection/storage?




Are international data transfers compliant (SCCs, etc.)?




Are PHI access logs reviewed quarterly (HIPAA)?




Is there a designated HIPAA Security Officer?




Are BAAs signed with all relevant business associates?




Is ePHI encrypted at rest and in transit?




Are workforce members trained on HIPAA annually?




Is there a process for sanitizing media containing PHI?




Are authentication controls implemented for ePHI access?




Is there an emergency mode operation plan?




Are security incidents documented and analyzed?




Are compliance audits conducted annually?




Penetration Testing & Vulnerability Management
Are penetration tests conducted annually (or after major changes)?




Do pentests include both external and internal assessments?




Are critical systems included in every pentest scope?




Is remediation tracked to completion?




Are vulnerability scans run at least quarterly?




Are scan results reviewed by qualified personnel?




Is there a risk-based prioritization process for vulnerabilities?




Are zero-day vulnerabilities addressed within 48 hours?




Are compensating controls documented for unpatched vulnerabilities?




Is there a process for third-party vulnerability disclosure?




Data Protection & Encryption
Is all sensitive data encrypted at rest?




Is TLS 1.2+ enforced for all data in transit?




Are encryption keys managed securely (HSMs/KMS)?




Is end-to-end encryption used for sensitive communications?




Are backup encryption keys stored separately from data?




Is there a key rotation policy (e.g., annual for PII)?




Are deprecated protocols (SSLv3, TLS 1.0) disabled?




Is certificate validity monitored and renewed automatically?




Are encrypted data transfers required for remote work?




Is encryption strength appropriate for data classification?




Software & Enterprise Applications
CRM Systems
Platform Selection & Architecture
Which CRM platform best aligns with your company size and industry?




Have you compared total cost of ownership (TCO) for Salesforce vs. Dynamics 365?




Is your CRM deployed as cloud/SaaS, on-premise, or hybrid?




Does your CRM support mobile offline access for field teams?




Are you using the CRM's latest stable version with all patches?




Have you configured multi-factor authentication (MFA) for all CRM logins?




Is your CRM instance compliant with regional data residency laws?




Does your CRM integrate with your email/calendar system?




Are API call limits monitored to prevent service disruptions?




Have you tested CRM failover capabilities during outages?




(Salesforce) Have you optimized Lightning vs. Classic features?




(Dynamics 365) Are you using Unified Interface?




(HubSpot) Have you scaled beyond Marketing Hub starter features?




(Zoho) Are you leveraging Zia AI capabilities?




Lead & Contact Management
Is there a standardized process for lead capture/form submission?




Are duplicate records automatically detected and merged?




Do contact records show complete interaction history?




Are lead scoring rules aligned with sales priorities?




Is there a process for re-engaging stale leads?




Can you track lead source/channel effectiveness?




Are contacts automatically enriched with third-party data?




Do team members log all customer interactions?




Is GDPR/CCPA compliance configured for contact data?




Can you segment contacts by custom attributes?




Pipeline & Opportunity Management
Is your sales pipeline visually mapped in the CRM?




Are deal stages customized to your sales process?




Do forecasts automatically adjust based on pipeline changes?




Are probability percentages tied to specific deal actions?




Can you track competitor involvement in opportunities?




Is there a process for escalating stuck deals?




Are sales quotas and territories configured correctly?




Can you generate pipeline health reports?




Are lost reasons analyzed to improve win rates?




Is there integration between quotes and opportunities?




Integrations & Data Flow
Is CRM data synced bi-directionally with your ERP?




Are marketing automation leads flowing into the CRM?




Does customer service software log cases in the CRM?




Are e-commerce transactions recorded in customer profiles?




Is accounting software integrated for invoice tracking?




Can you trigger workflows from CRM events?




Are custom APIs/loggers monitoring integration health?




Is third-party data (ZoomInfo, Clearbit) enriching records?




Have you tested integration failure scenarios?




Are integration credentials securely stored/rotated?




AI & Automation
Are lead prioritization scores AI-generated?




Does your CRM suggest next-best actions for deals?




Are chatbots handling tier-1 customer inquiries?




Is sentiment analysis applied to customer emails?




Are forecasting models using machine learning?




Does the CRM detect unusual deal movements?




Are automated follow-ups triggered by engagement data?




Can the CRM recommend optimal contact times?




Are knowledge base articles AI-suggested during cases?




Have you audited AI recommendations for bias?




Analytics & Adoption
Can you track CRM adoption rates by user/team?




Are dashboards customized for different roles?




Do reps receive automated activity reports?




Can you measure sales cycle length by product?




Is customer lifetime value (LTV) calculated?




Are you tracking campaign ROI through the CRM?




Can you forecast revenue under multiple scenarios?




Are custom report folders permission-controlled?




Do field teams have mobile analytics access?




Are data exports controlled and audited?




Security & Compliance
Are role-based permissions regularly reviewed?




Can you track all record access/changes?




Is PII/PCI data masked in reports?




Are inactive users automatically deprovisioned?




Is CRM data included in backup routines?




Are SSO and IP restrictions configured?




Can you meet legal hold requirements?




Are API integrations using OAuth 2.0?




Is there a process for data subject requests?




Have you tested ransomware recovery for CRM data?




Admin & Optimization
Is there a CRM steering committee?




Are release notes reviewed before updates?




Have you optimized page layouts for key objects?




Are validation rules preventing bad data entry?




Is there a sandbox for testing changes?




Are unused fields/features archived?




Do you monitor API call volume/limits?




Are custom indexes improving report performance?




Have you reviewed AppExchange/app security?




Is there a CRM roadmap aligned to business goals?




ERP & Business Management
Platform & Architecture
Which ERP best matches your organizational complexity (SAP for enterprises, Dynamics for mid-market)?




Have you calculated TCO including licensing, customization, and support?




Is your ERP cloud-hosted, on-premise, or hybrid?




Are critical ERP modules (finance, inventory) highly available?




Is there a disaster recovery plan for ERP systems?




Are ERP interfaces optimized for mobile access?




Do you conduct annual ERP version/feature reviews?




Are integrations with other systems (CRM, BI) fully documented?




Is MFA enforced for all ERP logins?




Have you tested failover during peak operational periods?




(SAP) Are you using S/4HANA or considering migration?




(Oracle) Have you optimized Fusion Cloud modules?




(Dynamics) Are you leveraging Power Platform integrations?




Financial Management
Does ERP automate period-end closing procedures?




Are financial reports customizable for different entities?




Can you track budgets vs. actuals in real-time?




Is multi-currency handling automated?




Are audit trails maintained for all journal entries?




Does the ERP prevent duplicate invoice payments?




Are tax calculations compliant with regional regulations?




Can you generate consolidated financial statements?




Is there role-based access for sensitive financial data?




Are bank reconciliations automated?




Supply Chain & Inventory
Does ERP provide real-time inventory visibility?




Are reorder points automatically calculated?




Can you track items by batch/serial number?




Does the ERP support demand forecasting?




Are purchase approvals workflow-driven?




Can you compare vendor performance metrics?




Is MRP/MPS functionality being utilized?




Are landed costs automatically calculated?




Does the ERP integrate with warehouse systems?




Are cycle counts automated?




HR & Payroll
Is employee self-service enabled?




Does the ERP handle multi-country payroll?




Are benefits enrollment workflows automated?




Can you track training/certifications?




Is time tracking integrated with payroll?




Does the ERP support org chart management?




Are recruitment processes streamlined?




Is there GDPR compliance for employee data?




Can managers access team performance data?




Are payroll audits conducted quarterly?




Analytics & Optimization
Are real-time dashboards available to decision-makers?




Can you simulate "what-if" scenarios?




Is there a single source of truth across modules?




Are unused ERP features costing unnecessary licenses?




Do you measure process cycle time improvements?




Are there automated alerts for anomalies?




Can users build custom reports without IT help?




Is AI/ML being used for predictive analytics?




Have you identified top 5 ERP inefficiencies?




Is there a 3-year ERP roadmap aligned to strategy?




Productivity & Collaboration
Platform Selection & Setup
Have you standardized on Microsoft 365 or Google Workspace as your primary platform?




Are all user accounts provisioned through centralized identity management?




Is multi-factor authentication (MFA) enforced for all users?




Have you configured data retention policies for emails/files?




Are mobile device management (MDM) policies in place?




Is external sharing of documents properly restricted?




Have you disabled legacy protocols (IMAP, POP3) for security?




Are admin roles properly segregated (e.g., Helpdesk vs. Global Admin)?




Is version history enabled for critical documents?




Have you established naming conventions for files/teams?




Core Productivity Tools
Are email signatures standardized and compliant?




Is Teams/Meet used consistently for internal meetings?




Are shared calendars properly maintained?




Do you use shared drives/SharePoint instead of personal storage?




Are document templates available for common workflows?




Is real-time co-authoring actively used?




Are @mentions/comments utilized effectively?




Have you disabled unnecessary add-ins/plugins?




Is Viva Insights/Google Work Insights used to measure productivity?




Are keyboard shortcuts promoted to improve efficiency?




Project Management Tools
Have you standardized on Jira, Asana, Trello, or Monday.com?




Are projects structured with clear workflows/stages?




Is there integration between PM tools and email/calendar?




Are tasks automatically assigned based on triggers?




Do dashboards show project health at a glance?




Are time estimates vs. actuals tracked?




Is there documentation for recurring projects?




Can stakeholders view progress without manual reports?




Are dependencies between tasks clearly mapped?




Is resource allocation optimized across projects?




Collaboration & Communication
Are channels/workspaces organized by function (not person)?




Is there a clear policy for chat vs. email vs. tickets?




Are important announcements consistently posted in designated spaces?




Have you reduced redundant group chats?




Are meeting recordings systematically stored?




Is live captioning/transcription enabled for accessibility?




Are guest users properly managed and audited?




Do you use polls/surveys for quick feedback?




Are knowledge bases integrated with chat tools?




Have you eliminated shadow IT communication apps?




Security & Compliance
Are sensitive documents automatically classified/protected?




Is conditional access configured for risky logins?




Are external collaborators regularly reviewed?




Are backups performed for critical Teams/Drive data?




Is DLP (Data Loss Prevention) configured?




Are third-party app permissions regularly audited?




Are meetings configured to prevent "Zoom bombing"?




Is content search/eDiscovery properly configured?




Are audit logs retained for compliance periods?




Custom Software & Low-Code
Platform Strategy & Governance
Have you established a center of excellence for low-code development?




Is there a business case approval process for new custom apps?




Are citizen developers properly trained and certified?




Have you defined which use cases are appropriate for low-code vs pro-code?




Is there a license management process to avoid overspending?




Are application portfolios regularly reviewed for redundancy?




Have you set scalability limits for low-code solutions?




Is there a disaster recovery plan for mission-critical apps?




Are development standards documented and enforced?




Do you measure ROI on custom solutions vs off-the-shelf?




Power Platform/OutSystems Implementation
Are environments properly segregated (dev/test/prod)?




Is solution packaging used for deployments?




Are connection references managed centrally?




Have you implemented ALM (Application Lifecycle Management)?




Are custom connectors properly secured and documented?




Is CoE Starter Kit deployed (for Power Platform)?




Are application permissions reviewed quarterly?




Have you configured DLP (Data Loss Prevention) policies?




Is premium connector usage justified and monitored?




Is there a backup/restore process for canvas apps?




Are OutSystems lifetime apps being phased out?




Have you optimized reactive vs traditional web apps?




Are mobile apps tested across device types?




Is performance monitoring enabled for critical apps?




Have you established app retirement criteria?




DevOps & CI/CD Pipelines
Are source control systems (Git/Azure DevOps) integrated?




Is there automated testing in your deployment pipelines?




Are build/release pipelines properly documented?




Have you implemented environment variables for configurations?




Are secrets/credentials managed through Key Vault/equivalent?




Do pipelines include static code analysis?




Is there rollback capability for failed deployments?




Are deployment approvals required for production?




Have you set pipeline timeout thresholds?




Are build artifacts properly versioned and stored?




Is infrastructure-as-code used where applicable?




Are deployment logs retained for compliance?




Have you implemented canary deployments?




Is there monitoring/alerting for pipeline failures?




Are developer sandboxes properly isolated?




Security & Compliance
Are all apps included in your vulnerability management program?




Is RBAC (Role-Based Access Control) implemented consistently?




Have you conducted penetration tests on critical apps?




Are OAuth tokens regularly rotated?




Is PII data properly identified and protected?




Are audit logs enabled and monitored?




Do apps comply with corporate branding/accessibility standards?




Are third-party components vetted for security risks?




Have you tested malformed input handling?




Is there a process for security patching custom solutions?




Digital Marketing & E-Commerce
Marketing Automation
Platform & Setup
Which marketing automation platform (HubSpot, Marketo, Pardot) best fits your business needs?




Have you integrated your CRM with your marketing automation tool?




Is your contact database properly segmented for targeting?




Are you using a dedicated IP for email sending (if high volume)?




Have you configured domain authentication (SPF, DKIM, DMARC)?




Are unsubscribe/compliance settings properly configured?




Do you have a lead scoring model aligned with sales priorities?




Are tracking pixels correctly implemented for campaign attribution?




Have you set up UTM parameters for campaign tracking?




Is there a documented onboarding process for new marketing users?




Email Marketing
Are email templates branded and mobile-responsive?




Do you A/B test subject lines, CTAs, or send times?




Is dynamic content used to personalize emails?




Are list hygiene practices in place (e.g., removing bounces)?




Do you have a re-engagement campaign for inactive contacts?




Are transactional emails (e.g., confirmations) automated?




Is there a clear email sending frequency strategy?




Are spam filters regularly checked (e.g., Litmus, GlockApps)?




Do you track email reply rates (not just opens/clicks)?




Are win/loss emails triggered based on CRM updates?




Lead Nurturing & Scoring
Are lead nurturing workflows aligned with buyer journeys?




Do you have different nurture tracks for different segments?




Is behavioral scoring used (e.g., website visits, email engagement)?




Are demographic scoring rules applied (e.g., job title, industry)?




Do sales teams agree with lead scoring thresholds?




Are MQLs (Marketing Qualified Leads) properly handed off to sales?




Is there a lead recycling process for disqualified leads?




Are negative scoring rules in place (e.g., unsubscribes)?




Do you track lead velocity (time between stages)?




Are scoring models reviewed quarterly for accuracy?




Campaign Execution
Are campaign calendars used to avoid email fatigue?




Do you have trigger-based campaigns (e.g., abandoned cart)?




Are multi-touch attribution models in place?




Do you run retargeting campaigns based on website behavior?




Are offline conversions (calls, events) tracked in the system?




Is AI-driven send time optimization being used?




Are suppression lists maintained to avoid over-messaging?




Do you sync ad engagement data (e.g., LinkedIn, Facebook)?




Are seasonal/promotional campaigns planned in advance?




Is there a post-campaign analysis process?




Reporting & Optimization
Do you track campaign ROI (revenue influenced vs. spend)?




Are conversion rates monitored at each funnel stage?




Do you measure email deliverability and inbox placement?




Is lead-to-customer conversion rate improving over time?




Are sales feedback loops used to refine campaigns?




Do you benchmark performance against industry standards?




Are AI/ML insights (e.g., HubSpot predictive lead scoring) utilized?




Is A/B testing data systematically applied to future campaigns?




Are budget allocations adjusted based on channel performance?




Is there a quarterly marketing automation audit?




E-Commerce Platform
Platform Selection & Setup
Which e-commerce platform (Shopify, Magento, WooCommerce) best fits your business needs?




Is your platform optimized for mobile users (responsive design, fast load times)?




Have you configured multi-currency/multi-language support (if selling globally)?




Are you using a headless commerce setup for better customization?




Is your checkout process streamlined (minimal steps, guest checkout option)?




Have you set up automatic tax calculations based on location?




Are product catalogs well-organized with filters and search functionality?




Do you have a staging environment for testing updates before going live?




Is inventory synced in real-time across all sales channels?




Are you using progressive web app (PWA) features for better UX?




Payment Gateways & Security
Do you support multiple payment options (credit cards, PayPal, Apple Pay, etc.)?




Is your payment gateway PCI DSS compliant, and does your integration (hosted fields, redirect, or iframe) keep raw card data out of your own systems so your merchant scope stays small?




Have you enabled 3D Secure authentication for fraud prevention?




Are failed transactions analyzed for recurring issues?




Do you offer installment payment options (e.g., Klarna, Afterpay)?




Is tokenization used so that only gateway-issued tokens are stored, with no raw card numbers (PANs) retained in databases, logs, or tickets?




Are chargeback rates monitored and minimized?




Have you tested fallback payment gateways in case of outages?




Are fraud detection tools (e.g., Signifyd, Riskified) integrated?




Is HTTPS (TLS 1.2 or later; SSL and early TLS are obsolete) enforced across the entire site, with HTTP redirected, HSTS set, and no mixed content?




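If tokenization and PCI DSS scoping are working, no primary account number (PAN) should ever appear outside the payment gateway. A quick way to check is to scan application logs, database exports and support tickets for anything that looks like a card number. The example below is added here and is not part of the original checklist or any vendor's tooling: it combines a Luhn check with an issuer-prefix table to reject Luhn-valid non-PANs such as order IDs, and reports only masked numbers (first six, last four) so the scanner's own output does not become cardholder data. The brand table and sample log lines are constructed for the example; 4111111111111111 and 378282246310005 are widely published test card numbers, not real accounts.

```python
"""Scan text (application logs, DB exports, support tickets) for raw card numbers.

Added example, not the page's code: if tokenization is working, no primary account number
(PAN) should appear anywhere outside the gateway. The brand prefix table and the sample
log lines are constructed for this example; 4111111111111111 and 378282246310005 are
widely published test card numbers, not real accounts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefixes and permitted lengths: a Luhn-valid order ID starting with '1' is not a PAN.
BRANDS = (
    ("visa", re.compile(r"^4"), {13, 16, 19}),
    ("mastercard", re.compile(r"^(5[1-5]|222[1-9]|22[3-9]\d|2[3-6]\d\d|27[01]\d|2720)"), {16}),
    ("amex", re.compile(r"^3[47]"), {15}),
    ("discover", re.compile(r"^(6011|65)"), {16, 19}),
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    brand: str
    masked: str


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str | None:
    """Return the issuer brand if the prefix and length match a known scheme, else None."""
    for name, prefix, lengths in BRANDS:
        if prefix.match(digits) and len(digits) in lengths:
            return name
    return None


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[str, str]]:
    """Return (brand, pan) for every Luhn-valid, brand-matching number found in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = brand_of(digits)
        if brand and luhn_valid(digits):
            hits.append((brand, digits))
    return hits


def scan_lines(lines: list[str]) -> list[Finding]:
    """Scan log lines; report masked PANs only so the report itself stays out of PCI scope."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for brand, pan in find_pans(line):
            findings.append(Finding(n, brand, mask_pan(pan)))
    return findings


# Constructed sample: one tokenized checkout (clean), one debug line leaking a formatted PAN,
# one support note with a spoken card number, one line of look-alike digit runs.
SAMPLE_LOG = [
    "2024-05-01T10:02:11Z checkout ok order=1234567890123456 token=tok_8f2a91 last4=1111",
    "2024-05-01T10:02:12Z DEBUG gateway payload card=4111 1111 1111 1111 exp=12/27",
    "2024-05-01T10:03:40Z support note: customer read out 378282246310005 over the phone",
    "2024-05-01T10:04:02Z shipment tracking 1Z9999999999999999 phone=5551234567",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.brand} PAN {f.masked}")
```

Run it against exported log files line by line; any finding means card data is reaching a system that the tokenization design assumed it never would, which both widens PCI scope and indicates a logging or integration defect to fix at the source.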
Cart Recovery & Retention
Do you have abandoned cart emails triggered within 1-24 hours?




Are exit-intent popups used to capture leaving visitors?




Have you tested discount incentives for cart recovery?




Is browser push notification retargeting enabled?




Do you offer free shipping thresholds to reduce abandonment?




Are cart abandonment rates tracked and optimized?




Have you implemented SMS cart recovery campaigns?




Do you use personalized recommendations to recover lost sales?




Are retargeting ads (Facebook, Google) used to bring back visitors?




Is customer account data leveraged for personalized follow-ups?




Performance & Scalability
Is your site speed optimized (under 3s load time)?




Have you tested peak traffic handling (e.g., Black Friday readiness)?




Are CDN (Content Delivery Network) services being used?




Is caching properly configured (Redis, Varnish, etc.)?




Are image/file sizes optimized for faster loading?




Do you conduct regular load testing before major promotions?




Is your hosting plan scalable for sudden traffic spikes?




Are database queries optimized to prevent slowdowns?




Have you minimized third-party script bloat?




Is server uptime monitored (99.9%+ target)?




Analytics & Optimization
Are Google Analytics 4 (GA4) & Enhanced E-commerce tracking set up?




Do you track customer lifetime value (LTV) by acquisition channel?




Are A/B tests run regularly (landing pages, CTAs, checkout flow)?




Is heatmap/scroll tracking (Hotjar, Crazy Egg) used to improve UX?




Are conversion funnels analyzed for drop-off points?




Do you measure ROAS (Return on Ad Spend) per campaign?




Are product return rates analyzed to improve listings?




Have you implemented AI-driven product recommendations?




Is seasonal performance data used for inventory planning?




Do you conduct quarterly e-commerce audits?




Customer Data Platforms (CDP)
Data Integration & Unification
Does your CDP ingest data from all customer touchpoints (web, mobile, CRM, email, POS)?




Are customer identities resolved across devices/channels (deterministic vs. probabilistic)?




Is first-party data prioritized over third-party data?




Are data silos eliminated (e.g., marketing vs. sales data)?




Does the CDP update profiles in real-time (not batch processing)?




Are offline interactions (call center, in-store) integrated?




Is there a data quality validation process (duplicates, errors)?




Are consent preferences (GDPR, CCPA) tracked and enforced?




Can you manually enrich profiles with supplemental data?




Is historical data retained for trend analysis?




Segmentation & Personalization
Can you create dynamic segments (e.g., "abandoned cart + high-LTV")?




Are predictive segments (e.g., churn risk) automatically generated?




Do segments update in real-time based on behavior?




Can you exclude overlapping segments (e.g., "loyalty members" vs. "discount seekers")?




Are lookalike audiences modeled for prospecting?




Is personalization (emails, ads, web) driven by CDP segments?




Can you A/B test segment performance?




Are seasonal/temporary segments (e.g., holiday shoppers) used?




Do you measure segment lift in conversion rates?




Are B2B firmographics (for account-based marketing) included?




Activation & Orchestration
Does the CDP sync segments to all activation tools (email, ads, CRM)?




Can you trigger real-time campaigns (e.g., browse abandonment alerts)?




Are customer journeys visualized and optimized in the CDP?




Is there cross-channel frequency capping (avoid over-messaging)?




Does the CDP suppress inactive/unsubscribed users automatically?




Can you export raw data for custom analytics?




Are AI recommendations (next-best-action) enabled?




Is offline-to-online attribution (e.g., in-store purchases from digital ads) tracked?




Do you measure incremental lift from CDP-driven campaigns?




Are compliance logs maintained for data usage?




Analytics & Insights
Does the CDP provide unified customer lifetime value (LTV) reporting?




Can you analyze paths to conversion across channels?




Are cohort analyses (e.g., repeat purchase rates) available?




Is churn/retention analysis automated?




Do you track channel overlap (e.g., users who see ads + emails)?




Are anomalies (sudden drops in engagement) flagged?




Can you forecast customer behavior (e.g., demand surges)?




Is ROI by segment/channel calculable?




Are data drift alerts (sudden profile changes) configured?




Do you benchmark performance against industry standards?




Governance & Compliance
Is PII (Personally Identifiable Information) masked for analysts?




Can you fully delete a customer (right to erasure)?




Are access controls (RBAC) enforced for sensitive data?




Is data lineage (source → CDP → activation) documented?




Are consent changes reflected across systems within 24 hours?




Do you conduct quarterly compliance audits?




Is data minimization practiced (only collect what's needed)?




Are breach response protocols documented?




Have you tested data subject access requests (DSARs)?




Is AI model bias monitored in segmentation/predictions?




SEO, PPC & Personalization
SEO Strategy
Is your keyword research updated quarterly based on search trends?




Are title tags & meta descriptions optimized for CTR and relevance?




Does your site have a clear internal linking structure?




Are URLs SEO-friendly (readable, keyword-rich, no duplicates)?




Is schema markup implemented for rich snippets?




Are image alt texts optimized for accessibility and SEO?




Is your site speed (Core Web Vitals) within Google benchmarks?




Do you have a backlink profile with high-authority sources?




Are local SEO signals (Google My Business, citations) optimized?




Is technical SEO (crawlability, indexability) audited monthly?




Google Ads & PPC
Are campaigns structured by intent (branded, non-branded, competitor)?




Is negative keyword management actively maintained?




Are ad extensions (sitelinks, callouts, structured snippets) fully utilized?




Do you use Smart Bidding (Max Conversions, Target ROAS) effectively?




Are search term reports analyzed weekly to refine targeting?




Is RLSA (Remarketing Lists for Search Ads) implemented?




Are Performance Max campaigns optimized with high-quality assets?




Do you A/B test ad copy & creatives monthly?




Is conversion tracking accurately set up across all campaigns?




Are audience signals layered in for better targeting?




Meta (Facebook/Instagram) Ads
Are campaign objectives aligned with funnel stages (awareness, consideration, conversion)?




Is Creative Testing (A/B, Dynamic) used to refine ad performance?




Are Lookalike Audiences (LAL) based on high-value customer segments?




Do you use Advantage+ Shopping for e-commerce campaigns?




Is CAPI (Conversion API) implemented for better tracking accuracy?




Are placement optimizations (Reels, Stories, Feed) tested?




Do you exclude overlapping audiences to avoid ad fatigue?




Are video ads optimized for sound-off viewing?




Is frequency capping applied to prevent overexposure?




Are lead forms (Instant Forms) used for lower-friction conversions?




A/B & Multivariate Testing
Are landing pages tested for conversion rate optimization (CRO)?




Do you test headlines, CTAs, and hero images systematically?




Is statistical significance (95%+ confidence) confirmed before declaring winners?




Are exit-intent popups tested for engagement vs. intrusiveness?




Do you experiment with personalized vs. generic messaging?




Are mobile vs. desktop experiences tested separately?




Is dynamic content (geotargeting, behavior-based) A/B tested?




Do you run sequential testing (e.g., headline → CTA → layout)?




Are failed tests documented to avoid repetition?




Is AI-driven testing (e.g., Google Optimize, Optimizely) leveraged?




Personalization & Dynamic Content
Are product recommendations (e.g., "Frequently Bought Together") personalized?




Is geotargeting used for localized offers/inventory?




Do logged-in users see behavior-based dynamic content?




Are abandoned cart reminders personalized with left items?




Is email/SMS marketing dynamically tailored to user actions?




Are pricing/promotions adjusted based on user segments?




Do you use AI-driven personalization (e.g., Adobe Target, Dynamic Yield)?




Are seasonal/holiday personalizations pre-planned?




Is real-time behavior triggering (e.g., "You just viewed X") enabled?




Do you measure lift in engagement from personalization?




Digital Transformation & Emerging Tech
Generative AI (ChatGPT, Copilot, Gemini)
Have you identified high-impact use cases for generative AI in your business?




Are employees trained on responsible AI usage (data privacy, bias mitigation)?




Is there a governance policy for AI-generated content?




Have you tested AI-assisted customer service (chatbots, email drafting)?




Are legal/ethical risks of AI adoption assessed (copyright, hallucinations)?




Do you use AI for content generation (blogs, product descriptions, ads)?




Is AI-powered data analysis (e.g., sentiment, trends) integrated into workflows?




Are prompt engineering best practices documented for teams?




Have you evaluated cost vs. ROI of AI tools (API calls, subscriptions)?




Is AI-augmented coding (GitHub Copilot) used by your dev team?




Process Automation (RPA - UiPath, Blue Prism, Power Automate)
Are repetitive tasks (data entry, invoicing) automated?




Is there an RPA Center of Excellence to manage bots?




Are automated workflows integrated with legacy systems?




Do you monitor bot performance/failures in real time?




Are human-in-the-loop approvals built into critical automations?




Have you quantified FTE savings from RPA?




Is process mining used to identify automation opportunities?




Are RPA scripts version-controlled and documented?




Have you tested attended vs. unattended RPA?




Is AI + RPA (e.g., document processing with NLP) being piloted?




Predictive & Decision AI
Are predictive analytics used for demand forecasting?




Do you use AI-driven pricing optimization?




Is anomaly detection (fraud, ops failures) automated?




Are AI recommendations (upsell/cross-sell) fed to sales teams?




Have you implemented AI-powered HR tools (resume screening, attrition prediction)?




Is computer vision (quality control, inventory tracking) in use?




Are voice assistants (e.g., call center AI) deployed?




Do you measure AI model drift and retrain periodically?




Is A/B testing used to validate AI recommendations?




Are AI ethics reviews conducted for high-stakes applications?




Blockchain & Smart Contracts
Have you evaluated blockchain for supply chain transparency?




Are smart contracts used for automated payments/agreements?




Is tokenization (digital assets, loyalty points) being explored?




Do you use blockchain for identity verification?




Have you assessed energy-efficient consensus mechanisms (e.g., PoS vs. PoW)?




Are regulatory risks (crypto, data laws) addressed?




Is interoperability with other blockchains tested?




Have you piloted DeFi (decentralized finance) applications?




Are audit trails immutable and verifiable?




Is blockchain-as-a-service leveraged?




IoT & Edge Computing
Are IoT sensors deployed for asset tracking/condition monitoring?




Is predictive maintenance enabled via IoT data?




Are edge devices processing data locally to reduce latency?




Is 5G/Wi-Fi 6 used for high-bandwidth IoT networks?




Are IoT security controls (encrypted transport, signed and verified firmware updates, unique per-device credentials) enforced?




Do you aggregate IoT data into central dashboards?




Have you tested digital twins for simulation/analysis?




Are energy-efficient IoT protocols (LoRaWAN, Zigbee) in use?




Is AI at the edge (e.g., real-time video analytics) implemented?




Are IoT ROI metrics (uptime, cost savings) tracked?




Augmented & Virtual Reality
Are AR product previews (e.g., "try before you buy") offered?




Is VR training used for high-risk scenarios (equipment ops, safety)?




Have you tested AR for field service (remote expert assistance)?




Are 3D virtual showrooms integrated with e-commerce?




Do you use AR for interactive manuals/maintenance?




Is WebXR leveraged for browser-based AR/VR experiences?




Are hardware requirements (headsets, phones) assessed for scalability?




Have you measured engagement metrics (session time, completion rates)?




Is spatial computing (Apple Vision Pro, Meta Quest) being piloted?




Are AR/VR content creation pipelines established?




Metaverse & Web3
Have you defined a metaverse strategy (brand presence, commerce)?




Are virtual events (conferences, product launches) hosted?




Is NFT-based membership/loyalty being explored?




Do you have digital asset ownership policies?




Are avatar-based customer service options tested?




Is interoperability between metaverse platforms considered?




Have you assessed monetization models (virtual goods, ads)?




Are community moderation tools in place for virtual spaces?




Is VR collaboration (Microsoft Mesh, Horizon Workrooms) used?




Do you track metaverse user demographics/behavior?




Emerging Interfaces
Is haptic feedback integrated for immersive experiences?




Are voice/gesture controls supported in AR/VR?




Have you tested neural interfaces (EEG, EMG) for accessibility?




Is 3D spatial audio implemented?




Are light-field displays being evaluated for realism?




Customer Support & Omnichannel
Helpdesk & Ticketing
Platform & Workflow
Is your helpdesk software (Zendesk, Freshdesk, ServiceNow) optimized for your business size?




Are ticket categories/priorities clearly defined (e.g., P1-P4)?




Is there automated ticket routing based on issue type/agent skills?




Are SLAs (response/resolution times) configured and tracked?




Do you use canned responses/macros for common queries?




Are customer satisfaction (CSAT) surveys sent post-resolution?




Are there escalation paths for complex issues?




Are ticket backlogs analyzed weekly for recurring problems?




Do agents have real-time dashboards for performance tracking?




Is AI-assisted ticket tagging/summarization in use?




Integration & Automation
Is the helpdesk integrated with your CRM (e.g., Salesforce)?




Are internal collaboration tools (Slack, Teams) linked to tickets?




Do tickets auto-create from emails/chat/social media?




Are time-tracking tools used for agent productivity?




Is voice-to-text transcription enabled for call logs?




Can customers track ticket status via a self-service portal?




Are knowledge base articles suggested during ticket handling?




Do you use predictive analytics to forecast ticket volumes?




Are ticket workflows automated (e.g., follow-ups, closures)?




Is sentiment analysis applied to ticket content?




Agent Experience
Are agent scripts/playbooks available for consistency?




Is gamification (badges, rewards) used to motivate teams?




Are screen recordings of customer sessions reviewed for training?




Do you measure First Contact Resolution (FCR) rates?




Is AI-powered agent assist (suggested replies) enabled?




Are shift schedules optimized for peak demand times?




Do agents have single sign-on (SSO) to all required tools?




Are voice/video calls logged as tickets?




Is multilingual support available for global customers?




Are agent burnout metrics (e.g., ticket load) monitored?




Omnichannel Support
Chatbots & Live Chat
Do AI chatbots handle Tier-1 queries (24/7 availability)?




Is there seamless chatbot-to-human handoff?




Are chatbot conversations audited for accuracy?




Can chatbots authenticate users for account-specific help?




Are chatbot intents regularly updated based on new queries?




Is proactive chat (e.g., exit-intent offers) enabled?




Do chatbots integrate with order/account systems?




Are chatbot fallback scenarios (escalation paths) tested?




Is chatbot personality/tone aligned with brand voice?




Are chatbot analytics (resolution rate, deflection rate) tracked?




Social Media & Messaging
Are social media mentions/DMs (Twitter, Facebook) monitored?




Is WhatsApp/Instagram Messaging used for support?




Are messaging apps integrated with your helpdesk?




Do you enforce response time targets for social channels?




Is social media sentiment analysis automated?




Are crisis response protocols in place for viral complaints?




Can customers start on social media and continue via email/chat?




Are social media support hours clearly communicated?




Do you archive/delete resolved social conversations for compliance?




Are social agents trained in brand tone and de-escalation?




Email & Phone
Are email templates personalized and brand-consistent?




Is IVR (Interactive Voice Response) optimized for quick routing?




Do you offer callback options to avoid hold times?




Are call recordings used for quality assurance?




Is speech analytics applied to call center conversations?




Are email response times benchmarked against industry standards?




Do you A/B test email subject lines for open rates?




Is call deflection (e.g., chatbot/FAQ suggestions) implemented?




Are after-hours voicemails converted to tickets?




Is call center downtime (e.g., outages) proactively communicated?




Knowledge Management
Self-Service Portals
Is your help center/search function easy to navigate?




Are FAQs dynamically updated based on trending queries?




Can users submit tickets directly from the knowledge base?




Is content translated for global audiences?




Do you track knowledge base engagement (views, search terms)?




Are videos/visual guides available for complex topics?




Is there a feedback loop for outdated/confusing articles?




Are knowledge base analytics (reduction in tickets) measured?




Can users comment/rate articles for improvement?




Is single sign-on (SSO) required for secure articles?




AI & Continuous Improvement
Does AI suggest relevant articles during live chats?




Are unresolved tickets mined for new knowledge gaps?




Is natural language search (e.g., semantic understanding) enabled?




Do you auto-generate knowledge base drafts from ticket resolutions?




Are content expiration dates set for time-sensitive guides?




Is knowledge base SEO optimized for external search traffic?




Are internal wikis (e.g., Confluence) synced with customer content?




Is AI-powered content summarization (TL;DR) available?




Are knowledge base contributors incentivized?




Have you tested AI voice assistants for hands-free self-service?




Telecommunications & Unified Comms
VoIP & Collaboration Tools
Platform & Usage
Have you standardized on Microsoft Teams, Zoom, or Slack as your primary collaboration tool?




Is VoIP call quality monitored for jitter/latency/packet loss?




Are meeting recordings automatically transcribed and stored?




Do you enforce password protection for sensitive meetings?




Is background noise suppression enabled for call clarity?




Are guest access permissions properly restricted?




Have you configured auto-attendants for after-hours calls?




Is call forwarding/multi-device ringing optimized for remote work?




Are call analytics (duration, drop rates) reviewed monthly?




Do you use AI meeting assistants (e.g., Copilot, Otter.ai)?




Security & Compliance
Is end-to-end encryption enabled for sensitive calls?




Are unused user licenses deprovisioned promptly?




Is MFA (Multi-Factor Authentication) enforced for all users?




Are meeting lobby settings used to prevent "Zoom bombing"?




Do you comply with data residency requirements for call logs?




Are administrative roles (e.g., Teams admin) properly segregated?




Is conditional access configured for external joiners?




Are call detail records (CDRs) retained for compliance?




Have you tested disaster recovery for VoIP services?




Are third-party app integrations (e.g., Calendly) vetted for security?




User Adoption & Efficiency
Are employees trained on advanced features (polls, breakout rooms)?




Do you measure adoption rates per department?




Is there a naming convention for channels/meetings?




Are recurring meetings templatized for consistency?




Have you eliminated redundant tools (e.g., Slack + Teams)?




Is live captioning enabled for accessibility?




Are hardware peripherals (headsets, webcams) standardized?




Do you optimize bandwidth allocation for video calls?




Are usage policies (recording consent, chat etiquette) documented?




Have you benchmarked costs vs. ROI for premium features?




Call Center Tech
IVR & Call Routing
Is your IVR menu optimized for quick issue resolution?




Are call flows tested quarterly for usability?




Do you offer callback options to reduce hold times?




Is natural language processing (NLP) used for voice recognition?




Can callers authenticate via voice biometrics?




Are call routing rules based on agent skills/availability?




Is call deflection (to chatbots/self-service) implemented?




Do you track IVR containment rates (calls resolved without agents)?




Are holiday/after-hours messages updated promptly?




Is caller sentiment analysis used for prioritization?




Cloud Contact Centers (Five9, Genesys, NICE)
Are omnichannel interactions (voice, chat, email) unified?




Is real-time agent assist (AI prompts) enabled?




Do supervisors have live dashboards for queue monitoring?




Are call recordings used for quality assurance?




Is workforce management (WFM) software integrated?




Are customer journey analytics tracked across touchpoints?




Do you measure average handle time (AHT) vs. FCR?




Are outbound campaigns (sales, surveys) compliant with regulations?




Is CRM screen pop (automatic customer data display) configured?




Have you tested failover to backup call centers?




Performance & Optimization
Are abandoned call rates analyzed for root causes?




Is AI-powered coaching (e.g., NICE Enlighten) used?




Are agent desktop tools streamlined to reduce clicks?




Do you conduct silent monitoring for training?




Are customer satisfaction (CSAT) surveys automated post-call?




Is speech analytics mined for trends/complaints?




Are forecasting models used for staffing adjustments?




Have you implemented gamification for agent motivation?




Is self-service password reset integrated to reduce call volume?




Are KPIs (SLAs, NPS) tracked in real time?




5G & Mobile Solutions
Enterprise Mobility
Is EMM/UEM (Enterprise Mobility Management) deployed?




Are corporate devices (BYOD vs. COPE) policy-compliant?




Is remote wipe enabled for lost/stolen devices?




Are app permissions restricted on work profiles?




Is 5G/Wi-Fi 6 prioritization configured for critical apps?




Are geofencing alerts used for asset tracking?




Is mobile threat defense (MTD) software installed?




Are SMS-based MFA methods being phased out?




Is VoIP over 5G tested for call quality?




Are data usage policies enforced to prevent overages?




5G Business Applications
Have you piloted AR/VR over 5G (e.g., field service)?




Is edge computing used for low-latency mobile apps?




Are IoT devices connected via 5G for real-time data?




Do you use network slicing for QoS-critical operations?




Is private 5G being evaluated for campuses/warehouses?




Are 5G-enabled drones used for inspections/deliveries?




Have you tested 5G vs. Wi-Fi 6 for indoor coverage?




Are mobile app performance metrics (latency, uptime) monitored?




Is 5G security (SIM-based authentication) configured?




Have you quantified 5G ROI (productivity gains vs. costs)?




Operational Technology (OT) & Industry 4.0
Industrial IoT (IIoT) & Predictive Maintenance
Are IoT sensors deployed for equipment condition monitoring?




Is vibration/temperature/energy data analyzed in real time?




Do you use predictive maintenance alerts to reduce downtime?




Are failure thresholds dynamically adjusted via machine learning?




Is edge computing used to process sensor data locally?




Are wireless protocols (LoRaWAN, Zigbee) optimized for range/power?




Do equipment OEMs integrate with your IIoT platform?




Are maintenance logs correlated with sensor data for root-cause analysis?




Have you quantified ROI (downtime reduction, cost savings)?




Is 5G or Wi-Fi 6 used for high-bandwidth IIoT applications?




Are legacy machines retrofitted with smart sensors?




Do you track mean time between failures (MTBF) improvements?




Is energy consumption monitored at the machine level?




Are supply chain partners granted secure access to relevant IIoT data?




Have you tested AI-driven anomaly detection for unknown failure modes?




Smart Manufacturing & Robotics
Are autonomous mobile robots (AMRs) used for material handling?




Is collaborative robotics (cobots) deployed alongside workers?




Are production lines digitally twinned for simulation/optimization?




Do robots self-diagnose maintenance needs?




Is computer vision used for quality inspection?




Are adaptive control systems (self-adjusting parameters) implemented?




Do you use AR for equipment troubleshooting?




Is additive manufacturing (3D printing) integrated into production?




Are work instructions dynamically updated based on IoT data?




Have you implemented lights-out (fully automated) production?




Are operator wearables (smart glasses, exoskeletons) in use?




Is blockchain used for component provenance tracking?




Do autonomous forklifts/AGVs navigate your facilities?




Are production schedules optimized via AI?




Have you measured OEE (Overall Equipment Effectiveness) gains?




SCADA & ICS Security
Is your OT network air-gapped (or segmented) from IT systems?




Are default passwords changed on all ICS devices?




Is network traffic baselined for anomaly detection?




Are USB/media controls enforced to prevent malware?




Do you conduct OT-specific penetration tests?




Are firmware updates applied regularly to PLCs/RTUs?




Is role-based access control (RBAC) implemented for ICS?




Are backups tested for SCADA system recovery?




Have you identified single points of failure in control systems?




Are OT asset inventories automatically updated?




Is network monitoring (e.g., Nozomi, Claroty) deployed?




Are ransomware response plans tailored for OT environments?




Do you enforce physical security for critical ICS hardware?




Are remote access sessions (VPN, jump hosts) logged and limited?




Is NIST SP 800-82 or IEC 62443 compliance tracked?




Are supply chain risks (compromised vendor software) assessed?




Do you simulate ICS cyberattack scenarios (e.g., Stuxnet-type)?




Is application allowlisting (application control) enforced on OT hosts such as HMIs and engineering workstations?




Is security awareness training provided for OT staff?




Have you tested manual override capabilities during cyber incidents?




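Several of the SCADA/ICS questions above (segmentation from IT, traffic baselining for anomaly detection, limited remote access) can be answered with the same simple technique that commercial OT monitoring products build on: learn which conversations are normal during a quiet window, then flag anything that departs from it. The example below is added here and is not code from the checklist or from any named vendor. It works over constructed flow records and assumes an address plan of IT on 10.0.0.0/8 and an OT cell on 192.168.100.0/24 with one permitted jump-host path; the Modbus/TCP port (502) and write function codes (5, 6, 15, 16) are the protocol's standard values.

```python
"""Baseline-and-deviate anomaly check for an OT network segment.

Added example, not the page's code. Flow records are constructed inline; the subnets,
hosts and boundary allow list are assumptions for the example. Modbus/TCP uses port 502,
and function codes 5, 6, 15 and 16 are its standard write operations.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed address plan: IT users on 10.0.0.0/8, OT cell on 192.168.100.0/24.
IT_NET = ipaddress.ip_network("10.0.0.0/8")
OT_NET = ipaddress.ip_network("192.168.100.0/24")
# Assumed: the only IT->OT path that should exist (jump host -> engineering workstation).
BOUNDARY_ALLOW = {("10.20.1.5", "192.168.100.10")}

MODBUS_PORT = 502
MODBUS_WRITE_FCS = {5, 6, 15, 16}  # Write Single Coil/Register, Write Multiple Coils/Registers


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    fc: int | None = None  # Modbus function code, if the sensor decoded it


@dataclass
class Baseline:
    tuples: set[tuple[str, str, int]]
    writers: set[str]  # hosts seen issuing Modbus writes during the learning window


def learn_baseline(flows: list[Flow]) -> Baseline:
    """Learning phase: record every (src, dst, dport) and every host that wrote to a PLC."""
    tuples = {(f.src, f.dst, f.dport) for f in flows}
    writers = {f.src for f in flows if f.dport == MODBUS_PORT and f.fc in MODBUS_WRITE_FCS}
    return Baseline(tuples, writers)


def check_flow(flow: Flow, baseline: Baseline) -> list[str]:
    """Return alert reasons for one flow (empty list means it conforms to the baseline)."""
    alerts: list[str] = []
    src_ip, dst_ip = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)

    # 1. Segmentation: IT -> OT traffic is only permitted on the explicit allow list.
    if src_ip in IT_NET and dst_ip in OT_NET and (flow.src, flow.dst) not in BOUNDARY_ALLOW:
        alerts.append(f"IT->OT boundary violation {flow.src} -> {flow.dst}:{flow.dport}")

    # 2. Baseline deviation: a conversation never seen during the learning window.
    if (flow.src, flow.dst, flow.dport) not in baseline.tuples:
        alerts.append(f"new conversation {flow.src} -> {flow.dst}:{flow.dport}")

    # 3. Control-plane integrity: a Modbus write from a host that never wrote before.
    if flow.dport == MODBUS_PORT and flow.fc in MODBUS_WRITE_FCS and flow.src not in baseline.writers:
        alerts.append(f"Modbus write FC{flow.fc} from non-baseline writer {flow.src}")
    return alerts


def detect(flows: list[Flow], baseline: Baseline) -> dict[Flow, list[str]]:
    """Run check_flow over a window and keep only the flows that raised at least one alert."""
    return {f: a for f in flows if (a := check_flow(f, baseline))}


# Constructed learning window: HMI polls the PLC, the engineering workstation writes
# setpoints, and the jump host reaches the engineering workstation over SSH.
LEARNING = [
    Flow("192.168.100.20", "192.168.100.50", 502, 3),   # HMI reads holding registers
    Flow("192.168.100.10", "192.168.100.50", 502, 16),  # engineering workstation writes registers
    Flow("10.20.1.5", "192.168.100.10", 22),             # jump host -> engineering workstation
]

# Constructed live window: normal traffic plus three deviations.
LIVE = [
    Flow("192.168.100.20", "192.168.100.50", 502, 3),   # normal HMI poll
    Flow("192.168.100.20", "192.168.100.50", 502, 6),   # HMI suddenly issues a write
    Flow("10.99.7.31", "192.168.100.50", 502, 3),        # IT laptop talking straight to the PLC
    Flow("192.168.100.50", "192.168.100.20", 445),       # PLC opening SMB towards the HMI
]

if __name__ == "__main__":
    base = learn_baseline(LEARNING)
    for flow, reasons in detect(LIVE, base).items():
        for reason in reasons:
            print(f"ALERT {reason}")
```

The three checks map onto three of the questions above: the boundary test is the segmentation question, the tuple test is the baselining question, and the writer test catches the case that matters most in OT, a host that is allowed to talk to a PLC starting to change its state. A real deployment learns the baseline from a span mirror or network tap over days rather than three records, and reviews new conversations with the plant engineers before treating them as malicious.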
IT Service Management (ITSM) & Training
ITIL & ITSM Tools
Incident Management
Is there a centralized ticketing system (ServiceNow, Jira, Freshservice)?




Are incident priorities (P1-P4) clearly defined?




Are SLAs (response/resolution times) documented and tracked?




Do you have automated escalation paths for critical incidents?




Are major incident response plans tested annually?




Is root cause analysis (RCA) conducted for recurring issues?




Are incident trends analyzed monthly for proactive fixes?




Do you use AI-driven ticket categorization/routing?




Are incident communications (status pages, alerts) automated?




Is customer satisfaction (CSAT) measured post-resolution?




Problem Management
Is there a known error database (KEDB)?




Are problem tickets linked to related incidents?




Do you conduct weekly problem review meetings?




Are workarounds documented until permanent fixes are deployed?




Is trend analysis used to identify latent problems?




Change Management
Is there a change advisory board (CAB)?




Are change success rates tracked?




Are standard vs. emergency changes differentiated?




Is change impact assessment mandatory?




Are failed changes analyzed for process improvements?




Service Request & Catalog
Is there a self-service portal for common requests?




Are service catalog items standardized and automated?




Do you measure fulfillment time for service requests?




Are approval workflows configured for sensitive requests?




Is the catalog updated quarterly based on demand?




Asset & Configuration Management
Is there a CMDB (Configuration Management Database)?




Are asset lifecycle states (procurement to disposal) tracked?




Is license compliance monitored?




Are CI (Configuration Item) relationships mapped?




Are automated discovery tools used for asset tracking?




End-User Training
Cybersecurity Awareness
Is mandatory security training conducted annually?




Are phishing simulation tests run quarterly?




Do you track training completion rates by department?




Are password hygiene best practices taught?




Is remote work security (VPN, Wi-Fi risks) covered?




IT Tool Adoption
Are new hire IT onboarding sessions standardized?




Do you offer role-specific training (e.g., Excel for finance)?




Are quick-reference guides/videos available?




Is there a feedback loop to improve training content?




Are "lunch and learn" sessions offered for new features?




Change Management Training
Are end-users notified in advance of major IT changes?




Are training materials updated for system upgrades?




Do you measure user proficiency post-training?




Are change champions identified to assist peers?




Is resistance to change addressed proactively?




Performance Metrics
Do you track helpdesk ticket reduction post-training?




Are training ROI metrics (productivity gains) calculated?




Is continuous improvement part of the training strategy?




Are leaders held accountable for team adoption?




Is training aligned with business goals (e.g., digital transformation)?




Green IT & Sustainability
Energy Efficiency
Data Centers & Cloud
Are energy-efficient servers (low-power CPUs, SSDs) deployed?
Is virtualization/containerization used to reduce physical servers?
Are data center PUE (Power Usage Effectiveness) metrics tracked?
Have you migrated workloads to carbon-neutral cloud providers?
Is dynamic cooling (AI-based, liquid cooling) implemented?

End-User Devices
Are devices set to energy-saving modes (sleep, auto-shutdown)?
Is thin client/VDI used to reduce endpoint energy use?
Are renewable energy sources (solar/wind) powering offices?
Do you measure kWh consumption per employee/department?
Are energy-efficient monitors/peripherals mandated in procurement?

E-Waste & Circular Economy
Hardware Lifecycle
Is there a formal e-waste recycling program with certified vendors?
Are devices refurbished/reused internally before recycling?
Do you track asset lifespan to optimize replacement cycles?
Are leasing/takeback programs used with OEMs?
Is data sanitization performed before device disposal?

Sustainable Procurement
Is EPEAT/TCO-certified hardware prioritized?
Do you audit suppliers for ethical mining/recycling practices?
Is packaging waste minimized (bulk shipments, recyclable materials)?
Are cloud providers selected based on sustainability reports?
Is IT sustainability part of employee performance metrics?

Future Trends & Innovation
Quantum Computing
Have you assessed quantum-vulnerable encryption methods (RSA, ECC) in your systems?
Is post-quantum cryptography (PQC) migration planned (e.g., NIST-selected algorithms)?
Are quantum key distribution (QKD) pilots being explored for high-security networks?
Have you identified use cases for quantum advantage (optimization, drug discovery)?
Are IT teams trained on the business implications of quantum computing?

AI Ethics & Regulations
Bias & Fairness
Do you audit AI models for demographic bias (gender, race, age)?
Are diverse datasets used to train critical AI systems?
Is model explainability (XAI) required for high-stakes decisions?

Transparency & Compliance
Are AI decision logs maintained for regulatory audits?
Do you comply with regional AI laws (EU AI Act, US Executive Order)?
Is there an AI ethics review board?
Is synthetic data used to protect privacy in training?

Governance
Are AI impact assessments conducted pre-deployment?
Is human oversight mandated for sensitive AI outputs?
Do you disclose AI usage to customers (e.g., chatbots)?

Next-Gen Cybersecurity
Are AI-powered attacks (deepfake phishing, adversarial ML) monitored?
Is post-quantum cryptography prioritized for TLS, VPNs, and PKI?
Have you tested zero-trust architectures against novel threats?
Are cyber-physical systems (IoT/OT) protected from AI-driven exploits?
Is there a threat intelligence team focused on emerging risks?