IT KORR Knowledge Center
Compliance Readiness Checklist
A cross-framework checklist covering the core governance and compliance controls most audits and frameworks expect to see in place.
Policy & Documentation
- Written information security policy exists, is dated, and has a named owner.
- Acceptable use, data classification, and access control policies are documented and distributed to staff.
- Policies are reviewed and re-approved at least annually, with version history retained.
- An asset inventory (hardware, software, and data) is maintained and kept current.
Access Governance & Encryption
- Access to systems and data is granted on a least-privilege, role-based basis.
- User access is reviewed on a regular cadence, with offboarding tied to HR processes.
- Multi-factor authentication is enforced for all users, especially privileged and remote access.
- Sensitive data is encrypted at rest and in transit using current, approved standards.
Backup, Incident Response & Vendor Management
- Backups are performed on a defined schedule, encrypted, and periodically test-restored.
- A written incident response plan exists and has been tabletop-tested within the last 12 months.
- Critical vendors and subprocessors are inventoried, with due diligence performed before onboarding.
- Vendor contracts include appropriate data protection and breach notification terms.
Audit Logging & Training
- Audit logging is enabled on systems handling sensitive or regulated data, with logs retained per policy.
- Logs are reviewed or monitored for anomalous activity on a defined cadence.
- Security awareness training is delivered to all staff at onboarding and at least annually thereafter.
- Training completion is tracked and documented as evidence.
Related Resources
- Compliance Fundamentals — /knowledge-center/compliance/compliance-governance/compliance-fundamentals
- Governance vs. Compliance — /knowledge-center/compliance/compliance-governance/governance-vs-compliance