Cybersecurity Self-Assessment
Understand your own security posture — a structured NIST CSF-based assessment for small and mid-sized organizations.
Why a Cybersecurity Self-Assessment
Every organization should understand its own security posture — not just when a customer asks, but as a standing practice. A structured self-assessment gives you a baseline, identifies gaps, and provides a roadmap for improvement.
The drivers vary: your cyber insurance underwriter is asking harder questions at renewal. A new enterprise customer requires evidence of your security program. Your board wants a briefing. Or you simply want to hold yourself accountable. All are valid. The assessment is worth doing regardless of who's asking.
We recommend completing this assessment once per year — and updating your answers whenever significant changes occur to your technology environment.
SOC 2 and ISO 27001: Excellent, But Not For Most
SOC 2 Type II and ISO 27001 are the gold standards of security assurance. SOC 2 involves an independent auditor examining your controls over a period of time (typically 6–12 months) and issuing a report that enterprise customers will accept in lieu of questionnaires. ISO 27001 is an international certification of your information security management system.
Both are genuinely excellent — and neither is appropriate for most organizations. The investment in time, process, and audit fees is significant. For companies at the scale where these credentials are required (typically enterprise B2B SaaS, healthcare, financial services), they're worth pursuing. For most SMBs, NIST CSF is a more practical starting point.
NIST Cybersecurity Framework
The National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) organizes security into five functions:
Identify — What assets, data, and systems exist? Who is responsible for security? What risks have been identified?
Protect — How are systems and data protected? Multi-factor authentication (MFA), encryption, access controls, patching, backups, training.
Detect — What monitoring is in place? How would you know if something went wrong?
Respond — What happens when an incident occurs? Is there a plan? Has it been tested?
Recover — How do you restore operations after an incident? What are your recovery time objective (RTO) and recovery point objective (RPO) targets?
These five functions cover the full lifecycle of security — prevention, detection, and response.
Our Free Assessment
We developed a structured self-assessment based on NIST CSF, adapted for the practical reality of small and mid-sized organizations. It covers all five NIST functions with 51 questions designed to be answerable by anyone familiar with your organization's technology environment.
It's free. No signup required. Take it at your own pace.
Download Cybersecurity Assessment (PDF)
We recommend completing it as honestly as you can — "I don't know" is a valid and useful answer. Then update your answers 1–2 times per year. Over time, you'll see your posture improve, and you'll have documentation of that progress.
If you need help interpreting the results, understanding what changes to prioritize, or turning the gaps into a remediation plan — that's exactly what RSystems does. Let's talk.