1.Is multi-factor authentication enforced on all production system logins?

2.Is every production code change peer-reviewed before it ships?

3.Have you tested a backup by actually restoring it in the last 12 months?

4.Do you have written infosec policies that are approved and acknowledged by staff?

5.Do you run access reviews at least quarterly with documented sign-off?

6.Do you keep a critical-vendor list and collect their SOC 2 reports?

7.Do you run security awareness training with completion records?

8.Do you have a documented annual risk assessment with leadership sign-off?