Security categories
The Stack Finder draws its recommendations from these categories based on your environment. Each category represents a class of security control, not a specific product.
MFA and Identity Security
Multi-factor authentication enforcement across email, admin accounts, and business applications.
What to ask
Ask your IT provider or Microsoft partner: Is MFA enforced via Conditional Access or Security Defaults? Are all admin accounts covered? Are there legacy authentication protocols still enabled?
Gather before deciding
Confirm which email and cloud platform you use. List admin accounts. Check whether any shared accounts bypass MFA.
Email Security
Phishing detection, impersonation protection, and advanced email filtering beyond default settings.
What to ask
Ask your IT provider: What email security is included in your current plan? Is anti-impersonation protection configured? Are Safe Links and Safe Attachments enabled?
Gather before deciding
Confirm your email platform (Microsoft 365 or Google Workspace). Review what security features are already included in your current subscription tier.
Endpoint Protection
Threat detection, prevention, and response on workstations, laptops, and servers.
What to ask
Ask providers: Is this endpoint detection and response (EDR) or basic antivirus? What is the management overhead? Is there a 24/7 alert response option?
Gather before deciding
Count managed devices by type (Windows, Mac, servers). Confirm whether your Microsoft 365 plan includes Defender for Business. List any devices not currently managed.
Backup and Recovery
Encrypted, automated, and tested backups of critical business data and systems.
What to ask
Ask providers: How often are backups tested? What is the recovery time estimate? Are Microsoft 365 mailboxes and files backed up separately from local systems?
Gather before deciding
Identify critical data: files, databases, email, financial records. Estimate how much data loss your business could tolerate. Confirm whether Microsoft 365 data is currently backed up.
Business Password Manager
Centralized credential storage, team vaults, and enforced unique passwords across accounts.
What to ask
Ask providers: How do you handle shared vaults and offboarding? What MFA options are supported? What is the per-user cost for teams under 50?
Gather before deciding
Count the number of team members who need access. List the shared accounts and credentials currently stored in email, spreadsheets, or browser-saved passwords.
DNS Filtering and Web Security
Blocks access to malicious domains, phishing infrastructure, and unwanted content at the DNS layer.
What to ask
Ask providers: Does this apply to remote workers as well as office users? How are policies managed? Is there logging and alerting on blocked attempts?
Gather before deciding
Confirm your current DNS resolver. List the number of devices and remote workers that need coverage.
Security Awareness Training
Phishing simulation and security training to build employee awareness and reduce click rates.
What to ask
Ask providers: Does the platform include phishing simulations and automated training? How is employee completion tracked? Is there a minimum seat count?
Gather before deciding
Count the number of employees who need training. Confirm whether any training has been done previously and what the last phishing simulation showed.
External Vulnerability Scanning
Automated scanning of public-facing systems for known vulnerabilities, before an attacker finds them.
What to ask
Ask providers: What assets are in scope? Is written authorization required before scanning begins? What does the findings report include and how are results prioritized?
Gather before deciding
List all public-facing domains, websites, subdomains, public IP addresses, and cloud-hosted services. Confirm who owns or controls each asset and who has authority to authorize scanning.
Identity and Access Management
Centralized user lifecycle management, role-based access control, and single sign-on.
What to ask
Ask providers: What platforms does this integrate with? How does offboarding work? What is the per-user cost?
Gather before deciding
List your business applications. Identify how users are currently provisioned and deprovisioned. Check whether shared accounts are in use.
Security Monitoring
Log aggregation, alerting, and threat detection across your environment, managed or in-house.
What to ask
Ask providers: Is this a managed service or a platform you configure yourself? What alerts are included by default? What is the response process when something is flagged?
Gather before deciding
Assess whether your team has the capacity to review alerts internally. Determine whether managed detection and response (MDR) is more appropriate than a self-managed SIEM.