IT security checklist for the IT lead

Starting point based on ISO/IEC 27001 and the Dutch AVG (GDPR).


The Basics 🚀

Handle these first for a solid security foundation:
Create a clear overview of team members, roles and accountabilities within your organization (single source of truth).
Enable MFA everywhere. Enforce this where possible via software settings for all team members (e.g. in Google Workspace and Slack this is possible).
Introduce a password manager (e.g. Proton Pass) (see: How to: passwords, passkeys & MFA 🔑).
If devices are managed by the organisation: enable/enforce all steps from How to: devices 💻📱.
Apply the principle of least privilege to your document management (e.g. Google Drive): do colleagues only have access to information they need for their work? Is there sensitive data on the shared drive?
Draw up an Information Security Policy for employees and have all employees sign it.
Organize periodic employee training for awareness (e.g. an annual phishing test and security quiz).


1. Policy & Documentation 📄

Draw up an information security policy (required)
  • Describe goals, responsibilities and approach, and what you consider acceptable use of company assets. Have all employees sign it.
Draw up loan agreements (required)
  • For company laptops and office tags/keys, for example. Have all employees sign them.
Have non-disclosure agreements (NDAs) signed (required)
  • By employees and external contractors.
Document a data breach procedure (required)
  • Who does what in the event of an incident? GDPR reporting obligation: 72 hours to the supervisory authority.
Maintain a processing register (recommended)
  • GDPR obligation: keep track of which personal data you process and why.


2. Access & Identity 🔐

Enforce a strong password policy (required)
  • Minimum 14 characters, no reuse. Use a password manager (e.g. Proton Pass) and always have it generate new passwords.
Enable multi-factor authentication (MFA) everywhere (required)
  • Also schedule a spot-check (e.g. twice a year) of whether employees have MFA enabled on all tools where you cannot enforce it automatically.
Apply the principle of least privilege (required)
  • Give employees access only to what they need for their work.
Onboarding and offboarding (required)
  • Grant access to the appropriate software and roles/permissions when an employee joins, and revoke it when they leave.
Avoid shared/generic accounts (recommended)
  • Each employee gets their own account for traceability.
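As an added example (not part of the original checklist), the script below runs the MFA spot-check, the offboarding check, the least-privilege check on admin roles and the shared-account check over a constructed user export. The CSV columns, the sample accounts, the list of generic account names and the admin allowlist are all assumptions; map the real export from your identity provider or SaaS admin console onto them.

```python
"""Audit a user export against the access & identity checklist items.

The export below imitates the kind of CSV you can download from an
identity provider or SaaS admin console. Column names are an assumption,
not any vendor's real schema.
"""
import csv
import io
from datetime import date

# Constructed sample export (not real data).
SAMPLE_EXPORT = """\
email,display_name,status,mfa_enabled,role,last_day
alice@example.org,Alice Jansen,active,true,admin,
bob@example.org,Bob de Vries,active,false,member,
info@example.org,Shared Mailbox,active,true,member,
carol@example.org,Carol Smit,active,true,admin,2024-01-31
dave@example.org,Dave Bakker,suspended,false,member,2023-11-15
"""

# Local parts that usually indicate a shared/generic account (assumption; extend to taste).
GENERIC_LOCAL_PARTS = {"admin", "info", "support", "shared", "office", "sales", "hello"}

# Least privilege: the allowlist of people permitted to hold an admin role (assumption).
APPROVED_ADMINS = {"alice@example.org"}


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["mfa_enabled"] = row["mfa_enabled"].strip().lower() == "true"
        row["last_day"] = date.fromisoformat(row["last_day"]) if row["last_day"] else None
        rows.append(row)
    return rows


def audit(rows, approved_admins=APPROVED_ADMINS, today=date(2024, 6, 1)):
    """Return (email, finding) tuples for every checklist violation found."""
    findings = []
    for row in rows:
        email = row["email"]
        local_part = email.split("@", 1)[0].lower()
        active = row["status"].lower() == "active"

        # MFA spot-check: every active account must have MFA enabled.
        if active and not row["mfa_enabled"]:
            findings.append((email, "mfa_disabled"))

        # Shared/generic accounts break traceability.
        if local_part in GENERIC_LOCAL_PARTS:
            findings.append((email, "generic_account"))

        # Offboarding: a last day in the past means access should already be revoked.
        if active and row["last_day"] and row["last_day"] < today:
            findings.append((email, "offboarding_overdue"))

        # Least privilege: admin roles only for people on the allowlist.
        if active and row["role"].lower() == "admin" and email not in approved_admins:
            findings.append((email, "unapproved_admin"))
    return findings


if __name__ == "__main__":
    for email, finding in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{finding:22} {email}")
```

Run it against the sample and it flags Bob (no MFA), the shared info@ mailbox, and Carol, whose last day has passed while her account is still active and still holds an unapproved admin role; suspended accounts are skipped because access has already been cut off.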


3. Devices & Endpoints 💻

Enable disk encryption on all devices (required)
  • BitLocker (Windows) or FileVault (Mac) on laptops and workstations.
Enable automatic updates (required)
  • Keep the OS, browsers and critical software up to date at all times.
Install antivirus/EDR software (required)
  • On all company devices, e.g. Microsoft Defender or Malwarebytes.
Set screen lock after inactivity (recommended)
  • After at most 5 minutes; unlocking requires a password or biometrics.
Establish a BYOD policy (personal devices) (recommended)
  • Rules for when employees use their own devices for work (e.g. their phone).


4. Cloud & Software ☁️

Maintain an inventory of all software and services in use (required)
  • Know which SaaS tools are in use (to prevent shadow IT), e.g. recorded in an authorization matrix.
Enter into data processing agreements with cloud providers (required)
  • GDPR requirement when they process personal data on your behalf.
Set up and test regular backups (required)
  • 3-2-1 rule: 3 copies, 2 media types, 1 offsite/cloud. Test recovery periodically and consult critical suppliers if needed.
Secure configuration of cloud environments (recommended)
  • Use security benchmarks (e.g. the CIS benchmarks) for Microsoft 365 and Google Workspace.
No sensitive data in personal cloud services (recommended)
  • No company data in a personal Dropbox, personal mailbox, etc.


5. Network 🌐

Separate business Wi-Fi from guest Wi-Fi (required)
  • Separate Wi-Fi for visitors without access to internal systems.
Firewall active on router and devices (required)
  • Both at network level and at endpoint level.
Change the default router password (required)
  • Replace the factory default immediately and keep the firmware up to date.
Use a VPN for remote work (recommended)
  • Mandatory when using public networks.


6. People & Awareness 👥

Clear reporting point for security incidents (required)
  • Everyone knows who to report suspicious situations to.
Provide security awareness training upon joining (required)
  • Minimum: recognizing phishing, passwords, reporting procedure.
Conduct phishing simulations (recommended)
  • Periodically test employees with simulated phishing emails.
Schedule annual refresher training (recommended)
  • Keep security awareness alive with current examples of threats and best practices.


7. Monitoring & Auditing 🔍

Enable logging for critical systems (recommended)
  • Who logged in, and when? Changes to sensitive files.
Conduct an annual internal security review (recommended)
  • Go through the checklist and update policies where necessary.
Periodically assess suppliers (optional)
  • Check the security certifications of critical suppliers.
Have a vulnerability scan or penetration test carried out (optional)
  • Have external testing done once customer data or critical systems are involved. Recommended if you deliver digital services to customers or process sensitive personal data at scale.
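As an added example for the logging item (not code from the original checklist), the script below takes constructed login and file-change events, answers "who logged in, and when?" per user, and flags the patterns an internal review would want a human to look at: a burst of failed logins, a successful login outside business hours, and a change to a sensitive file by someone not authorized to edit it. The key=value log format, the sample lines, the sensitive path prefixes, the editor lists, the business hours and the burst threshold are all assumptions; adapt the parser and the constants to your own systems.

```python
"""Review login and sensitive-file events from a constructed audit log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format is an assumption.
SAMPLE_LOG = """\
2024-06-03T08:12:44Z login user=alice result=success src=203.0.113.5
2024-06-03T02:40:01Z login user=bob result=failure src=198.51.100.7
2024-06-03T02:40:09Z login user=bob result=failure src=198.51.100.7
2024-06-03T02:40:20Z login user=bob result=failure src=198.51.100.7
2024-06-03T02:41:02Z login user=bob result=failure src=198.51.100.7
2024-06-03T02:41:30Z login user=bob result=failure src=198.51.100.7
2024-06-03T02:42:11Z login user=bob result=success src=198.51.100.7
2024-06-03T09:05:12Z file user=carol action=modify path=/finance/salaries.xlsx
2024-06-03T09:07:40Z file user=alice action=read path=/finance/salaries.xlsx
2024-06-03T10:15:00Z file user=dave action=modify path=/hr/contracts/offer.pdf
"""

# Assumptions: which paths count as sensitive, who may change them, what counts as office hours.
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
AUTHORIZED_EDITORS = {"/finance/": {"carol"}, "/hr/": {"erin"}}
BUSINESS_HOURS = (7, 20)                      # 07:00 up to (not including) 20:00, log timezone
FAILURE_THRESHOLD = 5                         # failures within FAILURE_WINDOW that make a burst
FAILURE_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn each line into a dict with a parsed timestamp, the event kind and its key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
        event.update(field.split("=", 1) for field in fields)
        events.append(event)
    return events


def login_summary(events):
    """Who logged in, and when: successful login timestamps per user, sorted."""
    summary = defaultdict(list)
    for event in events:
        if event["kind"] == "login" and event["result"] == "success":
            summary[event["user"]].append(event["ts"])
    return {user: sorted(times) for user, times in summary.items()}


def review(events):
    """Return (user, finding) tuples for the patterns that deserve a closer look."""
    findings = []
    recent_failures = defaultdict(list)       # (user, src) -> failure timestamps in the window
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["kind"] == "login":
            if event["result"] == "failure":
                window = recent_failures[(event["user"], event["src"])]
                window.append(event["ts"])
                window[:] = [t for t in window if event["ts"] - t <= FAILURE_WINDOW]
                # report once, when the threshold is first reached
                if len(window) == FAILURE_THRESHOLD:
                    findings.append((event["user"], "failed_login_burst"))
            elif not BUSINESS_HOURS[0] <= event["ts"].hour < BUSINESS_HOURS[1]:
                findings.append((event["user"], "login_outside_business_hours"))
        elif event["kind"] == "file" and event["action"] == "modify":
            for prefix in SENSITIVE_PREFIXES:
                if event["path"].startswith(prefix) and event["user"] not in AUTHORIZED_EDITORS[prefix]:
                    findings.append((event["user"], "unauthorized_sensitive_change"))
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for user, times in login_summary(parsed).items():
        print(user, [t.isoformat() for t in times])
    for user, finding in review(parsed):
        print(f"{finding:30} {user}")
```

Reading a file is deliberately not flagged here; only modifications to sensitive paths are, which keeps the review list short enough to actually be read. Widen the checks once you know what normal looks like in your own logs.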