• the trust bridge - Solutions and advice you can trust in a data-enabled world
  • Unified Compliance Readiness Scorecard

  • GDPR (10 Questions)

  • Do you maintain an up-to-date RoPA (Records of Processing Activities)?
  • Have you conducted DPIAs where required in the last 12 months?
  • Do you have a clear, documented legal basis for all data processing activities?
  • Are data subject rights requests (access/DSARs, rectification, erasure, objection) handled within the statutory timeframe of one month, with any extension documented?
  • Is your privacy notice GDPR-compliant and accessible?
  • Do you maintain valid processor agreements (Article 28) with all third-party vendors?
  • Are cross-border transfers covered by an adequacy decision, EU SCCs, or the UK IDTA/Addendum, with transfer risk assessments where required?
  • Have you appointed a DPO, or documented why Article 37 does not require one?
  • Do staff receive annual GDPR and privacy training?
  • Have you tested your breach notification process?
  • ISO 27001 (10 Questions)

  • Do you maintain a documented and regularly updated risk register?
  • Is your Statement of Applicability (SoA) complete and aligned with implemented controls?
  • Do you have documented security policies reviewed annually?
  • Have you conducted an internal audit within the past year?
  • Is management review conducted and documented?
  • Do you perform regular access reviews (user privileges, role changes)?
  • Are backup and restoration procedures tested at least annually?
  • Are mobile devices and remote access governed by policy?
  • Do you assess information security risks during supplier onboarding?
  • Is corrective action tracked and logged for all nonconformities?
  • DORA (5 Questions)

  • Do you have a tested incident response plan aligned with DORA timelines?
  • Are critical ICT third-party providers identified and governed by contracts?
  • Have you completed threat-led penetration testing (TLPT) or equivalent?
  • Do you classify ICT-related incidents and report major ones to your competent authority within the DORA deadlines?
  • Are operational resilience roles/responsibilities clearly assigned?
  • NIS2 (5 Questions)

  • Have you performed a NIS2 gap assessment for your sector classification?
  • Do you have a cyber risk management plan aligned to NIS2’s minimum measures?
  • Are security incident procedures tested and documented?
  • Do you monitor third-party and supply chain vulnerabilities?
  • Are you prepared to meet the NIS2 reporting timeline (early warning within 24 hours, incident notification within 72 hours, final report within one month)?
  • ISO/IEC 42001 – AI Governance (5 Questions)

  • Have you identified all AI/automated decision-making systems used in your organisation?
  • Have risks associated with those systems been assessed and documented?
  • Is there an AI-specific policy that governs fairness, transparency, and explainability?
  • Do you conduct AI impact assessments (AIIAs) for high-risk systems?
  • Are AI stakeholders trained on ethical, legal, and operational risks?