Complete Compliance System

The TryCSC SMB
Compliance Navigator

A complete cybersecurity compliance and risk management guide for US small and mid-sized businesses — mapped to NIST CSF 2.0.

5 Modules · NIST CSF 2.0 Mapped · Live Scoring · Instant PDF Export · No Consultant Required
Before You Begin
If you have completed the TryCSC 5-Minute Cyber Health Check, you already know where your gaps are. This guide is what you do about them.
1
How This Guide Is Structured

The Compliance Navigator is not a textbook. It is not a policy document written for lawyers. It is a working guide — built for the business owner, operations manager, or COO who needs to get their house in order without hiring a consultant, without building an IT team, and without spending the next six months trying to decode government frameworks written in language designed to confuse everyone except the people who wrote them.

By the time you work through this guide, you will have five things that most of your competitors do not:

Module 1 — Compliance Readiness Assessment

A structured self-assessment mapped to the NIST Cybersecurity Framework 2.0. Includes sector-specific overlays for healthcare, financial services, defence supply chain, and retail.

Module 2 — Cyber Risk Exposure Snapshot

A practical, jargon-free assessment of the five attack vectors most commonly exploited against small businesses. Produces a one-page snapshot you can act on immediately — and hand to your insurer as evidence of due diligence.

Module 3 — Supplier Risk Register

A structured framework for assessing every vendor, supplier, and software provider with access to your systems or data. Produces a ranked register that tells you who is a risk, who needs monitoring, and who needs to go.

Module 4 — Incident Response Playbook

A step-by-step guide for the first 72 hours following a cyber incident. Covers containment, legal notification obligations, template communications, and the documentation you will need for insurance claims and regulatory reporting.

Module 5 — Evidence Pack

A compliance documentation summary designed to be presented to your cyber insurer, enterprise clients, auditors, or regulatory bodies as evidence of your documented compliance programme.

2
A Note on the NIST Cybersecurity Framework

The NIST Cybersecurity Framework — published by the National Institute of Standards and Technology — is the closest thing the United States has to a universal cybersecurity standard for business. It is not mandatory for most small businesses today. But that is changing faster than most people realise.

Cyber insurers reference it when assessing risk. Enterprise procurement teams reference it when vetting suppliers. The SEC references it in disclosure guidance. State regulators reference it when assessing breach response adequacy.

Version 2.0, released in 2024 and updated in March 2026, organises cybersecurity activity into six core functions. This guide uses those six functions as its backbone throughout Module 1.

→ NIST Small Business Quick Start Guide (PDF)
Govern
Establish and monitor your cybersecurity risk management strategy, expectations, and policy.
Identify
Determine the current cybersecurity risk to the business — what you have and what you need to protect.
Protect
Use safeguards to prevent or reduce cybersecurity risks to your systems and data.
Detect
Find and analyse possible cybersecurity attacks and compromises before they cause serious harm.
Respond
Take action regarding a detected cybersecurity incident — contain, communicate, and document.
Recover
Restore assets and operations that were impacted by a cybersecurity incident.

Most small businesses have some activity in Protect and very little in the other five. That is exactly the gap this guide addresses.

Module 1 — Compliance Readiness Assessment
A structured self-assessment mapped to the NIST Cybersecurity Framework 2.0 — the standard used by the US government and adopted as the benchmark for cybersecurity maturity. Rate each statement from 1 (Not in place) to 3 (Fully in place and documented). Your score updates in real time.

→ NIST Small Business Quick Start Guide
1
Govern
Section 1.1 · Max 18 points
Does your business have clear ownership and documented policies for cybersecurity? Governance is not about technology — it is about accountability. Whether someone in your organisation is clearly responsible for cybersecurity decisions, and whether the rules your business operates by are written down somewhere that an auditor, insurer, or court could review.

G1 There is a named individual in our business who is responsible for cybersecurity decisions and oversight.

G2 Our business has a written information security policy that describes how we protect data and systems. Staff are aware it exists.

G3 Cybersecurity risks are reviewed and discussed at a leadership or management level at least once per year.

G4 We have a documented acceptable use policy that tells staff what they can and cannot do with business systems and data.

G5 Our business carries cyber liability insurance, and we understand what it covers — including its conditions and exclusions.

G6 We understand the specific regulatory requirements that apply to our business — for example HIPAA, CMMC, GLBA, PCI DSS, or state breach notification laws.

Section 1.1 Score
0 / 18
2
Identify
Section 1.2 · Max 18 points
Do you know what you are responsible for protecting? You cannot protect what you cannot see. Most small businesses have a far larger digital footprint than they realise — old software still running on forgotten servers, personal devices connected to the business network, cloud accounts set up by staff who have since left.

I1 We maintain an up-to-date inventory of all hardware used in the business, including laptops, desktops, mobile devices, servers, and network equipment.

I2 We maintain an up-to-date inventory of all software applications and cloud services used in the business.

I3 We know exactly where our sensitive business data is stored — including customer records, financial data, employee information, and intellectual property.

I4 We have identified which data and systems are most critical to our business operations — the things that, if lost or compromised, would cause the most serious harm.

I5 We have identified the external threats most likely to affect a business like ours — including phishing, ransomware, business email compromise, and supply chain attacks.

I6 We understand our legal and regulatory data protection obligations, including what personal data we hold, who it belongs to, and what we are required to do if it is compromised.

Section 1.2 Score
0 / 18
3
Protect
Section 1.3 · Max 30 points
Do you have controls in place to prevent unauthorised access? Strong protection is not about expensive technology. It is about consistent application of a relatively small number of well-established controls that, if properly implemented, eliminate the vast majority of attack vectors used against businesses your size.

P1 All staff use strong, unique passwords for every business system, supported by a business password manager.

P2 Multi-factor authentication is enabled on all critical systems and applications, including email, file storage, accounting software, and any systems accessible from outside the office.

P3 Staff only have access to the systems and data they need for their specific role. Administrator access is restricted to those who genuinely require it.

P4 All business devices run current, supported operating systems and receive automatic security updates.

P5 All business devices are protected by current endpoint security software.

P6 Our business network uses a firewall. Guest or personal devices are on a separate network from business systems.

P7 Our business email domain is protected against impersonation through correct configuration of SPF, DKIM, and DMARC records.

P8 Staff have received cybersecurity awareness training within the last 12 months, including how to identify phishing attempts and what to do if they suspect an incident.

P9 When staff leave the business, their access to all systems — including cloud applications and shared accounts — is revoked within 24 hours.

P10 Sensitive data — particularly customer records and financial information — is encrypted when stored and when transmitted.

Section 1.3 Score
0 / 30
4
Detect
Section 1.4 · Max 12 points
Would you know if something was going wrong right now? Detection is the most underinvested area in small business cybersecurity. Many businesses that experience a breach do not discover it for weeks or months. You do not need enterprise-grade monitoring tools — you need basic visibility and a culture where staff feel comfortable raising concerns quickly.

D1 We review user account activity periodically — including failed login attempts, unusual access times, and access from unexpected locations.

D2 Our email platform is configured to alert us to unusual activity, such as forwarding rules set up without our knowledge, logins from new devices, or mass email sends.

D3 Staff know how to report a suspected security incident and feel comfortable doing so without fear of blame.

D4 We have a basic process for reviewing security alerts from our endpoint protection, email platform, or network equipment.

Section 1.4 Score
0 / 12
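D1 and D2 can both be checked from exports an administrator can download from Microsoft 365 or Google Workspace: the sign-in log and the list of inbox rules. The Python below is an added example written for this guide, not code from TryCSC or from either platform. The sign-in events and inbox rules are constructed sample data, their field names are assumptions about what such an export contains, and the expected country, business-hours window and failed-login threshold are placeholders to adjust for your business.

```python
"""Detect-function checks for D1 (account activity) and D2 (forwarding rules).

Added example for this guide; the records below are constructed sample data
and the field names are assumptions about what a sign-in or mailbox export
contains.
"""
from collections import Counter
from datetime import datetime

# Constructed sign-in events, one per authentication attempt.
SIGNIN_EVENTS = [
    {"user": "alice@example.com", "time": "2024-05-06T09:12:00+00:00", "result": "success", "country": "US"},
    {"user": "alice@example.com", "time": "2024-05-06T02:40:00+00:00", "result": "success", "country": "US"},
    {"user": "bob@example.com", "time": "2024-05-06T10:05:00+00:00", "result": "success", "country": "NG"},
    {"user": "carol@example.com", "time": "2024-05-06T13:00:00+00:00", "result": "success", "country": "US"},
] + [
    {"user": "bob@example.com", "time": f"2024-05-06T03:0{i}:00+00:00", "result": "failure", "country": "RU"}
    for i in range(5)
]

# Constructed inbox rules, as an admin export would list them.
INBOX_RULES = [
    {"mailbox": "bob@example.com", "name": "Newsletters", "forward_to": None, "delete": False},
    {"mailbox": "carol@example.com", "name": ".", "forward_to": "carol.backup@gmail.com", "delete": True},
    {"mailbox": "alice@example.com", "name": "To finance", "forward_to": "finance@example.com", "delete": False},
]

EXPECTED_COUNTRIES = {"US"}        # assumption: staff only sign in from the US
BUSINESS_HOURS = range(7, 20)      # assumption: 07:00-19:59 in the export's timezone
FAILED_LOGIN_THRESHOLD = 5
INTERNAL_DOMAINS = {"example.com"}


def review_signins(events, expected_countries=EXPECTED_COUNTRIES,
                   business_hours=BUSINESS_HOURS, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (user, reason, detail) tuples for the D1 warning signs."""
    findings = []
    failures = Counter()
    for event in events:
        if event["result"] != "success":
            failures[event["user"]] += 1      # count now, judge the total below
            continue
        when = datetime.fromisoformat(event["time"])
        if event["country"] not in expected_countries:
            findings.append((event["user"], "login from unexpected location", event["country"]))
        if when.hour not in business_hours:
            findings.append((event["user"], "login outside business hours", when.strftime("%H:%M")))
    for user, count in failures.items():
        if count >= threshold:
            findings.append((user, "repeated failed logins", str(count)))
    return findings


def review_inbox_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, reason, target) tuples for rules that send mail outside the business (D2)."""
    findings = []
    for rule in rules:
        target = rule.get("forward_to")
        if not target or target.rsplit("@", 1)[-1].lower() in internal_domains:
            continue
        reason = "forwards mail to an external address"
        if rule.get("delete"):
            # Forward-and-delete under a one-character name is the classic pattern an
            # attacker uses to read a compromised mailbox without the owner noticing.
            reason += " and deletes the original"
        findings.append((rule["mailbox"], reason, target))
    return findings


if __name__ == "__main__":
    for finding in review_signins(SIGNIN_EVENTS) + review_inbox_rules(INBOX_RULES):
        print(" | ".join(finding))
```

Failed attempts are counted rather than judged one by one, because a single failure is normal and a burst against one account is the signal. Rules that forward to your own domain are left alone; the finding is reserved for external targets, and the delete flag is called out because that is how a compromised mailbox is kept quiet.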
5
Respond
Section 1.5 · Max 12 points
Do you have a plan for when something goes wrong? Not if — when. Businesses that survive incidents intact are not the ones with the best defences. They are the ones with a clear, practiced plan that kicks in the moment something goes wrong.

R1 We have a documented incident response plan that tells staff what to do, who to call, and what not to do in the event of a cyber incident.

R2 We know our legal obligations for reporting a breach — including timeframes, which regulators to notify, and what information must be provided.

R3 We have contact details readily available for our cyber insurer, legal counsel, and IT support — accessible even if our main systems are offline.

R4 We have template communications prepared for notifying customers, regulators, and our insurer in the event of a breach — so we are not writing them under pressure at the worst possible moment.

Section 1.5 Score
0 / 12
6
Recover
Section 1.6 · Max 12 points
Can your business get back on its feet after a disruption? Recovery is about resilience. The businesses that recover quickly and fully are those with clean, tested, offsite backups and a clear plan for operating in a degraded state while systems are restored.

RC1 All critical business data is backed up automatically and daily to a secure location that is separate from our live systems.

RC2 We have tested our backup restoration process within the last 12 months and confirmed that data can be successfully recovered.

RC3 We have a documented business continuity plan that describes how we would continue operating — even in a limited capacity — if our primary systems were unavailable for 24 to 72 hours.

RC4 After any security incident, we conduct a structured review to understand what happened, why it happened, and what we will change as a result.

Section 1.6 Score
0 / 12
Remediation Roadmap
Your 90-day action plan

Based on your scores above, use this section to build your 90-day action plan. Start with your Red functions. Move to Amber once Red items are addressed.

Priority 1 Red Functions — Address within 30 days
Priority 2 Amber Functions — Address within 60 days
Priority 3 Green Functions — Review and document within 90 days
Sector Overlay
Additional industry-specific requirements

Depending on your industry, you may have regulatory obligations that go beyond the NIST CSF baseline. Review the relevant section below and note any additional gaps identified.

Healthcare — HIPAA Security Rule

If your business works in the health sector or handles protected health information — including as a business associate of a covered entity — you are subject to the HIPAA Security Rule regardless of your size.

→ HIPAA Privacy & Security Guide

  • You must conduct and document a formal risk analysis covering all electronic protected health information.
  • You must have documented policies for access control, audit controls, integrity controls, and transmission security.
  • You must have a documented sanction policy for staff who violate security policies.
  • Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must be reported to HHS within the same window and, where more than 500 residents of one state are affected, to prominent media in that state; smaller breaches are logged and reported to HHS annually.
Defence Supply Chain — CMMC

If your business holds or processes Controlled Unclassified Information for the DoD, or if you are a subcontractor in a DoD supply chain, CMMC compliance is mandatory.

→ CMMC Level 1 Self-Assessment Guide  |  → Level 2 Guide

  • Level 1 requires the 15 basic safeguarding requirements of FAR 52.204-21 (a subset of NIST SP 800-171). Annual self-assessment and affirmation required.
  • Level 2 requires all 110 requirements of NIST SP 800-171. Triennial assessment by a certified C3PAO for most contracts (some allow a triennial self-assessment), with an annual affirmation.
Financial Services — GLBA Safeguards Rule

If your business is a financial institution under GLBA — including accountants, mortgage brokers, insurance companies, and tax preparation firms — the updated Safeguards Rule requires a formal written information security programme.

  • You must designate a qualified individual to oversee your information security programme.
  • You must conduct a written risk assessment.
  • You must implement encryption, MFA and access controls, and either continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months.
  • You must oversee your service providers' security practices by contract.
Retail & E-Commerce — PCI DSS v4.0.1

If your business accepts, processes, stores, or transmits payment card data, PCI DSS compliance is required by your card processor regardless of transaction volume.

→ PCI DSS v4 Resource Hub

  • All cardholder data must be identified and its storage minimised. Data that does not need to be stored must be deleted.
  • Your card data environment must be segmented from the rest of your network.
  • Quarterly external vulnerability scans by a PCI Approved Scanning Vendor and annual penetration testing are required for most merchants; which requirements apply depends on your SAQ type.
🚪 Staff Exit Security Checklist

Departing employees with active credentials are one of the most common and preventable security risks in small businesses. Complete this checklist for every staff departure — voluntary or otherwise. For involuntary departures, complete access revocation before or simultaneously with the conversation.

Departing Staff Member Details
Account & Credential Revocation
  • Email account disabled or access removed
  • Microsoft 365 / Google Workspace licence reassigned or removed
  • VPN and remote access revoked
  • Password manager access removed
  • Multi-factor authentication tokens deactivated
  • Any shared passwords the staff member knew have been changed
  • Cloud service accounts removed (e.g. AWS, Dropbox, Slack, accounting software)
  • CRM and customer data system access revoked
  • Social media account access removed (if applicable)
  • Any API keys or developer credentials revoked
Physical Security
  • Office keys or access cards returned
  • Company devices returned (laptop, phone, tablet, USB drives)
  • Returned devices wiped and re-imaged before reuse
  • Building alarm codes changed (if known by departing staff)
Data & Files
  • Company files transferred from personal devices to company storage
  • Work email forwarding disabled
  • Out-of-office message set and mailbox handed to manager
  • Company data confirmed removed from any personal cloud storage
Documentation
  • Exit interview completed
  • Confidentiality and NDA obligations confirmed in writing
  • This checklist signed off by manager or HR
🎣 Phishing Awareness — Staff Reference Guide

Phishing is the most common entry point for successful cyberattacks against small businesses. This reference guide is designed to be printed and shared with all staff, and to form the basis of a 15-minute team security briefing.

Red Flags — Stop Before You Click
  • Urgency or threats — "Your account will be suspended in 24 hours" / "Immediate action required"
  • Unexpected requests — Asking for passwords, payment, gift cards, or wire transfers out of the blue
  • Sender address doesn't match — The display name looks right but the actual email address is wrong (hover to check)
  • Lookalike domains — paypa1.com, micros0ft.com, amazon-support.net — one character off from the real thing
  • Generic greetings — "Dear Customer" or "Dear User" instead of your actual name
  • Unexpected attachments — Especially .zip, .exe, .docm files from unknown senders
  • Links that don't match — Hover over any link before clicking — the URL shown at the bottom of your browser is the real destination
  • Too good to be true — Refunds, prize notifications, or unclaimed parcels you weren't expecting
What To Do — The Right Response
  • Don't click, reply, or forward — Even replying confirms your email address is active
  • Report it immediately using your internal process (see Module 4 — Suspicious Email Reporting)
  • Preserve the email — Don't delete it; it's evidence
  • When in doubt, verify separately — If the email claims to be from your bank or a supplier, call them directly using a number you already have, not one in the email
  • If you clicked something — Report it immediately, don't wait. Disconnect from the network if instructed. Early action limits damage significantly
Running a 15-Minute Team Briefing
  1. Share a real example — Find a recent phishing email from your own inbox (sanitised) or use a published example from consumer.ftc.gov
  2. Walk through the red flags — Use the list above. Ask staff to spot what's wrong
  3. Confirm the reporting process — Make sure everyone knows who to call and how
  4. Answer questions — Common one: "What if I accidentally clicked?" — Reassure staff that reporting quickly is always the right move, no blame
  5. Record attendance — Document who attended for your Evidence Pack (Module 5)
Training Log
  • Team phishing briefing completed — Date:
  • Suspicious email reporting process distributed to all staff
  • All staff know who to report suspicious emails to
  • Follow-up briefing scheduled — Date:
📄 Incident Notification Letter Templates

Pre-written notification letters for use immediately following a cyber incident. Prepare and customise these before you need them — writing communications under pressure during an active incident leads to costly mistakes. Have your legal counsel review before sending.

Customer Notification Letter
Notify affected customers of a data breach
Regulatory Notification Letter
Notify regulators and authorities of a reportable incident
Board & Leadership Briefing
Brief your leadership team on the incident and response
Module 2 — Cyber Risk Exposure Snapshot
Most cybersecurity frameworks tell you what controls you should have. This module tells you how exposed your business is across the five attack vectors responsible for the overwhelming majority of small business incidents — and gives you three things you can do immediately for each one, at zero cost, to reduce that exposure right now.
1
Password Hygiene & Access Control
Attack Vector 1
Why This Matters Stolen or weak credentials are involved in the large majority of data breaches. Attackers buy lists of compromised usernames and passwords from dark web marketplaces — often for less than a dollar per account — and run automated tools that test those credentials against thousands of business applications simultaneously.

V1.1 Have any of your staff email addresses appeared in a known data breach? Check using the free tool at haveibeenpwned.com.

V1.2 Does your business use shared passwords for any system — including Wi-Fi, accounting software, or any cloud application?

V1.3 Does your business have any systems that still use their original default passwords — including routers, printers, or network-attached storage devices?

V1.4 Are there any former staff members who may still have active credentials to any business system?

Three Free Actions You Can Take Today
  • Check all business email addresses at haveibeenpwned.com and immediately change any passwords associated with accounts that have appeared in a breach.
  • Enable multi-factor authentication on your email platform, accounting software, and cloud storage. For Microsoft 365 and Google Workspace this takes less than 15 minutes and is free.
  • Audit your active user accounts across your key systems. Remove or disable any accounts belonging to former staff or vendors who no longer work with you.
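The third action, and questions V1.4 and P9 in Module 1, come down to one reconciliation: every enabled account should map to a current member of staff or to a documented service account with an owner. The Python below is an added example written for this guide, not TryCSC tooling. The HR roster and the account export are constructed sample data, the field names are assumptions about what your identity provider or SaaS admin console exports, and the 90-day dormancy window and AUDIT_DATE are placeholders.

```python
"""Access audit for V1.4 / P9: enabled accounts that should no longer exist.

Added example for this guide. It reconciles an HR roster against user
accounts exported from an identity provider or SaaS admin console. Both
lists are constructed sample data and the field names are assumptions.
"""
from datetime import date

ROSTER = [                         # from HR: current staff and leavers with their last day
    {"email": "alice@example.com", "status": "active"},
    {"email": "bob@example.com", "status": "left", "last_day": "2024-04-30"},
    {"email": "dave@example.com", "status": "left", "last_day": "2024-01-05"},
]
ACCOUNTS = [                       # from the identity provider export
    {"email": "alice@example.com", "enabled": True, "admin": False, "last_login": "2024-05-05"},
    {"email": "bob@example.com", "enabled": True, "admin": True, "last_login": "2024-05-03"},
    {"email": "svc-scanner@example.com", "enabled": True, "admin": False, "last_login": "2023-11-01"},
    {"email": "dave@example.com", "enabled": False, "admin": False, "last_login": "2024-01-04"},
]
# Assumption: service accounts are documented as {account: human owner}; empty until you do so.
KNOWN_SERVICE_ACCOUNTS = {}
AUDIT_DATE = date(2024, 5, 6)      # the day the audit is run (fixed here so the example is repeatable)


def audit_accounts(roster, accounts, today, dormant_days=90, service_accounts=KNOWN_SERVICE_ACCOUNTS):
    """Return (email, finding) pairs for enabled accounts that need action."""
    people = {p["email"].lower(): p for p in roster}
    findings = []
    for acct in accounts:
        email = acct["email"].lower()
        if not acct["enabled"]:
            continue                                    # already disabled: nothing to revoke
        person = people.get(email)
        last_login = date.fromisoformat(acct["last_login"])
        if person is None and email not in service_accounts:
            findings.append((email, "no matching person in HR roster and no documented service-account owner"))
        elif person is not None and person["status"] == "left":
            last_day = date.fromisoformat(person["last_day"])
            days_late = (today - last_day).days
            if days_late >= 1:                          # P9: revoke within 24 hours of departure
                findings.append((email, f"leaver still enabled {days_late} days after last day"))
            if last_login > last_day:
                findings.append((email, f"signed in on {last_login} after leaving"))
            if acct["admin"]:
                findings.append((email, "leaver still holds administrator rights"))
        if (today - last_login).days > dormant_days:
            findings.append((email, f"dormant: no sign-in for {(today - last_login).days} days"))
    return findings


if __name__ == "__main__":
    for email, finding in audit_accounts(ROSTER, ACCOUNTS, AUDIT_DATE):
        print(f"{email}: {finding}")
```

Run the same reconciliation against each system that holds its own user list (accounting software, CRM, cloud storage), not only the main directory, since those are the accounts that are forgotten at offboarding. A sign-in after the last day is the finding to escalate first: it means the credentials are still being used, by the leaver or by someone who obtained them.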
2
Unpatched Software & Firmware
Attack Vector 2
Why This Matters The US CISA publishes a list of Known Exploited Vulnerabilities — software flaws being actively used by attackers right now. The majority are vulnerabilities for which patches have been available for months or years. Attackers simply run automated scans looking for businesses still running the vulnerable version.

V2.1 Are all devices in your business running current, supported operating systems? Windows 10 reached end of support on 14 October 2025; any device still running it without Extended Security Updates, or running any older Windows version, represents an unpatched attack surface.

V2.2 Are all software applications — including accounting software, CRM platforms, website plugins, and browser extensions — kept up to date?

V2.3 When did your IT support last review and update the firmware on your routers, firewalls, and network-attached devices?

V2.4 Does your business have a documented process for applying security patches within a defined timeframe after they are released?

Three Free Actions You Can Take Today
  • Enable automatic updates on all Windows and macOS devices in your business. Do this today for every device you can access.
  • Log into your business router and check whether a firmware update is available. Most small business routers have an auto-update option — enable it.
  • Check the CISA Known Exploited Vulnerabilities catalogue and search for the names of your key business software applications.
3
Email Security Configuration
Attack Vector 3
Why This Matters Business Email Compromise is one of the most financially damaging attack types affecting small businesses. If your email domain is not correctly configured, anyone can send an email that appears to come from your domain. The technical controls that prevent this are free, take less than an hour to implement, and are currently missing from the majority of small business email domains.

V3.1 Does your email domain have an SPF record correctly configured? SPF tells receiving mail servers which servers are authorised to send email on behalf of your domain.

V3.2 Does your email domain have a DKIM record configured? DKIM adds a digital signature to outgoing emails that allows receiving servers to verify they have not been tampered with.

V3.3 Does your email domain have a DMARC policy configured? DMARC tells receiving mail servers what to do with emails that fail SPF or DKIM checks — and sends you reports on who is sending email from your domain.

V3.4 Does your business have a rule that all payment or banking change requests received by email must be verbally verified before any action is taken?

Three Free Actions You Can Take Today
  • Use the free tool at mxtoolbox.com to check whether your domain has SPF, DKIM, and DMARC records configured.
  • Ask your IT support or domain provider to publish a DMARC record. Start at p=none with a rua= reporting address to learn who is sending as your domain, then move to p=quarantine and on to p=reject once your legitimate senders pass SPF or DKIM; only quarantine or reject actually stops spoofed mail.
  • Implement a verbal verification rule for all payment and banking change requests today — this requires no technology, just a clear instruction to all staff.
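The checks a lookup tool performs on SPF and DMARC records are simple enough to run yourself, and knowing what they look for makes the tool's output easier to act on. The Python below is an added example written for this guide, not TryCSC's or mxtoolbox's code. The four records are constructed; to test your own domain, paste in the TXT records returned by `dig TXT yourdomain.com` and `dig TXT _dmarc.yourdomain.com`. DKIM is deliberately not evaluated: a published selector only shows that a key exists, and verifying the signature requires an actual signed message.

```python
"""Evaluate SPF and DMARC TXT records for the gaps V3.1-V3.3 describe.

Added example for this guide. The records at the bottom are constructed.
"""

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def evaluate_spf(record):
    """Return a list of weaknesses in an SPF record (empty list means no findings)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send as your domain"]
    terms = record.split()[1:]
    # The qualifier (+ - ~ ?) is optional and defaults to '+'; strip it to get the mechanism name.
    names = [t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower() for t in terms]
    findings = []
    lookups = sum(1 for n in names if n in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: the RFC 7208 limit is 10, so receivers return permerror")
    if "ptr" in names:
        findings.append("'ptr' mechanism is deprecated and slow; replace it with ip4/ip6 or include")
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of failing")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every server on the internet to send as your domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: spoofed mail is neither failed nor marked")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-case tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return a list of weaknesses in a DMARC record (empty list means enforced, with reporting)."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers will not quarantine or reject spoofed mail, and you get no reports"]
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine is a good interim step; move to p=reject once reports show no legitimate failures")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected while the main domain is enforced")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports on who sends as your domain")
    return findings


# Constructed records for illustration.
WEAK_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 +all"
GOOD_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, record, check in [("SPF", WEAK_SPF, evaluate_spf), ("SPF", GOOD_SPF, evaluate_spf),
                                 ("DMARC", WEAK_DMARC, evaluate_dmarc), ("DMARC", GOOD_DMARC, evaluate_dmarc)]:
        print(label, record, "->", check(record) or ["ok"])
```

Two of these findings are the ones that trip up small businesses most often: `+all` (sometimes left over from a "make it work" change) authorises anyone to send as you, and `p=none` looks like DMARC is done when it only collects reports. The ten-lookup limit matters because one extra `include:` for a new SaaS sender silently turns your whole SPF record into a permanent error.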
4
Third-Party & Vendor Access
Attack Vector 4
Why This Matters Supply chain attacks have become one of the fastest-growing threat vectors in the world. When attackers compromise a widely-used software vendor or managed service provider, they gain access to every business that trusts that vendor — often without those businesses knowing anything is wrong for weeks or months.

V4.1 Do you know exactly which suppliers, vendors, and software providers currently have access to your systems, network, or data?

V4.2 Do your contracts with key suppliers include specific requirements around security standards and breach notification obligations?

V4.3 Do your suppliers use multi-factor authentication to access your systems?

V4.4 When a supplier relationship ends, is their access formally reviewed and revoked as part of your offboarding process?

Three Free Actions You Can Take Today
  • List every supplier or vendor that has any form of access to your systems, data, or network — including IT support firms, cloud storage providers, and anyone with remote access credentials.
  • Review the access level of your three highest-risk vendors. Ask whether they have more access than they need, and if so, reduce it.
  • Check whether any former suppliers still have active credentials or remote access to your systems and revoke it immediately.
5
Backup Integrity & Recovery
Attack Vector 5
Why This Matters The final layer of protection against ransomware is the quality of your backups. Not whether backups exist — whether they are genuinely recoverable, genuinely isolated from live systems, and genuinely tested. A backup that has never been restored is not a backup. It is a hope. Ransomware operators now routinely target backup systems before deploying their encryption payload.

V5.1 Are your backups stored in a location that is completely separate from your live systems — meaning that an attacker who encrypts your live environment cannot also access and encrypt your backups?

V5.2 When did you last successfully restore data from your backup? Not run a backup — restore from it.

V5.3 If your primary business systems were completely unavailable tomorrow morning, how long would it take you to restore operations? Do you know?

V5.4 Does your backup system generate alerts or notifications if a backup fails or is not completed?

Three Free Actions You Can Take Today
  • Verify today that your most recent backup actually completed successfully. Log into your backup system and confirm the last successful backup date and the data it captured.
  • If your backups sit on a drive or share that is permanently connected to your business network, or in a cloud account reachable with the same administrator credentials an attacker would steal, move to an isolated backup solution: cloud backup under separate credentials with versioning or immutability enabled, or a drive physically disconnected between backup runs.
  • Schedule a backup restoration test in the next 30 days. Choose a non-critical file or folder, restore it from your backup, confirm it is complete and usable, and record the date and result.
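A restoration test is only evidence if it proves the restored data matches what was backed up, which is why a hash manifest written at backup time is worth keeping beside the archive. The Python below is an added example written for this guide, not TryCSC's tooling or any backup product's: it archives a folder with a SHA-256 manifest, restores it into a separate directory, verifies every file, and returns a record you can paste into the Evidence Pack. The files created inside run_restore_test() are constructed sample data, and the archive and directory names are placeholders.

```python
"""Backup restore test for V5.2 / RC2: prove the backup can actually be restored.

Added example for this guide. The folder contents in run_restore_test() are
constructed sample data.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive):
    return archive.parent / (archive.name + ".manifest.json")


def make_backup(source, archive):
    """Archive every file under `source` and record each file's hash beside the archive."""
    source = Path(source)
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_file(file)
            tar.add(str(file), arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(restore_dir, manifest):
    """Compare restored files with the manifest; the returned record is what goes in the test log."""
    restore_dir = Path(restore_dir)
    missing = [rel for rel in manifest if not (restore_dir / rel).is_file()]
    corrupt = [rel for rel in manifest
               if rel not in missing and sha256_file(restore_dir / rel) != manifest[rel]]
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": len(manifest),
        "missing": missing,
        "corrupt": corrupt,
        "result": "PASS" if not missing and not corrupt else "FAIL",
    }


def restore_and_verify(archive, restore_dir):
    """Extract into a fresh directory (never over the live data) and verify against the manifest."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tarfile.open(str(archive), "r:gz") as tar:
        # The 'data' filter (Python 3.12, backported to maintained 3.x releases) refuses absolute
        # paths and '..' entries, so a tampered archive cannot write outside restore_dir.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(str(restore_dir), **extra)
    return verify_restore(restore_dir, manifest)


def run_restore_test():
    """Self-contained demo on constructed files: a clean restore, then a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("date,amount\n2024-05-01,100.00\n")
        (live / "customers.txt").write_text("constructed sample record\n")
        archive = Path(tmp) / "backup.tar.gz"
        manifest = make_backup(live, archive)
        restore_dir = Path(tmp) / "restore"
        clean = restore_and_verify(archive, restore_dir)
        # Simulate a bad restore (a truncated file) to show the check catching it.
        (restore_dir / "customers.txt").write_text("")
        damaged = verify_restore(restore_dir, manifest)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=1))
```

Restore into a separate directory every time: a test that extracts over the live folder can itself cause the outage you are rehearsing for. Keep the manifest with the backup copy, not only on the live system, or an attacker who encrypts the live environment takes your proof with it.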
Exposure Snapshot Summary
Attack Vector | Exposure Level
Passwords & Access Control | Not assessed
Software & Firmware Patching | Not assessed
Email Security Configuration | Not assessed
Third-Party & Vendor Access | Not assessed
Backup Integrity & Recovery | Not assessed
Module 3 — Supplier Risk Register
Supply chain attacks are no longer a theoretical risk for small businesses. This module gives you a structured framework for assessing every key supplier and producing a ranked register that tells you who is acceptable, who needs monitoring, who needs remediation, and who needs to be replaced. Rate each criterion from 0 (Not in place / unknown) to 2 (Fully in place and documented).
Supplier Risk Register Summary
Supplier Name | Category | Score | Status | Action Required | Review Date
Supplier Risk Categorisation
20–24 — Acceptable. Meets a strong standard. Maintain with standard annual review.
14–19 — Monitor. Meaningful gaps in one or more criteria. Request improvements and schedule a follow-up review within six months.
8–13 — Remediate. Significant gaps representing material risk. Formal remediation actions should be agreed in writing within 30 days.
0–7 — Replace. Security posture is inadequate for the level of access. Begin identifying an alternative supplier.
Module 4 — Incident Response Playbook
This playbook walks you through the critical actions for the first 72 hours following a cyber incident. Read it before you need it. Print it and store a physical copy somewhere accessible offline — because if you need this playbook in an emergency, the systems you would normally use to find it may be the ones that are down.
PREPARE Before an Incident — Complete These Actions Now
Emergency Contact Card
Fill this in and keep a physical copy offsite and with key staff. These details must be accessible even if your primary systems are offline.
FBI Cyber Division: 1-800-CALL-FBI (1-800-225-5324) or ic3.gov  |  CISA: cisa.gov/report or 1-888-282-0870
Offline Documentation Checklist
Ensure these are accessible even if your systems are unavailable.
  • Physical or offline copy of this playbook — Stored at:
  • Physical copy of emergency contact card — Stored at:
  • Offline copy of critical system access credentials (sealed, kept in a safe, with a record of who can open it) — Stored at:
  • Physical or offline copy of your cyber insurance policy — Stored at:
Suspicious Email Reporting Process
Define and document your internal process for reporting suspicious emails before an incident occurs. Share this with all staff and post a printed copy near workstations.
Staff Procedure — What To Do When You Receive a Suspicious Email
  • Stop. Do not click any links, open any attachments, reply, or forward the email.
  • Check the sender address. Hover over the name to reveal the full email address. Look for lookalike domains (e.g. paypa1.com, micros0ft.com).
  • Look for red flags. Urgency, threats, unexpected requests for payment or credentials, generic greetings, or unexpected attachments.
  • Do not delete the email. Preserve it — it is evidence.
  • Report immediately using the reporting method above. Include the time received and a description of why it looks suspicious.
  • If you clicked a link or opened an attachment: stop what you are doing, disconnect from the network if instructed, and report immediately. Do not wait to see if anything happens.
PHASE 1 Hours 0–6: Contain, Preserve & Communicate Internally
Step 1 — Stay Calm and Call for Help
The worst thing you can do in the first minutes of a cyber incident is panic and start clicking. Call your IT support immediately. If you do not have IT support, call your cyber insurer's incident hotline — most cyber insurance policies include 24/7 incident response support.
Do not attempt to investigate or remediate the incident yourself unless instructed to by your IT support. Well-intentioned actions — deleting files, running antivirus scans, shutting down servers — can destroy evidence and make recovery harder.
Step 2 — Isolate Affected Systems
Disconnect affected devices from the network immediately — but do not turn them off unless instructed to by your IT support. Disconnecting from the network stops the spread of malware and prevents further data exfiltration. Turning devices off may destroy volatile memory evidence critical for understanding what happened.
Step 3 — Preserve Evidence
Do not delete anything. Do not run cleanup tools. Do not allow anyone to wipe or reimage affected devices until your IT support or insurer's forensics team has assessed them. Evidence preservation is a requirement for most cyber insurance claims and for any subsequent law enforcement investigation.
  • Evidence preservation log started
  • Screenshots taken of anything unusual on affected screens
  • Physical notes started (time, date, nature of everything observed)
Step 4 — Implement Communications Lockdown
Until you understand what has happened, do not communicate about the incident on any potentially affected system. Do not send emails from a compromised account. Do not post on social media. Do not tell customers or suppliers anything until you have assessed the situation and consulted your legal counsel and insurer. Agree an out-of-band channel for the response team, such as personal mobile phones or a messaging app on a device that was never connected to the affected network.
Step 5 — Identify the Scope
Work with your IT support to understand what systems, data, and accounts have been affected.
PHASE 2 Hours 6–72: Assessment & Notification Obligations
US Federal Notification Obligations
CIRCIA — Critical Infrastructure

Operators of critical infrastructure sectors must report significant cyber incidents to CISA within 72 hours. Ransom payments must be reported within 24 hours.

HIPAA Breach Notification

Notify affected individuals and HHS within 60 days of discovering a breach of unsecured PHI. If more than 500 individuals in a state are affected, notify prominent media outlets in that state.

State Breach Notification Laws

All 50 states have breach notification laws. You must comply with the law of every state in which affected individuals reside — not just the state where your business is located.

California — Notify without unreasonable delay (72 hours is best practice).
New York (SHIELD Act) — Notify ASAP; AG notification if 500+ NY residents affected.
Texas — Notify within 60 days if 250+ TX residents affected; AG notification required.
Florida — Notify within 30 days to individuals and FL Dept of Legal Affairs if 500+ FL residents affected.
SEC Disclosure Rule

Publicly listed companies must disclose material cyber incidents on Form 8-K within 4 business days of determining materiality.
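The clocks listed in this section start the moment an incident is discovered, and several of them run at once. The script below is an added example, not part of the TryCSC guide: it encodes the figures stated above as data and turns them into calendar dates for a given discovery time. It assumes business days skip only Saturday and Sunday (public holidays are not modelled), starts the SEC clock from a separately recorded materiality determination, and leaves any obligation for which this section gives no fixed clock (New York's "ASAP") undated. The sample incident it runs against is constructed for illustration, and the resulting dates are a worksheet for your legal counsel, not a substitute for them.

```python
"""Breach-notification deadline worksheet (added example, not part of the guide).

The deadlines listed in Phase 2 are encoded as data and converted into calendar
dates from the moment of discovery. Assumptions: business days skip only
Saturday and Sunday (public holidays are not modelled); the SEC clock runs from
a separately recorded materiality determination; where the guide gives no fixed
clock ("ASAP") the deadline is None. The sample incident is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Incident:
    discovered_at: datetime
    residents_by_state: dict = field(default_factory=dict)  # e.g. {"TX": 300}
    involves_phi: bool = False             # unsecured PHI -> HIPAA clocks
    critical_infrastructure: bool = False  # CIRCIA clocks
    ransom_paid_at: Optional[datetime] = None
    publicly_listed: bool = False          # SEC Form 8-K clock
    materiality_determined_at: Optional[datetime] = None


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by `days` business days, skipping weekends only (holidays ignored)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return current


def notification_deadlines(inc: Incident) -> list:
    """Return (obligation, deadline) pairs; a None deadline means no fixed clock."""
    d = inc.discovered_at
    out = []

    if inc.critical_infrastructure:
        out.append(("CIRCIA: report significant incident to CISA", d + timedelta(hours=72)))
        if inc.ransom_paid_at is not None:
            out.append(("CIRCIA: report ransom payment to CISA",
                        inc.ransom_paid_at + timedelta(hours=24)))

    if inc.involves_phi:
        out.append(("HIPAA: notify affected individuals and HHS", d + timedelta(days=60)))
        for state, n in inc.residents_by_state.items():
            if n > 500:  # more than 500 individuals in one state -> media notice
                out.append((f"HIPAA: notify prominent media in {state}", d + timedelta(days=60)))

    # State laws apply in every state where affected individuals reside.
    for state, n in inc.residents_by_state.items():
        if n <= 0:
            continue
        if state == "CA":
            out.append(("CA: notify individuals (72-hour best practice)", d + timedelta(hours=72)))
        elif state == "NY":
            out.append(("NY SHIELD: notify individuals as soon as possible", None))
            if n >= 500:
                out.append(("NY SHIELD: notify Attorney General", None))
        elif state == "TX":
            out.append(("TX: notify individuals", d + timedelta(days=60)))
            if n >= 250:
                # The guide gives one 60-day figure and the 250-resident AG threshold;
                # the same clock is applied to the AG notice here (assumption).
                out.append(("TX: notify Attorney General", d + timedelta(days=60)))
        elif state == "FL":
            out.append(("FL: notify individuals", d + timedelta(days=30)))
            if n >= 500:
                out.append(("FL: notify Dept of Legal Affairs", d + timedelta(days=30)))
        else:
            out.append((f"{state}: check that state's breach notification law", None))

    if inc.publicly_listed and inc.materiality_determined_at is not None:
        out.append(("SEC: Form 8-K disclosure",
                    add_business_days(inc.materiality_determined_at, 4)))

    # Soonest first; obligations without a fixed clock go last.
    return sorted(out, key=lambda item: (item[1] is None, item[1] or datetime.max))


def deadline_for(deadlines: list, prefix: str) -> str:
    """Formatted deadline of the first obligation whose label starts with `prefix`."""
    for label, when in deadlines:
        if label.startswith(prefix):
            return when.strftime("%Y-%m-%d %H:%M") if when else "ASAP"
    raise KeyError(prefix)


def example_incident() -> Incident:
    """Constructed scenario: public, HIPAA-covered, critical-infrastructure business."""
    t0 = datetime(2026, 3, 2, 9, 0)  # a Monday morning
    return Incident(discovered_at=t0,
                    residents_by_state={"TX": 300, "FL": 600, "CA": 10, "NY": 20},
                    involves_phi=True, critical_infrastructure=True,
                    publicly_listed=True, materiality_determined_at=t0)


if __name__ == "__main__":
    for label, when in notification_deadlines(example_incident()):
        print(f"{when.strftime('%Y-%m-%d %H:%M') if when else 'ASAP            '}  {label}")
```

Run it with your own discovery time and resident counts; the output is a sorted list of who must be told by when, which is the skeleton of the incident timeline you will need for Phase 3.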

Customer Notification Template
Use this as the basis for notifying affected customers. Have your legal counsel review it before sending.

Customer Notification Letter

Regulatory Notification Template

Regulatory Notification Letter

Law Enforcement Reporting
Reporting a cyber incident to law enforcement is not mandatory in most circumstances but is strongly recommended, particularly for ransomware incidents, business email compromise resulting in financial loss, and incidents involving theft of sensitive customer data.
FBI Cyber Division — IC3: ic3.gov — Primary federal law enforcement reporting mechanism.
CISA: cisa.gov/report or 1-888-282-0870 — Voluntary reports help build national threat intelligence.
PHASE 3 — Days 3–30: Recovery, Documentation & Lessons Learned
Incident Timeline
Document every significant event in chronological order, from the first sign of unusual activity through to full system restoration.
Date / Time | Event Description | Action Taken | Owner
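The evidence preservation log started in Phase 1 and the incident timeline above are the same record at different stages, and both will be scrutinised by your insurer's forensics team. The script below is an added example, not part of the TryCSC guide: it keeps that record in a form where every entry is chained to the previous one by a SHA-256 hash, so a later edit or deletion is detectable rather than silent. It assumes one log per incident, kept on a clean device rather than on any affected system, and the sample entries are constructed for illustration.

```python
"""Tamper-evident incident timeline (added example, not part of the guide).

Each entry carries the SHA-256 of the previous entry, so any later edit or
deletion breaks the chain and can be detected when the log is handed to the
insurer's forensics team. Keep the log on a clean device, never on an affected
system. The sample entries below are constructed for illustration.
"""
import csv
import hashlib
import io
import json
from datetime import datetime
from typing import Optional


class IncidentLog:
    GENESIS = "0" * 64  # previous-hash value for the first entry

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(prev_hash: str, body: dict) -> str:
        # Canonical JSON so the same entry always hashes the same way.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

    def append(self, event: str, action: str, owner: str,
               at: Optional[datetime] = None) -> dict:
        """Record an observation or action; `at` defaults to the current time."""
        body = {
            "time": (at or datetime.now()).strftime("%Y-%m-%d %H:%M"),
            "event": event,
            "action": action,
            "owner": owner,
        }
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {**body, "prev_hash": prev, "hash": self._digest(prev, body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("time", "event", "action", "owner")}
            if e["prev_hash"] != prev or e["hash"] != self._digest(prev, body):
                return False, i
            prev = e["hash"]
        return True, -1

    def to_rows(self) -> list:
        """Chronologically sorted rows using the guide's timeline columns."""
        header = ["Date / Time", "Event Description", "Action Taken", "Owner"]
        ordered = sorted(self.entries, key=lambda e: e["time"])
        return [header] + [[e["time"], e["event"], e["action"], e["owner"]] for e in ordered]

    def to_csv(self) -> str:
        """CSV export for the insurer's claim file or a board briefing appendix."""
        buf = io.StringIO()
        csv.writer(buf).writerows(self.to_rows())
        return buf.getvalue()


def build_sample_log() -> IncidentLog:
    """Constructed entries illustrating the Phase 1 steps."""
    log = IncidentLog("INC-EXAMPLE-001")  # placeholder identifier
    log.append("Staff member reports ransom note on shared drive",
               "Called IT support; insurer incident hotline engaged", "Ops Manager",
               datetime(2026, 3, 2, 9, 5))
    log.append("Three workstations show encrypted files",
               "Disconnected from network; left powered on", "IT Support",
               datetime(2026, 3, 2, 9, 20))
    log.append("Screenshots of ransom note captured",
               "Saved to offline evidence drive", "Ops Manager",
               datetime(2026, 3, 2, 9, 30))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.to_csv())
    print("Chain intact:", log.verify())
```

Append entries as events happen rather than reconstructing them afterwards; `to_rows()` sorts by time for presentation, but the hash chain records the order in which you actually wrote things down, which is what makes the log credible as evidence.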
Financial Loss Documentation
Root Cause Analysis
Board & Leadership Communication Template
Use this template to brief your board or leadership team. Keep it factual, concise, and confidential. Prepare it as soon as the immediate crisis is contained.

Incident Summary for Leadership Review — Confidential

30-Day Remediation Planning Worksheet
Based on the root cause analysis and lessons learned, document the specific security improvements to be implemented within the next 30 days.
Improvement 1
Improvement 2
Improvement 3
Module 5 — Evidence Pack: Compliance Documentation Summary
This section is designed to be completed and provided to your cyber insurer, enterprise clients, auditors, or regulatory bodies as evidence of your documented compliance programme. Complete Modules 1–4 first, then use this section to produce your summary document.
A — Business Details
B — Compliance Assessment Summary
C — Key Controls in Place

The following controls have been implemented and are actively maintained by this business. Select the current status of each control.

Multi-factor authentication on all critical systems
Business password manager deployed
All devices run supported, patched operating systems
Endpoint protection deployed on all devices
Email domain protected with SPF, DKIM, and DMARC
Critical data backed up daily to isolated location
Backup restoration tested within last 12 months
Supplier Risk Register maintained and current
Incident Response Playbook documented and accessible
Staff received security awareness training (last 12 months)
D — Known Gaps & Remediation Plan
E — Declaration
📅 Annual Review Reminder
This assessment should be reviewed annually or following any significant change to your business, systems, or suppliers. Regulations covered in this document — including CIRCIA, HIPAA notification rules, and state breach notification laws — are subject to amendment. Set a calendar reminder for 12 months from the date signed above to refresh and re-certify this document.

This document represents an accurate summary of the cybersecurity compliance programme maintained by this business as of the date stated above. It has been prepared in good faith and reflects the genuine security posture of the organisation to the best of the undersigned's knowledge.

This document is for self-assessment and planning purposes only. It does not constitute legal, regulatory, or professional cybersecurity advice. For advice specific to your circumstances, consult a qualified legal or cybersecurity professional.

Appendix of Supplementary Documents

The following supplementary documents should be attached to this Evidence Pack where available. Their existence and currency demonstrate a mature, documented compliance programme to insurers, clients, and regulators.

  • Written Information Security Policy (WISP)
  • Acceptable Use Policy
  • Hardware and software asset inventory
  • Completed Supplier Risk Register (Module 3)
  • Incident Response Playbook (Module 4)
  • Most recent backup restoration test record
  • Staff cybersecurity awareness training records
  • Cyber insurance policy schedule
  • Any sector-specific compliance documentation (HIPAA risk analysis, CMMC self-assessment, etc.)

© TryCSC 2026 — Cybersecurity Compliance for US Small Business — trycsc.com
Confidential — Licensed for single business use only. Unauthorised reproduction or distribution is prohibited.