CPCSC Self-Assessment Prep Worksheet

Eight questions to run before you sign a CPCSC Level 1 self-attestation. Print this page or fill it in on screen. For each question, record where you stand today, what evidence backs it up, and any gap you still need to close.

This is a readiness checkpoint, not the final gate. Use it to identify and rank the gaps you need to close before any executive signature.

  1. Have we mapped every system that stores, processes, or transmits Specified Information? Include remote-work endpoints, mobile devices, backups, third-party SaaS, and shadow IT.

    Current state
    Evidence record
    Gap
  2. Can we produce, within 30 minutes, current evidence for each of the 13 controls?

    Current state
    Evidence record
    Gap
  3. Has every shared account been eliminated or formally documented as a managed service account?

    Current state
    Evidence record
    Gap
  4. Is MFA enforced for privileged accounts on systems that store, process, or transmit Specified Information? Pilotcore recommends MFA for all in-scope standard accounts.

    Current state
    Evidence record
    Gap
  5. Have we verified the compliance status of every subcontractor handling Specified Information?

    Current state
    Evidence record
    Gap
  6. If qualified legal counsel is retained, has counsel completed a legal-risk review of the evidence package before executive signature? This review is an optional internal safeguard, not a CPCSC Level 1 condition.

    Current state
    Evidence record
    Gap
  7. Do we have a written process for updating the attestation when our security posture changes?

    Current state
    Evidence record
    Gap
  8. Which organisation-defined parameters have we set? Include the inactive-account disablement period, MFA re-authentication triggers, review frequency, scan frequency, and who approves changes.

    Current state
    Evidence record
    Gap
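Questions 2, 3, 4 and 8 are easiest to answer when the evidence record is generated rather than assembled by hand. The script below is an added example, not part of this worksheet and not Pilotcore's or CPCSC's own tooling: it runs the shared-account, privileged-MFA and inactive-account checks over a constructed account inventory using organisation-defined parameters that are assumed values for illustration. The field names, the 45-day disablement period, and the choice to apply the MFA check only to interactive user accounts (not service accounts) are all assumptions; substitute your own export and your own parameters.

```python
"""Evidence check for worksheet questions 3, 4 and 8 (added example, not page code)."""
from datetime import date

# Organisation-defined parameters (question 8). The numbers are assumptions
# for this example, not CPCSC-mandated values.
PARAMS = {
    "inactive_disable_days": 45,    # enabled accounts idle longer than this are a gap
    "require_mfa_standard": True,   # Pilotcore's recommendation; reported as advisory
}

# Constructed account inventory; every name, date and owner here is invented.
# type: "user" (interactive), "shared" or "service"; in_scope: account can reach
# systems that store, process or transmit Specified Information.
INVENTORY = [
    {"name": "alice", "type": "user", "privileged": True, "mfa": True,
     "in_scope": True, "enabled": True, "last_login": date(2024, 5, 20), "owner": None},
    {"name": "bob", "type": "user", "privileged": True, "mfa": False,
     "in_scope": True, "enabled": True, "last_login": date(2024, 5, 18), "owner": None},
    {"name": "carol", "type": "user", "privileged": False, "mfa": False,
     "in_scope": True, "enabled": True, "last_login": date(2024, 2, 1), "owner": None},
    {"name": "helpdesk", "type": "shared", "privileged": False, "mfa": False,
     "in_scope": True, "enabled": True, "last_login": date(2024, 5, 21), "owner": None},
    {"name": "svc-backup", "type": "service", "privileged": True, "mfa": False,
     "in_scope": True, "enabled": True, "last_login": date(2024, 5, 21), "owner": "it-ops"},
    {"name": "svc-legacy", "type": "service", "privileged": False, "mfa": False,
     "in_scope": True, "enabled": True, "last_login": date(2024, 5, 21), "owner": None},
    {"name": "dave", "type": "user", "privileged": False, "mfa": True,
     "in_scope": False, "enabled": True, "last_login": date(2023, 1, 1), "owner": None},
]

TODAY = date(2024, 5, 22)  # fixed so the example is reproducible


def find_gaps(inventory, params, today):
    """Return (account, question, severity, reason) tuples for in-scope accounts.

    severity is "gap" (blocks attestation) or "advisory" (recommended, not required).
    """
    findings = []
    for acct in inventory:
        if not acct["in_scope"]:
            continue  # out-of-scope accounts produce no evidence line
        name = acct["name"]

        # Question 3: shared accounts must be eliminated or documented as
        # managed service accounts with a named owner.
        if acct["type"] == "shared":
            findings.append((name, 3, "gap",
                             "shared account not eliminated or converted to a documented service account"))
        elif acct["type"] == "service" and not acct["owner"]:
            findings.append((name, 3, "gap", "service account has no documented owner"))

        # Question 4: MFA on privileged interactive accounts is required;
        # MFA on standard accounts is reported as advisory (assumption: service
        # accounts are excluded from the interactive MFA check).
        if acct["type"] == "user" and not acct["mfa"]:
            if acct["privileged"]:
                findings.append((name, 4, "gap", "privileged account without MFA"))
            elif params["require_mfa_standard"]:
                findings.append((name, 4, "advisory", "standard account without MFA"))

        # Question 8: the organisation-defined inactive-account disablement period.
        idle_days = (today - acct["last_login"]).days
        if acct["enabled"] and idle_days > params["inactive_disable_days"]:
            findings.append((name, 8, "gap",
                             f"enabled but idle {idle_days} days "
                             f"(limit {params['inactive_disable_days']})"))
    return findings


def attestation_ready(findings):
    """True when no finding carries 'gap' severity; advisories do not block."""
    return not any(sev == "gap" for _, _, sev, _ in findings)


def run_check():
    """Run the checks over the constructed inventory and return the findings."""
    return find_gaps(INVENTORY, PARAMS, TODAY)


if __name__ == "__main__":
    results = run_check()
    for name, question, severity, reason in results:
        print(f"Q{question} [{severity}] {name}: {reason}")
    print("ready to sign:", attestation_ready(results))
```

Each line of output is a candidate entry for the Evidence record or Gap column of the matching question; the script's inputs (the inventory export and the parameter file) are the evidence that question 2 asks you to produce on demand.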