TS-RDC-05 Trust & Stewardship Risk, Data & Compliance CORE Compliance v2.9.7

Cyber-security baseline (NCSC Cyber Essentials – UK)

Assesses the implementation of foundational cyber security controls, fulfilling the Amānah (trust) to safeguard stakeholder data. This protects against common threats, ensures operational continuity, and upholds the principles of Ḥifẓ al-Māl (protection of wealth) and Ḥifẓ al-ʿIrd (protection of dignity/reputation). It operationalizes GDPR/DPA 2018 integrity and confidentiality duties (Art. 5(1)(f), Art. 32), prevents ḍarar (harm), and enables trustee oversight of material internal controls.

Assessment Questions
  1. How does the organization define and manage its internet boundary (firewalls) and asset inventory?
  2. What is the process for ensuring secure configuration and timely patching (within 14 days for high-risk vulnerabilities)?
  3. How are user accounts managed, and is MFA enforced for all admin and remote access?
  4. What is the backup strategy (3-2-1), and are restores tested quarterly?
  5. How does the organization assess and manage the security of its suppliers and cloud services?
  6. Describe the incident response process and how the decision to report to the ICO is made.
  7. How is device encryption and MDM compliance enforced for portable/BYOD devices?
Evidence Requirements
  • Cyber Essentials certificate (current).
  • MFA coverage report (from IdP/Admin console) showing >95% compliance.
  • Patch compliance report and exception register.
  • Backup logs and evidence of quarterly restore tests.
  • Incident Response playbook and record of last test/exercise.
  • Supplier due diligence packs and contract clauses (GDPR Art. 28).
  • BitLocker/FileVault compliance report and MDM policy.
  • Quarterly cyber risk report to trustees.
Scoring Guidelines
Level | Rating | Description
5 | 5/5 | Cyber Essentials Plus certified AND Excellence practices (vulnerability scanning, tabletop exercises, DMARC) evidenced.
4 | 4/5 | Cyber Essentials certified AND Mizan Baseline Extensions fully operational (MFA ≥95%, Patching ≥95%, quarterly restore tests passed).
3 | 3/5 | Cyber Essentials self-assessment passed and documented; basic controls in place.
2 | 2/5 | Cyber security plan in progress with some key controls in place.
1 | 1/5 | No structured cyber security effort or controls.

Discussion (1)

Administrator 2026-03-07 11:07:51.415252

📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json
