Ransomware Readiness: The 20-Question Assessment Every CISO Should Run
Jeff Sowell · 2026-04-12 · Risk Management
Ransomware readiness assessment with 20 critical questions mapped to CIS Controls. Evaluate your prevention, detection, response, and recovery posture before attackers do.
Why a Structured Ransomware Assessment Matters
Ransomware is not a new threat. What is new is how systematically attackers exploit gaps that organizations never bothered to measure. Most companies assume they are prepared because they have backups and antivirus. That assumption is how breaches happen.
A structured assessment forces you to evaluate your posture across the entire attack lifecycle — not just whether you can restore files, but whether you can prevent initial access, detect lateral movement, contain the blast radius, and recover operations under pressure. Without a structured approach, you end up with blind spots in exactly the places ransomware operators target.
The 20 questions below are organized into four phases: Prevent, Detect, Respond, and Recover. Each question maps to one or more CIS Controls so you can trace your readiness back to an established framework. If you already maintain a risk register, these questions will help you identify which risks need updated scoring or new mitigation tasks.
How This Assessment Is Organized
Each question includes context explaining why it matters and a CIS Control mapping so you can connect your answers to framework requirements. Answer each question honestly: Yes (fully implemented), Partial (started but incomplete), or No (not implemented). Partial answers count — they show you where to focus next.
This assessment pairs well with automated evidence collection because many of these controls generate artifacts that serve double duty for compliance audits.
Phase 1: Prevent (Questions 1-10)
Prevention is about reducing the attack surface before ransomware gets a foothold. These 10 questions cover the controls that stop most commodity ransomware campaigns.
Question 1: Do you maintain a current inventory of all hardware and software assets?
You cannot protect what you do not know exists. Shadow IT, unmanaged endpoints, and forgotten cloud instances are the entry points ransomware operators love. Asset inventory is the foundation of every other control on this list.
CIS Control mapping: CIS 1 (Inventory and Control of Enterprise Assets), CIS 2 (Inventory and Control of Software Assets)
Question 2: Are all operating systems and third-party applications patched within a defined SLA?
Unpatched vulnerabilities remain the most common initial access vector for ransomware. Your patch SLA should define timeframes based on severity — critical vulnerabilities patched within 72 hours, high within two weeks, and so on.
CIS Control mapping: CIS 7 (Continuous Vulnerability Management)
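As an added example (not part of the original article), the following Python check applies the SLA thresholds above to a set of constructed scanner findings and reports which hosts are currently in breach; the medium-severity threshold and the Yes/Partial/No mapping are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# SLA thresholds from the assessment: critical within 72 hours, high within two weeks.
# The medium threshold is an assumption added for illustration.
SLA_BY_SEVERITY = {"critical": timedelta(hours=72), "high": timedelta(days=14),
                   "medium": timedelta(days=30)}  # medium: assumption, not on the page

def sla_status(finding, now):
    """met / late (patched after deadline) / breached (unpatched, overdue) / open_in_sla / unscoped."""
    sla = SLA_BY_SEVERITY.get(finding["severity"].lower())
    if sla is None:
        return "unscoped"          # severities without an SLA are reported, not scored
    deadline = finding["detected"] + sla
    patched = finding.get("patched")
    if patched is None:
        return "open_in_sla" if now <= deadline else "breached"
    return "met" if patched <= deadline else "late"

def sla_report(findings, now):
    """Summarise status counts, list hosts currently in breach and derive the Yes/Partial/No answer
    (mapping is an assumption: No = any breach, Partial = late patches only, Yes = neither)."""
    counts = {k: 0 for k in ("met", "late", "breached", "open_in_sla", "unscoped")}
    breached_hosts = set()
    for f in findings:
        status = sla_status(f, now)
        counts[status] += 1
        if status == "breached":
            breached_hosts.add(f["host"])
    scoped = sum(v for k, v in counts.items() if k != "unscoped")
    compliant = counts["met"] + counts["open_in_sla"]
    pct = round(100.0 * compliant / scoped, 1) if scoped else 100.0
    answer = "No" if counts["breached"] else ("Partial" if counts["late"] else "Yes")
    return {"counts": counts, "breached_hosts": sorted(breached_hosts),
            "compliance_pct": pct, "answer": answer}

def _d(s):  # ISO date -> timezone-aware UTC datetime at midnight
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample findings (not real data), shaped like a vulnerability scanner export.
SAMPLE_FINDINGS = [
    {"host": "ws-01", "severity": "critical", "detected": _d("2026-03-01"), "patched": _d("2026-03-02")},
    {"host": "srv-02", "severity": "critical", "detected": _d("2026-03-01"), "patched": _d("2026-03-06")},
    {"host": "srv-03", "severity": "high", "detected": _d("2026-03-20"), "patched": None},
    {"host": "ws-04", "severity": "high", "detected": _d("2026-04-05"), "patched": None},
    {"host": "db-05", "severity": "medium", "detected": _d("2026-02-01"), "patched": None},
    {"host": "ws-06", "severity": "informational", "detected": _d("2026-04-01"), "patched": None},
]
NOW = _d("2026-04-12")  # assessment date used for the sample run
```

Running `sla_report(SAMPLE_FINDINGS, NOW)` on the sample yields two hosts in breach (srv-03, db-05), one late critical patch, and therefore a "No" for this question, which is the kind of evidence a risk register entry can cite.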
Question 3: Is multi-factor authentication enforced on all remote access, email, and privileged accounts?
MFA defeats the majority of credential-based attacks. If your VPN, email, cloud admin consoles, or RDP sessions allow single-factor authentication, you have an open door.
CIS Control mapping: CIS 6 (Access Control Management)
Question 4: Do you enforce the principle of least privilege across all user account