Security baseline checklist for small B2B teams
This page is a working checklist derived from our long-form article. It is not legal advice or a certification program (SOC 2, ISO 27001, HIPAA, and similar programs need qualified assessors and counsel). Use it to reduce common failures while you grow.
For narrative, examples, and the baseline vs. certification table, read the full post: A practical security baseline for small B2B teams. Pair with lightweight vendor security reviews when questionnaires show up.
Want help implementing this baseline?
This checklist is educational. If you need someone to own identity hygiene, vendor reviews, and the glue between tools—not just a PDF—book a call or start a scoped retainer conversation. Prefer to try the workspace first? Create a free account and run onboarding tasks with your team.
Identity
- Company-owned SSO for core SaaS where available; joiners and leavers governed in one place.
- Phishing-resistant MFA on email and cloud admin consoles—not SMS-only on critical surfaces.
- Separate admin personas from day-to-day mailboxes where feasible; fewer humans with super-admin.
- Break-glass recovery documented and tested (not improvised during an outage).
Devices and endpoints
- Disk encryption, supported OS baseline, screen lock, and remote wipe on every laptop.
- Update the device inventory when someone buys a device at retail and uses it to log into company systems.
- Production secrets not stored in local notes—use a secrets manager or vendor-native storage.
Backups and recovery
- A named owner for what is backed up, its retention period, and its encryption at rest and in transit.
- Quarterly restore tests for datasets that would stop revenue or break customer trust if lost.
- Runbooks for accidental deletion, ransomware suspicion, and point-in-time restore requests.
Vendor access and third parties
- Vendor register: what each tool touches (PII, financials, production), internal owner, renewal date.
- Least privilege on integrations—OAuth scopes, service accounts, API keys reviewed when projects end.
- SSO or MFA for vendors holding sensitive data; avoid shadow IT card subscriptions that bypass review.
Logging and incidents
- Centralized authentication logs where feasible; alerts on impossible travel (two logins too far apart for the time elapsed between them) or new admin activity.
- One-page incident checklist: who is on call, how to contain credential risk, where customer comms templates live.
- Know who to call for forensics before you need them at 2 a.m. on a Sunday.
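As an added example (not code from the post), this is a minimal version of the impossible-travel and new-admin alerts in the checklist above, run over a few constructed authentication events. The event tuple format, the 900 km/h speed threshold, the 50 km jitter floor and the known-admin list are all assumptions.

```python
import math
from datetime import datetime

# Constructed sample events (not real logs): user, UTC timestamp, latitude, longitude, action.
EVENTS = [
    ("alice", "2024-05-01T09:00:00", 51.5074, -0.1278, "login"),     # London
    ("alice", "2024-05-01T09:45:00", 40.7128, -74.0060, "login"),    # New York, 45 min later
    ("bob",   "2024-05-01T10:00:00", 48.8566, 2.3522, "login"),      # Paris
    ("bob",   "2024-05-01T18:00:00", 52.5200, 13.4050, "login"),     # Berlin, 8 h later
    ("carol", "2024-05-01T11:00:00", 37.7749, -122.4194, "role_grant:super_admin"),
]

MAX_SPEED_KMH = 900.0   # assumed: roughly airliner speed; faster implies shared or stolen credentials
MIN_DISTANCE_KM = 50.0  # assumed: ignore small jumps caused by IP geolocation jitter

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def find_alerts(events, known_admins):
    """Return (user, alert_kind, detail) tuples for impossible travel and unexpected admin grants."""
    alerts = []
    last_seen = {}  # user -> (timestamp, lat, lon) of the previous login
    for user, ts, lat, lon, action in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if action.startswith("role_grant:") and user not in known_admins:
            alerts.append((user, "new_admin", action.split(":", 1)[1]))
        if action == "login":
            if user in last_seen:
                prev_t, prev_lat, prev_lon = last_seen[user]
                hours = (t - prev_t).total_seconds() / 3600
                km = haversine_km(prev_lat, prev_lon, lat, lon)
                speed = km / max(hours, 1e-6)  # simultaneous logins far apart also count
                if km > MIN_DISTANCE_KM and speed > MAX_SPEED_KMH:
                    alerts.append((user, "impossible_travel", round(speed)))
            last_seen[user] = (t, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS, known_admins={"ops-admin"}):
        print(alert)
```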
Track vendor tasks and delivery in one place
We use a free account strategy for this resource: no email gate—bookmark or print this page. When you want onboarding tasks, tickets, contracts, and webhooks in one workspace, create an account (no card required) and invite your team.