A Yearly Resilience MOT for Your Whole Business: Tech, People, Processes, and Suppliers
Every vehicle on Irish roads requires an annual roadworthiness test. The MOT is not a guarantee that the vehicle will never break down. It is a structured check that the most critical systems are functioning as they should — and that problems that have developed gradually, unnoticed, are identified before they cause a failure on a busy road.
A business resilience MOT is the same concept applied to your IT, your people, your processes, and your supplier relationships. Things change over the course of a year — staff join and leave, systems are added, suppliers are engaged, processes evolve — and the security and resilience posture that was appropriate at the start of the year may no longer be appropriate at the end of it.
An annual review, structured around the checklist below, takes half a day of management time and one to two hours of IT provider time. The return on that investment is a current, accurate picture of your resilience posture and an action list for the year ahead.
The Technology Checklist
- Patch status. Are all operating systems, applications, and firmware on current supported versions? Are there any devices running software approaching end of support in the next 12 months?
- MFA coverage. Is MFA enabled on all accounts — email, remote access, cloud services, financial platforms? Have any accounts been added in the past year without MFA being configured?
- Backup health. When was a restore test last completed? Is at least one backup copy stored in an immutable or offline location? What is the current recovery time objective, and is it acceptable?
- Endpoint protection. Is managed endpoint protection installed on every device with access to business systems, including devices used by remote workers?
- Conditional Access. If the business uses Microsoft 365 or Google Workspace, are Conditional Access policies in place to block access from unrecognised devices or unexpected locations?
- External attack surface. What services are currently accessible from the internet? Has anything been opened since the last review? Is every internet-facing service protected by MFA?
Could your IT provider produce answers to all of the above questions today, with evidence? If not, that gap is the starting point for your technology checklist. Book a free 20-minute strategy call — we run structured annual reviews for Irish SMEs that produce the checklist output above.
The People Checklist
- Joiners and leavers. Have all accounts for staff who left in the past year been fully disabled and access revoked across all systems? Have all new staff received a security awareness briefing? Have their accounts been created with appropriate access levels — no more than their role requires?
- Access review. Does every current staff member have access only to the systems and data required for their role? Has any staff member's role changed in a way that should trigger an access review?
- Security awareness. When was the most recent security awareness briefing delivered? Has the content been updated to reflect current threats — specifically, does it cover QR code phishing, AI voice cloning, and infostealer malware?
- Incident response roles. Are the named roles in the incident response plan still accurate? Has anyone left whose role in the plan has not been reassigned?
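The joiners-and-leavers, access review and MFA coverage questions above are answered most reliably by reconciling an HR leaver list against an export of the identity directory rather than by asking people to recall. The following script is an added example, not part of the original article; the review dates, leaver list and directory export are all constructed, and a real export (Entra ID, Google Workspace or Active Directory) would be loaded in place of the inline data.

```python
"""Cross-check constructed HR and directory exports for the annual review."""
from collections import namedtuple
from datetime import date, timedelta

REVIEW_DATE = date(2025, 1, 14)  # this year's review (constructed)
LAST_REVIEW = date(2024, 1, 15)  # last year's review (constructed)

# Constructed HR leaver list: username -> leaving date.
HR_LEAVERS = {"dmurphy": date(2024, 3, 31), "sokeefe": date(2024, 9, 6)}

# Constructed directory export; real ones (Entra ID, Google Workspace, AD)
# expose the same fields under their own column names.
Account = namedtuple("Account", "user enabled created mfa last_login")
DIRECTORY = [
    Account("abyrne", True, date(2021, 5, 3), True, date(2025, 1, 10)),
    Account("dmurphy", True, date(2019, 2, 11), True, date(2024, 3, 30)),
    Account("sokeefe", False, date(2020, 8, 1), False, date(2024, 9, 5)),
    Account("lwalsh", True, date(2024, 6, 17), False, date(2025, 1, 13)),
    Account("finance-shared", True, date(2018, 1, 9), False, date(2024, 7, 2)),
]

def leavers_still_enabled(directory, leavers):
    """Leaver accounts never disabled (joiners and leavers item)."""
    return sorted(a.user for a in directory if a.user in leavers and a.enabled)

def enabled_without_mfa(directory):
    """Active accounts with no MFA enrolled (MFA coverage item)."""
    return sorted(a.user for a in directory if a.enabled and not a.mfa)

def new_since_review_without_mfa(directory, last_review):
    """Accounts created since the last review and still without MFA."""
    return sorted(a.user for a in directory
                  if a.enabled and a.created > last_review and not a.mfa)

def dormant_accounts(directory, review_date, days=90):
    """Enabled accounts unused for `days` or more: access review candidates."""
    cutoff = review_date - timedelta(days=days)
    return sorted(a.user for a in directory if a.enabled and a.last_login < cutoff)

def review_findings(directory=DIRECTORY, leavers=HR_LEAVERS,
                    last_review=LAST_REVIEW, review_date=REVIEW_DATE):
    """Each list is the written, evidence-backed answer a checklist question asks for."""
    return {
        "leavers_still_enabled": leavers_still_enabled(directory, leavers),
        "enabled_without_mfa": enabled_without_mfa(directory),
        "new_since_review_without_mfa": new_since_review_without_mfa(directory, last_review),
        "dormant_accounts": dormant_accounts(directory, review_date),
    }
```

On the constructed data the leaver dmurphy is still enabled, the shared finance account and the joiner lwalsh have no MFA, and two enabled accounts have not signed in for over 90 days; each finding maps directly to one checklist question and its owner.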
The Process Checklist
- Payment security. Is the dual authorisation process for payments above the defined threshold consistently applied? When was the call-back verification procedure for bank changes last tested?
- Incident response plan. When was the incident response plan last reviewed and updated? Has a tabletop exercise been completed in the past 12 months?
- Business continuity plan. Does the business continuity plan reflect the current business — current staff, current systems, current suppliers? When was it last tested?
- Data register. Does the data register accurately reflect what personal data the business currently holds and why? Have any new data processing activities started in the past year that are not reflected?
- Regulatory obligations. Have any changes in the business's sector, size, or client base changed its NIS2 or GDPR scope? Are all notification procedures still current?
The Supplier Checklist
- IT provider review. When was the IT provider's security posture last formally reviewed? Have they had any incidents in the past year? Is the service level agreement current and enforced?
- Third-party access audit. Have all third-party access permissions been reviewed? Are there any former suppliers, contractors, or software vendors with residual access that should be revoked?
- Cyber insurance review. Is the current policy still adequate for the business's risk profile? Have the technical requirements of the policy been confirmed as met? Is the coverage limit appropriate given current revenue?
- Cloud and SaaS applications. What cloud applications currently have OAuth access to business systems? Have any been added in the past year without formal approval?
Why an Annual Review Matters More Than a One-Time Fix
Security posture is not a fixed state. Every change in your business — every new staff member, every new system, every new supplier, every new working practice — creates a potential change in your security and resilience posture. A one-time security project, however thorough, becomes less relevant as the business evolves.
The annual resilience MOT is the mechanism that keeps your security posture current. It creates accountability — the checklist from last year's review can be compared against this year's to measure progress. It surfaces gradual drift — things that have changed incrementally and unnoticed. And it ensures that the investment made in getting the basics right does not erode over time through the ordinary operation of the business.
What Next
Schedule the annual resilience review now. Block half a day in the management calendar, ideally at the same time each year — the start of the financial year, or the same quarter as your business's annual planning cycle.
Send the technology checklist to your IT provider. Ask for written answers to each question, with evidence. Evaluate the quality and completeness of the response as part of your supplier review.
Use the output to create a prioritised action list for the year ahead. Three to five specific improvements, in priority order, with named owners and target completion dates.
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.
Related Reading
- The 10-Minute Security Review Every Donegal Business Should Do Every Quarter
- A Simple Risk Assessment Method for Busy Owners: Ranking Your Top Assets and Threats
- Building a Simple Dashboard to Track Your Security and Resilience Progress
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.