EFROS

Resources

Real tools from real engagements.

Checklists, scorecards, and runbook templates we use on client engagements. Free, editable, grounded in operating reality rather than vendor marketing frameworks. Use them as-is, adapt them, or borrow what's useful.

By Stefan Efros, CEO & Founder, EFROSReviewed by Daniel Agrici, Chief Security Officer, EFROS
Reviewed by CSO ·

Why we publish these

The compliance and security industry runs on gated whitepapers and slide decks built to capture emails rather than inform practitioners. The resources below are the opposite. These are the exact working documents we use on client engagements, published for anyone who needs a starting point that isn't marketing.

How to use them

Each resource is a browser-ready page with print-friendly formatting. Open it, work through it, print it to PDF if you want a saved copy. No forms, no email capture, no drip campaign. If you want help applying any of them in your environment, the free assessment is where that conversation starts.

Compliance

SOC 2 Type II Readiness Checklist

The exact 80-control checklist we use to evaluate SOC 2 readiness on client engagements. Mapped to the 2017 Trust Services Criteria, with evidence guidance per control and a scoring model that tells you whether you're 6 months or 12 months from a clean audit.

Self-paced · 80 controlsOpen →

Compliance

CMMC Level 2 Readiness Scorecard

Self-assessment scorecard for all 110 NIST SP 800-171 controls, with the exact evidence expectations a CMMC Level 2 C3PAO assessor will look for. Includes the common interpretation gaps that cause assessments to fail on first attempt.

Self-paced · 110 controlsOpen →

Cybersecurity

Incident Response Runbook Template

Editable runbook template aligned to NIST SP 800-61. Covers ransomware, business email compromise, insider threat, and supply-chain compromise scenarios with the decision points, role assignments, and evidence-preservation steps we use in real incidents.

Template · 60+ decision pointsOpen →

Third-Party Risk

Vendor Risk Questionnaire

The 60-question vendor risk questionnaire we use on third-party risk assessments. Covers security controls, compliance certifications, subcontractor use, data handling, incident notification, and the business continuity questions most SIG Lite templates miss.

60 questions · 4 sectionsOpen →