Free Tool · Quantum Security
PQC Readiness Checklist Generator
Answer ten questions about your organisation and receive a personalised, prioritised checklist of post-quantum cryptography actions. Written for security and compliance leads who need a practical starting point, not a generic framework. Results appear on this page. No account required.
- 10 questions · under 5 minutes
- Covers governance, data, trust infrastructure, migration readiness
- Download a prioritised action checklist as a PDF
Your answers are used only to calculate your score. No email address, company name, or IP address is collected as part of this assessment. Anonymised scores are pooled with other responses to produce sector-level benchmarks, for example average scores across financial services organisations. Any PDF report you download is generated in your browser and is not stored on any server. You can choose to download the PDF report after the tool is completed. If you choose to enter your email address, that information is stored separately and only used to send you the updates you asked for.
What this tool collects
This tool collects your assessment answers and calculates a score. All of this happens in your browser. Your answers are not sent to a server for processing.
Anonymised benchmarking
The anonymised score from your assessment may be used to build sector-level benchmarks. For example: organisations in the financial services sector score an average of 54. No personal information, company name, or IP address is attached to this data. You cannot be identified from it.
What is not collected
Your IP address is not collected or stored. Your company name is not collected unless you choose to enter it when downloading a PDF report. Your email address is not collected unless you choose to provide it to receive updates.
PDF reports
If you choose to download a PDF report, it is generated entirely within your browser using your answers. The report is not sent to or stored on any server. Once you download it, the data stays with you.
Email addresses
An email address is only stored if you voluntarily opt in to receive notifications or updates. Providing your email address is never required to use this tool or to view your results. Your email address is not shared with third parties or used for advertising.
Third parties
Your data is not sold to third parties. Your data is not shared with advertising networks. Your data is not used for any purpose other than those described here.
What sector does your organisation operate in?
This helps tailor the checklist to the regulations and risks most relevant to your industry.
Your answers run entirely in your browser. Nothing is stored or transmitted.
How large is your organisation?
Size affects how many systems you are likely to have, and how complex a cryptographic inventory will be.
How long does the sensitive data your organisation holds need to remain confidential?
Think about the most sensitive data you hold — patient records, contracts, financial histories, proprietary research. How long must that data stay secret?
How sensitive is the data your organisation holds?
This is about the category of information, not just how much there is. Regulated data (medical records, financial data, personal identity data, classified information) is inherently more sensitive than general business data.
How much does your organisation depend on digital certificates, code signing, or device trust?
Certificate authorities issue the digital credentials that prove websites and services are genuine. Code signing proves that software has not been tampered with. Device trust verifies that hardware is authentic. You may depend on these even if you do not run your own systems.
Which best describes your IT environment?
This affects which systems need the most attention and how straightforward a migration is likely to be.
How heavily regulated is your organisation?
Some sectors have specific legal or contractual requirements to demonstrate quantum security readiness. This helps tailor the checklist to any compliance deadlines that apply to you.
How much legacy IT does your organisation have?
Legacy systems are older systems that are difficult to update or replace — mainframes, hardware security modules purchased before 2020, embedded systems with limited update capability, or bespoke industrial platforms.
How dependent is your organisation on third-party vendors for security-critical systems?
If key parts of your infrastructure are managed by suppliers — cloud providers, hardware vendors, software companies — your migration may depend on those suppliers acting first.
Where would you say your organisation currently is on PQC preparation?
Be honest — there is no wrong answer. The checklist will be most useful if it starts from where you actually are.
About this tool
This checklist generator uses a rule-based engine: your answers trigger specific actions from a library of 28 items, each with a suggested owner and priority. Items are grouped by type of work: governance, cryptographic visibility, trust infrastructure, vendor management, migration planning, and compliance.
The library reflects the NIST post-quantum cryptography migration guidance (NIST SP 800-208 and the published FIPS 203, 204, 205 standards), the UK NCSC's quantum-safe migration guidance, and Steven Vaile's advisory experience across government, defence, and financial services organisations.
This tool produces a prioritised starting point, not a full engineering audit. For a comprehensive cryptographic inventory and migration roadmap, contact Steven.