
Minimum security baseline checklist for small teams

A practical checklist for freelancers, solo founders and tiny companies — MFA, admin ownership, shared passwords, devices, offboarding and the boring basics that stop most real-world breaches.

Published May 4, 2026 • Updated May 4, 2026

Daniel P. · Tech Lead Senior Software Engineer · Oslo, Norway
What you get

A written baseline you can revisit quarterly: who has keys, what is protected, and what to fix first without hiring a full security team.

How to use this checklist

You do not need a security operations center to get past amateur-hour risk. Most damage we see in small teams comes from one shared password, no second factor on email, or an ex-contractor who still has Slack admin.

This list is a baseline — not ISO paperwork. Run it once, write answers in a single doc, then schedule a 20-minute review every quarter.

The four passes

Work through the checklist in order:
  1. Identity: Email, MFA, password manager — who can log in as the company.
  2. Ownership: Billing, domain, registrar and org admins — who holds the keys.
  3. Devices & data: Disk encryption, backups, screen lock — what walks out the door on a laptop.
  4. People movement: Onboarding defaults and offboarding that actually revokes access.
1Password
Best for: Teams wanting polish and support

Team vaults, shared items, guest access and audit-friendly structure. Common default for funded startups and agencies.

Bitwarden
Best for: Budget-conscious and self-host shops

Open-source-friendly password management with self-host options for technical teams.

Google Workspace
Best for: Teams standardizing on Google

Org-wide MFA enforcement, admin audit logs and centralized identity when email already lives on Gmail for Work.

Pick one password standard for the whole team. Personal sticky notes and browser-only vaults do not scale past one person.

Pass 1: Identity and MFA

  • Company email is not forwarded into a personal inbox without MFA on both sides.
  • Multi-factor authentication (MFA) is on for email, cloud storage, code hosting, domain registrar and payroll — not optional “later.”
  • Hardware keys or app MFA is chosen for at least the 3–5 highest-risk accounts (email admin, Stripe/PayPal, DNS, source control owner).
  • No shared “company login” passwords stored in Slack or email — shared credentials live only in the team password manager with rotated secrets.
  • Break-glass credentials for the domain and cloud root account exist, are offline or sealed, and two people know how to reach them.

Pass 2: Ownership and admin sprawl

  • Domain registration and DNS hosting are not on someone’s personal card with no documented transfer path.
  • Billing owners are named people — not “info@” with nobody monitoring it.
  • Each critical app has two admins where the product allows it (email, GitHub org, cloud host, payroll).
  • API keys and integration secrets are labeled with owner and rotation date in the password manager or secrets store.
  • No ex-employee or contractor retains org-owner, billing-owner or domain-admin rights — verify in writing after every exit.

Who must always have a named human owner

  • Domain & DNS: Registrar login + DNS panel + renewal alerts to a real inbox.
  • Cloud root / org admin: AWS, GCP, Azure or platform-vendor org owner role.
  • Money movement: Stripe, bank portal, payroll, invoice tool with approval trail.
  • Source & deploy: Git org owners, CI secrets, production deploy keys.
  • Comms identity: Workspace admin, Slack owner, shared inboxes.
  • Client data stores: CRM, project tool exports, backup buckets with client PII.

If a row says “we all have access,” you have no owner — fix that before buying more software.

Pass 3: Devices and data

  • Full-disk encryption is on for every laptop that holds client or company data (FileVault, BitLocker, Linux equivalent).
  • Screen lock timeout is aggressive enough that a café table does not equal a breach (≤ 5 minutes for most roles).
  • Automatic OS updates are enabled or someone owns a weekly patch ritual — pick one.
  • Backups exist for files that are not fully in cloud SaaS (local design files, raw video, exports). Test a restore once a year.
  • Company data on personal phones is limited; where it exists, the device has lock + remote wipe or data lives only in managed apps.

Pass 4: Onboarding, offboarding and vendors

  • New hires and contractors get least-privilege access on day one — add roles when needed, not “admin by default.”
  • Offboarding checklist revokes email, SSO, GitHub, Slack/Teams, CRM and shared vault access within 24 hours of end date.
  • Shared channel hygiene: Google Drive links and Notion pages are not “anyone with link” for sensitive client folders unless clients require it.
  • You know which vendors hold customer data and have skimmed their security page before complaints arrive — align with your annual contract checklist when spend is high.
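The ownership checks in Pass 2 and the 24-hour revocation rule in Pass 4 can be run mechanically against a written access inventory. The following is an added example, not code from the original page: it audits a constructed inventory for systems with fewer than two admins, owners that are not named humans, ex-members still holding admin past the 24-hour window, and integration secrets without an owner label or past their rotation date. The system names, people, dates and the one-year rotation policy are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Owner values that mean nobody owns the account: the page's "we all have access" and "info@" cases.
GENERIC_OWNERS = {"everyone", "we all have access", "info@"}
ROTATION_MAX = timedelta(days=365)   # assumed policy: integration secrets rotate at least yearly
REVOKE_WITHIN = timedelta(hours=24)  # Pass 4: access is gone within 24 hours of the end date

@dataclass
class System:
    name: str
    admins: tuple[str, ...]
    billing_owner: str = ""
    has_secret: bool = False          # holds an API key or integration secret
    secret_owner: str = ""
    secret_rotated_on: date | None = None

def audit(systems: list[System], departed: dict[str, date], today: date) -> list[tuple[str, str]]:
    """Return (system, finding) pairs; `departed` maps a person to their end date."""
    findings = []
    for s in systems:
        if len(s.admins) < 2:
            findings.append((s.name, "fewer than two admins"))
        for who in s.admins:
            if who.lower() in GENERIC_OWNERS:
                findings.append((s.name, f"admin '{who}' is not a named human"))
            elif who in departed and today - departed[who] > REVOKE_WITHIN:
                findings.append((s.name, f"{who} left on {departed[who]} and still has admin"))
        if s.billing_owner.lower() in GENERIC_OWNERS:
            findings.append((s.name, f"billing owner '{s.billing_owner}' is not a named human"))
        if s.has_secret:
            if not s.secret_owner:
                findings.append((s.name, "integration secret has no named owner"))
            if s.secret_rotated_on is None:
                findings.append((s.name, "integration secret has no rotation date"))
            elif today - s.secret_rotated_on > ROTATION_MAX:
                findings.append((s.name, "integration secret is past its rotation date"))
    return findings

# Constructed sample inventory for a four-person shop; names and dates are made up.
TODAY = date(2026, 5, 4)
DEPARTED = {"Jonas": date(2026, 4, 20)}  # contractor whose exit was two weeks ago
INVENTORY = [
    System("Google Workspace", ("Ana", "Daniel"), billing_owner="Ana"),
    System("Domain registrar", ("Ana",), billing_owner="info@"),
    System("GitHub org", ("Daniel", "Jonas"), has_secret=True,
           secret_owner="Daniel", secret_rotated_on=date(2025, 1, 15)),
    System("Stripe", ("we all have access",), billing_owner="Ana", has_secret=True),
]
```

Running `audit(INVENTORY, DEPARTED, TODAY)` on the sample inventory returns eight findings spread over the registrar, GitHub org and Stripe rows, while the Workspace row passes cleanly.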

Score it honestly

How to interpret gaps
Any ‘no’ in Pass 1–2

Stop and schedule fixes this week. That is your incident waiting to happen.

Only Pass 3–4 gaps

Serious but usually slower-burn — put concrete fix dates on the calendar, do not defer forever.

All boxes checked

Re-run quarterly; add scope only when headcount or data sensitivity jumps.

Fix identity and ownership before you chase niche hardening. Most incidents never reach disk encryption theory.

What this checklist is not

It will not satisfy an enterprise RFP, replace a penetration test or cover regulated industries in detail. It will close the gaps that burn small teams when someone gets phished, a laptop is stolen, or a contractor ghosts with admin still on.

When you outgrow this list, hire proportionally — a fractional security advisor or an MSP — but keep the habits: MFA, ownership clarity, and clean exits.
