Asset management exists, cryptographic discovery does not.
Extend the asset register to algorithms, keys, certificates, protocols, libraries, hardware security modules and external cryptographic services.
The company’s existing policies provide useful foundations for ownership, risk, suppliers and testing. They do not yet establish a cryptographic inventory, quantum-exposure model, PQC migration programme or verified production deployment.
The scoring follows the open QSI model: 20% each for inventory, exposure control and migration; 15% each for agility and validation; and 10% for governance. Scores reflect what can be supported by the supplied 1009 LTD corpus as of 11 July 2026.
General control capability earns limited credit only where it materially supports a PAREK stage. Missing post-quantum specificity is recorded as a gap rather than inferred.
| Dimension | Score | Evidence observed | Decisive gap | Source documents |
|---|
The largest improvement will come from converting existing asset and risk processes into cryptography-specific evidence—not from immediately buying a new security product.
Extend the asset register to algorithms, keys, certificates, protocols, libraries, hardware security modules and external cryptographic services.
Introduce harvest-now-decrypt-later analysis using confidentiality lifetime, system lifetime, algorithm status and migration lead time.
Appoint an executive sponsor and technical owner; define dependencies, target profiles, budgets, milestones and rollback criteria.
Add crypto bill-of-materials, PQC roadmap, algorithm-deprecation notice and interoperability evidence to supplier due diligence and contracts.
Build interoperability, performance, failure recovery, hybrid-mode and key-management tests into the resilience-testing programme.
Full implementation credit requires deployed controls, evidence, operational ownership, monitoring and tested recovery.
Start with discovery and exposure, then move into design and controlled pilots. Governance is continuous and must cover policy, suppliers, exceptions, reassessment and accountable acceptance of residual risk.
This assessment covers the supplied policy corpus only. It does not validate implementation, interview control owners, inspect live systems, test cryptography or review registers, configurations, contracts and audit records that were not provided.