1009 LTD · Quantum-safe readiness

Prepared to govern.
Not yet ready to migrate.

The company’s existing policies provide useful foundations for ownership, risk, suppliers and testing. They do not yet establish a cryptographic inventory, quantum-exposure model, PQC migration programme or verified production deployment.

Six dimensions

A transparent score, not a black box.

The scoring follows the open QSI model: 20% each for inventory, exposure control and migration; 15% each for agility and validation; and 10% for governance. Scores reflect what can be supported by the supplied 1009 LTD corpus as of 11 July 2026.

Calculation: QSI = 0.20I + 0.20Eₓ + 0.20M + 0.15Aᵍ + 0.15V + 0.10G = 15.75, rounded to 16/100. This is an indicative assessment instrument result, not certification by NIST, ETSI, ENISA or a public authority.
Evidence trace

Every score connects back to supplied material.

General control capability earns limited credit only where it materially supports a PAREK stage. Missing post-quantum specificity is recorded as a gap rather than inferred.

DimensionScoreEvidence observedDecisive gapSource documents
Executive findings

Six decisions that change the trajectory.

The largest improvement will come from converting existing asset and risk processes into cryptography-specific evidence—not from immediately buying a new security product.

01 · FOUNDATION

Asset management exists, cryptographic discovery does not.

Extend the asset register to algorithms, keys, certificates, protocols, libraries, hardware security modules and external cryptographic services.

02 · EXPOSURE

Data criticality is not linked to cryptographic lifetime.

Introduce harvest-now-decrypt-later analysis using confidentiality lifetime, system lifetime, algorithm status and migration lead time.

03 · DELIVERY

There is no owned, funded PQC roadmap.

Appoint an executive sponsor and technical owner; define dependencies, target profiles, budgets, milestones and rollback criteria.

04 · SUPPLIERS

Strong third-party governance lacks quantum clauses.

Add crypto bill-of-materials, PQC roadmap, algorithm-deprecation notice and interoperability evidence to supplier due diligence and contracts.

05 · ASSURANCE

Testing capability has not been applied to PQC.

Build interoperability, performance, failure recovery, hybrid-mode and key-management tests into the resilience-testing programme.

06 · DISCIPLINE

A named PQC algorithm is not an outcome.

Full implementation credit requires deployed controls, evidence, operational ownership, monitoring and tested recovery.

12-month transition plan

Sequence the work around evidence and risk.

Start with discovery and exposure, then move into design and controlled pilots. Governance is continuous and must cover policy, suppliers, exceptions, reassessment and accountable acceptance of residual risk.

01
0–30 days · MobiliseSponsor, owner, scope, policy statement and evidence repository
K
02
0–90 days · DiscoverCryptographic inventory and supplier evidence requests
P
03
60–120 days · PrioritiseHNDL exposure, criticality, dependency and urgency register
A
04
Q2 · DesignTarget architecture, crypto agility pattern, budget and rollback
R
05
Q3–Q4 · PilotHybrid/PQC pilots, interoperability, performance and recovery tests
E
06
Quarterly · ReassessMetrics, exceptions, supplier status and QSI evidence refresh
K
Scope and limitations

Interpret the result with discipline.

This assessment covers the supplied policy corpus only. It does not validate implementation, interview control owners, inspect live systems, test cryptography or review registers, configurations, contracts and audit records that were not provided.

Methodology source: Quantum-Safe Index v1.0.0, aligned to the PAREK lifecycle. The assessment dataset records weights, scores, source documents, evidence notes, decisive gaps and critical-gate status for independent review. Open the published Zenodo dataset ↗