QorTrace
INSIGHT · CISO PQC READINESS WORKSHOP

The CISO’s PQC readiness checklist (that the regulator will ask for).

Eleven items. Every one of them shows up, in some form, on the post-CNSA-2.0 security questionnaires we have seen circulating.

May 2026 · 6 min read · CISO PQC Readiness Workshop

Regulators are circling. CNSA 2.0 is an NSA mandate; DORA is a European Commission regulation; NIST IR 8547 is a federal advisory; MAS TRM is the Monetary Authority of Singapore's technology risk management guidance. They are converging on the same checklist, and procurement teams are starting to demand attestations against it. If you walk into a renewal cycle in 2027 without a one-page answer to each of these eleven items, you will spend Q2 of that year writing a security-questionnaire response from scratch.

The 11 questions.

  1. Do you maintain a cryptographic inventory of all primitives in production? (CSV/PDF, exportable, dated.)
  2. What percentage of your TLS endpoints support hybrid post-quantum key exchange, and what is the negotiated-group distribution?
  3. What is your code-signing migration plan to ML-DSA / SLH-DSA, and what is the deadline?
  4. Are your KMS / HSM keys rotatable to PQ algorithms without re-issuing customer keys?
  5. What is your harvest-now exposure model, by data category?
  6. Do you have a board-approved PQC readiness roadmap, with sized budget bands per phase?
  7. Who is the single named owner of the migration program, and what is their reporting line to the CISO?
  8. What telemetry do you instrument to detect classical-only fallback during the migration window?
  9. What is your runbook for a Friday-night TLS rollback?
  10. Do you have a vendor-readiness matrix tracking your top 50 third-party dependencies’ PQ status?
  11. What is your published Cryptographic Migration Certificate, and where can it be verified?
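
Questions 2 and 8 are the two on the list that can be answered from telemetry rather than from a document. The script below is an added example, not QorTrace's tooling or part of the workshop deliverables: it parses a constructed TLS handshake log (one line per handshake, with the negotiated named group), computes the negotiated-group distribution per endpoint, and flags handshakes on endpoints already switched to hybrid key exchange that nevertheless landed on a classical-only group. The log format, endpoint names and the 50% alert threshold are assumptions for illustration; the hybrid group names are those used in the IETF hybrid ML-KEM drafts for TLS 1.3.

```python
"""Added example (not the page's or QorTrace's code): negotiated-group
distribution and classical-only fallback detection from TLS handshake logs.
Log format, endpoint names and threshold are constructed assumptions."""
from collections import Counter
import re

# Hybrid (classical ECDH + ML-KEM) named groups from the IETF TLS hybrid drafts.
HYBRID_PQ_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}

# Constructed log format: "<ts> <endpoint> <client_ip> group=<name> version=<tls>"
SAMPLE_LOG = """\
2026-05-04T01:12:03Z api.example.test 203.0.113.10 group=X25519MLKEM768 version=TLSv1.3
2026-05-04T01:12:05Z api.example.test 203.0.113.11 group=X25519 version=TLSv1.3
2026-05-04T01:12:09Z api.example.test 203.0.113.12 group=X25519MLKEM768 version=TLSv1.3
2026-05-04T01:13:00Z legacy.example.test 198.51.100.7 group=secp256r1 version=TLSv1.2
2026-05-04T01:13:02Z portal.example.test 198.51.100.8 group=X25519 version=TLSv1.3
2026-05-04T01:13:04Z portal.example.test 198.51.100.9 group=X25519 version=TLSv1.3
"""

# Assumed: endpoints that have been reconfigured to offer hybrid groups first.
# A classical group negotiated here means the client, or something in the
# path, fell back -- exactly the signal question 8 asks you to instrument.
HYBRID_ENABLED_ENDPOINTS = {"api.example.test", "portal.example.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<endpoint>\S+) (?P<client>\S+) "
    r"group=(?P<group>\S+) version=(?P<version>\S+)$"
)


def parse_handshakes(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_hybrid_pq(group):
    return group in HYBRID_PQ_GROUPS


def group_distribution(handshakes):
    """Per-endpoint count of negotiated groups (the answer to question 2)."""
    dist = {}
    for h in handshakes:
        dist.setdefault(h["endpoint"], Counter())[h["group"]] += 1
    return dist


def hybrid_coverage(dist, enabled=HYBRID_ENABLED_ENDPOINTS):
    """Share of handshakes on each hybrid-enabled endpoint that used a hybrid group."""
    out = {}
    for ep in enabled:
        counts = dist.get(ep, Counter())
        total = sum(counts.values())
        hybrid = sum(n for g, n in counts.items() if is_hybrid_pq(g))
        out[ep] = hybrid / total if total else None
    return out


def classical_fallbacks(handshakes, enabled=HYBRID_ENABLED_ENDPOINTS):
    """Handshakes on hybrid-enabled endpoints that negotiated a classical-only group."""
    return [h for h in handshakes
            if h["endpoint"] in enabled and not is_hybrid_pq(h["group"])]


def fallback_alerts(handshakes, enabled=HYBRID_ENABLED_ENDPOINTS, threshold=0.5):
    """Endpoints whose hybrid share is below the (assumed) alert threshold."""
    cov = hybrid_coverage(group_distribution(handshakes), enabled)
    return sorted(ep for ep, share in cov.items()
                  if share is not None and share < threshold)


def analyze(text=SAMPLE_LOG):
    handshakes = list(parse_handshakes(text))
    dist = group_distribution(handshakes)
    return {
        "distribution": dist,
        "coverage": hybrid_coverage(dist),
        "fallbacks": classical_fallbacks(handshakes),
        "alerts": fallback_alerts(handshakes),
    }


if __name__ == "__main__":
    result = analyze()
    for ep, counts in sorted(result["distribution"].items()):
        print(ep, dict(counts))
    print("hybrid coverage:", result["coverage"])
    print("classical fallbacks:", len(result["fallbacks"]))
    print("alert endpoints:", result["alerts"])
```

Feeding real handshake logs in the same shape gives the per-endpoint negotiated-group distribution for question 2 directly, and the `fallback_alerts` output is the kind of signal that belongs on the migration-window dashboard for question 8: a hybrid-enabled endpoint drifting toward classical groups usually means a client fleet, load balancer or TLS-terminating proxy is stripping or not offering the hybrid groups, and it should be investigated before the classical path is retired.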

Where most teams fail.

Items 1, 5, 6, and 11 are the ones that bite. Most teams have a partial answer to each — a SAST scan output, a hand-wave at “we use TLS 1.3,” a roadmap slide from the last all-hands, no published certificate at all. None of those survive a serious procurement review. The fix is a one-page answer to each of the eleven, signed by the CISO, dated, and re-issued every six months.

What the workshop produces.

Two days of working sessions with your CISO + 2–4 senior security/eng leaders. Output: a one-page answer to each of the eleven questions; a 12-month roadmap with named owners and budget bands; a Q-Day exposure model for 2030 / 2032 / 2034; a regulatory cliff-date matrix specific to your jurisdiction. Built to land in a board pack.