IT Strategy Checklist

A quarterly IT strategy review the systems administration team runs to refresh infrastructure, security, data, support, and vendor posture. Designed for in-house IT leads and MSP vCIOs preparing for the next planning cycle or QBR.

Section 1: Infrastructure Planning

  1. Pull current asset inventory from the RMM
    • Export the device list from NinjaOne, Datto RMM, or whichever RMM is in scope and reconcile against IT Glue / Hudu, the M365 Intune device list, and the HR system. Orphaned devices (in RMM, not in HR; in HR, not in RMM) are the usual finding — flag them for the offboarding queue.
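
The reconciliation in this step is easy to do by hand for 30 devices and error-prone for 3,000. The following is an added example, not part of the template or of any RMM product's tooling: it cross-checks three constructed CSV exports (RMM, Intune, HR) by serial number and e-mail address and returns the orphan findings the step describes. The column names (`serial`, `last_user`, `user_principal_name`, `status`) are assumptions; map them to whatever headers your real exports use.

```python
import csv
import io

# Constructed sample exports, not real data. The column names are assumptions
# for illustration; a real NinjaOne / Datto RMM / Intune / HR export has its own headers.
RMM_EXPORT = """serial,hostname,last_user,last_seen
SN001,LT-ALICE,alice@example.com,2024-03-01
SN002,LT-BOB,bob@example.com,2024-02-28
SN003,LT-CARL,carl@example.com,2023-11-10
SN004,LT-SPARE,,2024-03-02
"""

INTUNE_EXPORT = """serial,device_name,user_principal_name
SN001,LT-ALICE,alice@example.com
SN002,LT-BOB,bob@example.com
SN005,LT-DANA,dana@example.com
"""

HR_EXPORT = """email,status
alice@example.com,active
bob@example.com,active
carl@example.com,terminated
dana@example.com,active
erin@example.com,active
"""


def load_csv(text, key):
    """Parse a CSV export into a dict keyed by the given column (e.g. serial)."""
    return {row[key].strip(): row for row in csv.DictReader(io.StringIO(text))}


def reconcile(rmm_csv, intune_csv, hr_csv):
    """Cross-check RMM, Intune and HR exports and return the orphan findings.

    Devices are matched on serial number; people on e-mail address. Every
    result is a sorted list so it can be pasted straight into the checklist.
    """
    rmm = load_csv(rmm_csv, "serial")
    intune = load_csv(intune_csv, "serial")
    hr = load_csv(hr_csv, "email")

    active_staff = {email for email, row in hr.items() if row["status"].lower() == "active"}
    rmm_users = {row["last_user"] for row in rmm.values() if row["last_user"]}

    return {
        # In RMM, assigned to someone HR no longer lists as active: offboarding queue.
        "offboarding_queue": sorted(
            serial for serial, row in rmm.items()
            if row["last_user"] and row["last_user"] not in active_staff
        ),
        # In RMM with no user at all: spares, loaners, or agents nobody owns.
        "unassigned_devices": sorted(serial for serial, row in rmm.items() if not row["last_user"]),
        # Enrolled in Intune but the RMM agent is missing: unmonitored endpoints.
        "in_intune_not_in_rmm": sorted(set(intune) - set(rmm)),
        # RMM knows it but Intune does not: policy and encryption reporting gaps.
        "in_rmm_not_in_intune": sorted(set(rmm) - set(intune)),
        # Active in HR with no RMM device: remote starters, BYOD, or stale HR data.
        "active_staff_without_device": sorted(active_staff - rmm_users),
    }


if __name__ == "__main__":
    for finding, items in reconcile(RMM_EXPORT, INTUNE_EXPORT, HR_EXPORT).items():
        print(f"{finding}: {items}")
```

On the constructed data the script puts SN003 (owned by a terminated employee) in the offboarding queue, flags SN004 as unassigned, and shows SN005 enrolled in Intune with no RMM agent. The last list, active staff with no device, is worth keeping in the output even when it is long: it is the quickest way to spot BYOD machines that never went through enrollment.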

  2. Review network topology and circuit redundancy
    • Walk the diagram against reality — Meraki / FortiGate / Palo Alto configs, ISP circuits, failover paths, VLAN segmentation. Single-circuit sites and flat networks are the two findings that show up in every audit.

  3. Forecast headcount capacity for the next 12 months
    • Pull the hiring plan from HR / Finance and translate to laptop, license, VPN, and storage demand. Bake in a 10% buffer for backfills and contractors. M365 license tier mix (E3 vs E5 vs F1) drives a non-trivial chunk of the budget — flag changes early.

  4. Lock the gold image and standard hardware list
    • Confirm the Intune Autopilot profile, JAMF prestage, and approved SKUs for the next refresh cycle. Standardization is the lever that keeps imaging time and helpdesk variance down.

  5. Refresh the DR runbook RTO and RPO targets
    • Per-system RTO/RPO with named owner. The runbook lives where on-call can find it at 3am — not buried in SharePoint. Test the doc by handing it to a Tier 2 who hasn't seen it and asking them to walk a failover.

Section 2: Security and Compliance

  1. Run authenticated vulnerability scans on in-scope hosts
    • Tenable, Qualys, or Rapid7 InsightVM with credentialed scans — not network-only. Triage CVSS 9+ first, then chase the long tail. Attach the scan export to this step for the audit trail.

  2. Audit MFA coverage and legacy-auth exposure
    • In Entra ID / Okta, run the MFA coverage report and the sign-in logs filtered for legacy auth (IMAP, POP, SMTP basic, EWS). Service accounts and shared mailboxes are the usual gaps. MFA without blocking legacy auth is bypass-by-design.
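
The sign-in log filter this step describes, as an added example that is not part of the template: it reads exported Entra ID sign-in records (one JSON object per line, using the field names of the Microsoft Graph `signIn` resource: `userPrincipalName`, `clientAppUsed`, `authenticationRequirement`, `status.errorCode`), separates successful legacy-auth sign-ins from failed attempts, and also lists accounts that signed in on a modern client without MFA. The sample records are constructed. The legacy client list is the set Entra reports in `clientAppUsed` for basic-auth protocols; if your tenant shows a value not in it, add it and treat that addition as an assumption.

```python
import json
from collections import Counter, defaultdict

# Client types Entra ID reports in clientAppUsed for legacy (basic, non-modern)
# authentication. Anything not in this set is treated as a modern client.
LEGACY_CLIENTS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "POP3", "Reporting Web Services", "Other clients",
}

# Constructed sample sign-in records (JSON Lines), not real log data.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "shared-ap@example.com", "clientAppUsed": "Exchange ActiveSync", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Authenticated SMTP", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"userPrincipalName": "carl@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
"""


def parse_signins(jsonl):
    """Parse a JSON Lines export into a list of sign-in records."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def legacy_auth_exposure(records):
    """Summarise legacy-auth and single-factor exposure per account."""
    succeeded_legacy = Counter()        # user -> successful legacy-auth sign-ins
    failed_legacy = Counter()           # user -> failed legacy-auth attempts
    single_factor_modern = Counter()    # user -> modern-client sign-ins without MFA
    protocols = defaultdict(set)        # user -> legacy protocols observed

    for rec in records:
        user = rec["userPrincipalName"].lower()
        client = rec.get("clientAppUsed", "")
        succeeded = rec.get("status", {}).get("errorCode", -1) == 0
        single_factor = rec.get("authenticationRequirement") == "singleFactorAuthentication"

        if client in LEGACY_CLIENTS:
            protocols[user].add(client)
            (succeeded_legacy if succeeded else failed_legacy)[user] += 1
        elif succeeded and single_factor:
            # Modern client, but MFA was never required: a Conditional Access gap.
            single_factor_modern[user] += 1

    return {
        "legacy_success_by_user": dict(succeeded_legacy),
        "legacy_failed_by_user": dict(failed_legacy),
        "legacy_protocols_by_user": {u: sorted(p) for u, p in protocols.items()},
        "single_factor_modern_by_user": dict(single_factor_modern),
        # Accounts whose owners must be migrated before the org-wide block is flipped.
        "migrate_before_block": sorted(succeeded_legacy),
    }


if __name__ == "__main__":
    summary = legacy_auth_exposure(parse_signins(SAMPLE_SIGNINS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Two details matter in practice. First, failed legacy attempts (bob's SMTP sign-in with error 50126, invalid credentials) still show that a client is configured for basic auth, so they belong in the migration list even though they never got in. Second, the `single_factor_modern_by_user` bucket is the MFA coverage gap the report on the Entra portal shows; the point of the step is that fixing that bucket alone leaves the legacy bucket open, which is why the block and the MFA policy ship together.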

  3. Close MFA gaps and legacy auth holdouts
    • Apply Conditional Access policies to enforce MFA on the gap accounts and block legacy auth org-wide. Coordinate with mailbox admins on shared-mailbox migration to modern auth before flipping the block.

  4. Map controls to SOC 2, HIPAA, and CMMC scope
    • Confirm which frameworks apply this cycle. For SOC 2, refresh the change-management, access-review, and vendor-management evidence binders. For HIPAA, confirm BAAs are current with every subprocessor handling PHI.

  5. Set the three-ring patch deployment schedule
    • Test ring (IT staff) → pilot ring (volunteer power users, ~5%) → production ring, with 7-14 days between rings. Document the rollback plan and the blackout windows on the calendar.

Section 3: Data Management

  1. Run a quarterly restore drill from immutable backup
    • Pick a tier-1 system, restore into an isolated VLAN, validate data integrity, and time the run. The success metric is a verified restore — not a green dashboard. Veeam / Datto / Rubrik will all happily report success on a backup that won't restore.

  2. Open a vendor support case for any failed restore
    • Treat a failed drill as a P1. File the ticket with the backup vendor, document the failure mode, and schedule the re-test. A failed drill that's not remediated within the cycle is the finding that ends up on the SOC 2 exception list.

  3. Verify BitLocker and FileVault coverage across endpoints
    • Pull the encryption status report from Intune / JAMF and confirm recovery keys are escrowed. The gap is usually older devices that predate the policy or BYOD machines that slipped through enrollment.

  4. Refresh the data classification and retention matrix
    • Walk the matrix with Legal — public, internal, confidential, restricted — and confirm M365 retention labels and Purview policies map cleanly. Litigation holds get reviewed here too.

  5. Reconcile storage growth against capacity forecast
    • Compare actual SAN, OneDrive, and Azure Blob growth against last quarter's projection. Anomalous growth often points to a runaway log file or a user dumping personal media into OneDrive.

Section 4: User Support and Training

  1. Review ticket volume and MTTR by category
    • Pull the last 90 days from ServiceNow / Freshservice / ConnectWise PSA. Top-3 categories drive the next training cadence; outlier MTTR drives the runbook updates.

  2. Schedule the next phishing simulation in KnowBe4
    • Pick a template that matches the threat trends from the SIEM, not last year's defaults. Coordinate the date with HR so the campaign doesn't land during open enrollment.

  3. Run M365 and Intune training for new features
    • Cover what shipped in the last quarter's Microsoft roadmap that affects users — Copilot rollout, Teams updates, Loop. Record the session and post to the helpdesk knowledge base.

  4. Capture end-user CSAT via post-ticket survey
    • Pull the CSAT trend from the PSA and segment by tech and ticket category. A specific tech with a CSAT outlier is a coaching conversation, not a public chart.

  5. Flag repeat-clicker remediation candidates
    • Users who clicked on three consecutive simulations are assigned remediation training, and their manager is notified per the awareness policy. The same 12 users every quarter is the pattern to watch for.
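
The "three consecutive" rule is stricter than "three clicks", and sorting by campaign date is what makes the distinction. The following is an added example, not part of the template or of KnowBe4's reporting: it computes each user's longest run of consecutive clicked campaigns from constructed simulation results and returns the remediation candidates. The row layout (date, user, clicked) is an assumption; a real export will need its columns mapped.

```python
from collections import defaultdict

# Constructed sample simulation results, not a KnowBe4 export.
# Each row: (campaign date, user, clicked). Column layout is an assumption.
SAMPLE_RESULTS = [
    ("2023-07-10", "alice@example.com", True),
    ("2023-10-09", "alice@example.com", True),
    ("2024-01-15", "alice@example.com", True),   # three in a row
    ("2023-07-10", "bob@example.com", True),
    ("2023-10-09", "bob@example.com", False),
    ("2024-01-15", "bob@example.com", True),     # two clicks, not consecutive
    ("2023-10-09", "carl@example.com", True),
    ("2024-01-15", "carl@example.com", True),    # only two campaigns so far
    ("2023-07-10", "dana@example.com", False),
    ("2023-10-09", "dana@example.com", False),
    ("2024-01-15", "dana@example.com", False),
    ("2024-01-15", "erin@example.com", True),    # rows arrive out of order
    ("2023-07-10", "erin@example.com", True),
    ("2023-10-09", "erin@example.com", True),
]


def click_streaks(results):
    """Longest run of consecutive clicked campaigns per user, in date order.

    A campaign the user did not click resets the run. Campaigns the user was
    not targeted in do not appear in the rows and therefore do not break it.
    """
    by_user = defaultdict(list)
    for date, user, clicked in results:
        by_user[user.lower()].append((date, clicked))

    longest = {}
    for user, rows in by_user.items():
        rows.sort()                 # ISO dates sort chronologically as strings
        best = run = 0
        for _, clicked in rows:
            run = run + 1 if clicked else 0
            best = max(best, run)
        longest[user] = best
    return longest


def remediation_candidates(results, threshold=3):
    """Users whose longest click streak meets the awareness-policy threshold."""
    return sorted(user for user, streak in click_streaks(results).items() if streak >= threshold)


if __name__ == "__main__":
    print(click_streaks(SAMPLE_RESULTS))
    print(remediation_candidates(SAMPLE_RESULTS))
```

Keeping `click_streaks` separate from the threshold check is deliberate: the per-user streak table is what you compare quarter over quarter to see whether the same names keep reappearing, which is the pattern the step says to watch for.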

Section 5: Vendor and Contract Management

  1. Update IT Glue vendor and contract inventory
    • Every vendor, every contract, every renewal date, every named contact. The gap that shows up in audits is the vendor that's been auto-renewing for three years with nobody actively managing it.

  2. Review SLA performance against signed contracts
    • Pull uptime and response-time data from the vendor portals (Meraki Dashboard, Datto status, M365 Service Health) and compare against contracted SLAs. Credits for missed SLAs almost always require a written claim — file them.

  3. Flag renewals expiring within 90 days
    • Auto-renew clauses bite when nobody's watching. 90 days out is the window to negotiate; 30 days out you've lost leverage. Microsoft, Veeam, and CrowdStrike renewals especially benefit from a quote-shop.

  4. Collect current SOC 2 reports and BAAs
    • Refresh the vendor security file: SOC 2 Type II report, signed BAA where PHI is in scope, DPA where GDPR / CCPA applies. A vendor without a current SOC 2 either provides a bridge letter or moves to the risk-accepted list.

  5. Log fourth-party and supply-chain risks
    • Map subprocessors of your top-10 vendors — the SolarWinds and Kaseya supply-chain incidents are the reason this row exists on the risk register. Flag concentrations (e.g., five vendors all hosting on the same region of one cloud).

Category: Systems Administration