Legacy Health Self-Check.
Answer 33 yes/no questions about your business software and get a weighted risk score, a section-by-section breakdown, and an honest next step.
Your result is shown only after all 33 questions are answered — please do not skip any.
0 of 33 answered
The system still fully supports the core business processes it was built for.
CriticalStaff do not rely on manual workarounds to compensate for system limitations.
ImportantThe system can meet all upcoming regulatory and compliance requirements.
CriticalIntegration points with other tools are documented and maintainable by the internal team.
ImportantThe system does not prevent the business from launching new products or entering new markets.
ImportantThe system has strong uptime with very few unplanned outages.
CriticalWhen failures occur, recovery is fast — under a few hours.
CriticalThe system handles current and peak load without performance issues.
CriticalDeploying a fix or new release takes less than a day.
ImportantMonitoring and alerting are in place so problems are caught proactively.
ImportantAll third-party components are free of known critical security vulnerabilities.
CriticalThe system runs on hardware and OS versions that are up-to-date and supported.
CriticalThe programming languages and frameworks used are still actively supported.
ImportantThe system has automated tests in place (unit and integration).
ImportantThe codebase is well documented and a new developer could understand it.
MinorMore than two people in the organisation understand how this system works.
CriticalThere is no single person whose departure would cause a critical knowledge gap.
CriticalThe organisation has access to the source code and documentation independently of the vendor.
ImportantSupport contracts are active and not at risk of expiry in the next 12 months.
ImportantThe vendor actively releases updates and patches for this system.
MinorThe system is fully compliant with GDPR and relevant data regulations.
CriticalA security audit or penetration test was completed in the last 12 months.
CriticalAccess controls and authentication mechanisms are up to date.
CriticalAll sensitive data is encrypted at rest and in transit.
CriticalComprehensive audit logs are in place to track access and changes.
ImportantThe system uses a dedicated secrets management solution — no hardcoded passwords, API keys, or tokens.
CriticalThe system achieves an A or A+ rating on SSL configuration checks (e.g. SSL Labs or SSLShopper).
ImportantA cost/benefit analysis of maintaining vs replacing has been conducted.
ImportantThere is a clear roadmap for the system's future — not indefinite maintenance.
ImportantAPIs or integration points exist that would make migration easier.
MinorThere is stakeholder appetite and budget available for modernisation work.
ImportantThe data migration risk is understood and manageable.
ImportantLeadership treats this system as a strategic asset, not just a sunk cost.
MinorWhat your score actually means
The result is weighted by impact — a missing security control counts for more than a missing test. Here is how to read the three zones.
Healthy
No major red flags. Stay disciplined: review annually and watch for vendor end-of-life dates creeping up.
Attention needed
Meaningful gaps that compound over time. A structured modernisation plan now will cost far less than a crisis later.
Critical risk
Real exposure to outage, breach, or business disruption. The cost of inaction is almost certainly higher than the cost of fixing it.
Named systems
Not sure if your system is the risk — or what's around it?
The Self-Check scores your overall risk. If you want to see examples of named legacy systems and the hidden dependencies we commonly assess, the Legacy Systems hub goes deeper.
