Legacy Health Self-Check.

    Answer 33 yes/no questions about your business software and get a weighted risk score, a section-by-section breakdown, and an honest next step.

    Your result is shown only after all 33 questions are answered — please do not skip any.

    0 of 33 answered

    Business alignment
    01

    The system still fully supports the core business processes it was built for.

    Critical
    02

    Staff do not rely on manual workarounds to compensate for system limitations.

    Important
    03

    The system can meet all upcoming regulatory and compliance requirements.

    Critical
    04

    Integration points with other tools are documented and maintainable by the internal team.

    Important
    05

    The system does not prevent the business from launching new products or entering new markets.

    Important
    Operational performance
    06

    The system has strong uptime with very few unplanned outages.

    Critical
    07

    When failures occur, recovery is fast — under a few hours.

    Critical
    08

    The system handles current and peak load without performance issues.

    Critical
    09

    Deploying a fix or new release takes less than a day.

    Important
    10

    Monitoring and alerting are in place so problems are caught proactively.

    Important
    Technology & architecture
    11

    All third-party components are free of known critical security vulnerabilities.

    Critical
    12

    The system runs on hardware and OS versions that are up-to-date and supported.

    Critical
    13

    The programming languages and frameworks used are still actively supported.

    Important
    14

    The system has automated tests in place (unit and integration).

    Important
    15

    The codebase is well documented and a new developer could understand it.

    Minor
    Knowledge & people risk
    16

    More than two people in the organisation understand how this system works.

    Critical
    17

    There is no single person whose departure would cause a critical knowledge gap.

    Critical
    18

    The organisation has access to the source code and documentation independently of the vendor.

    Important
    19

    Support contracts are active and not at risk of expiry in the next 12 months.

    Important
    20

    The vendor actively releases updates and patches for this system.

    Minor
    Data & security
    21

    The system is fully compliant with GDPR and relevant data regulations.

    Critical
    22

    A security audit or penetration test was completed in the last 12 months.

    Critical
    23

    Access controls and authentication mechanisms are up to date.

    Critical
    24

    All sensitive data is encrypted at rest and in transit.

    Critical
    25

    Comprehensive audit logs are in place to track access and changes.

    Important
    26

    The system uses a dedicated secrets management solution — no hardcoded passwords, API keys, or tokens.

    Critical
    27

    The system achieves an A or A+ rating on SSL configuration checks (e.g. SSL Labs or SSLShopper).

    Important
    Modernisation readiness
    28

    A cost/benefit analysis of maintaining vs replacing has been conducted.

    Important
    29

    There is a clear roadmap for the system's future — not indefinite maintenance.

    Important
    30

    APIs or integration points exist that would make migration easier.

    Minor
    31

    There is stakeholder appetite and budget available for modernisation work.

    Important
    32

    The data migration risk is understood and manageable.

    Important
    33

    Leadership treats this system as a strategic asset, not just a sunk cost.

    Minor

    What your score actually means

    The result is weighted by impact — a missing security control counts for more than a missing test. Here is how to read the three zones.

    75 – 100%

    Healthy

    No major red flags. Stay disciplined: review annually and watch for vendor end-of-life dates creeping up.

    50 – 74%

    Attention needed

    Meaningful gaps that compound over time. A structured modernisation plan now will cost far less than a crisis later.

    0 – 49%

    Critical risk

    Real exposure to outage, breach, or business disruption. The cost of inaction is almost certainly higher than the cost of fixing it.

    Named systems

    Not sure if your system is the risk — or what's around it?

    The Self-Check scores your overall risk. If you want to see examples of named legacy systems and the hidden dependencies we commonly assess, the Legacy Systems hub goes deeper.