What is a PQC Readiness Assessment?
A PQC readiness assessment is the first structured step before migration, not the migration itself.
Readiness Flow / Assessment Board
A readiness assessment connects business context, cryptographic evidence, ownership, and next actions.
Assessment starts with visibility, not replacement.
- Which data must stay confidential for years? Result: long-lived sensitive data list
- Where is cryptography used? Result: evidence from systems, traffic, certificates, code, tools, and vendors
- What cryptography exists and where? Result: structured view of systems, algorithms, owners, and vendors
- Which areas depend on vulnerable public-key cryptography? Result: exposure map
- What matters most? Result: urgent, important, monitor, or defer
- Who controls the change? Result: supplier and platform action list
- What happens next? Result: practical migration and readiness plan
Readiness assessment is not migration. It creates the evidence and priorities needed before migration.
Short Answer
A PQC readiness assessment helps an organisation understand how prepared it is for post-quantum cryptography migration without treating assessment as immediate replacement.
It reduces uncertainty
It asks where public-key cryptography is used, which data lives for years, and which systems are hard to change.
It supports decisions
Good output connects cryptographic findings to business context, vendors, owners, and priorities.
It creates a roadmap
The result should show what to discover, review, test, contact, monitor, or defer.
Core Explanation
The problem is uncertainty
Many companies know that PQC matters, but they do not know what it means for their own environment.
A readiness assessment exists to reduce that uncertainty. It answers:
- where cryptography is used
- which systems use vulnerable public-key algorithms
- which vendors control the stack
- which data has a long confidentiality lifetime
- which systems are difficult to update
- which next actions are useful
Readiness is not migration
Migration means changing cryptographic mechanisms, protocols, certificates, libraries, products, or configurations.
Readiness assessment comes before that. It helps decide what should be discovered, inventoried, prioritised, discussed with vendors, tested, monitored, or allowed to wait.
Immediate full migration is usually unrealistic; readiness helps decide the order of work.
Useful output combines business and technical context
A useful assessment does not only list algorithms.
It connects technical findings to system importance, data lifetime, user impact, operational risk, vendor dependency, regulatory or contractual exposure, migration difficulty, and ownership.
The output should be a roadmap
The best output is not a long report that nobody uses.
A useful output should show what was assessed, what evidence was used, what is known, what is uncertain, what needs deeper discovery, which systems should be prioritised, which vendors should be contacted, and which no-regret actions can start now.
Good Output vs Weak Output
Good output:
- connects technical findings to business risk
- includes long-lived sensitive data
- uses more than one discovery source
- identifies systems, owners, vendors, and dependencies
- distinguishes urgent, important, and lower-priority areas
- includes uncertainty and confidence levels
- leads to practical next steps and vendor questions
Weak output:
- one scanner export treated as the full answer
- generic algorithm list without system context
- no link to data lifetime
- no vendor dependency view
- no ownership model
- no prioritisation or roadmap
- vague “quantum-safe” recommendations
Weak output may look impressive, but it does not help the organisation decide what to do.
Why It Matters
A readiness assessment helps avoid two weak extremes: panic and passivity.
Avoid panic
The assessment prevents the assumption that everything must change immediately.
Avoid passivity
It prevents waiting until vendors, regulators, or attackers force the issue.
Create a middle path
Teams can understand exposure early, prioritise important systems, and prepare without turning PQC into a rushed emergency project.
Practical Example
Turning vague risk into a worklist
A weak answer would be: “You use RSA and ECC. You should become quantum-safe.”
A better readiness assessment asks which systems use RSA or elliptic-curve cryptography, what data passes through them, how long that data must remain confidential, who owns each system, which vendors control updates, which systems can be tested early, and which systems should only be monitored for now.
The useful output is a practical worklist, not a slogan.
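The worklist described above, as an added example in Python that is not from the original page: each inventory row carries the decision factors the assessment collects (algorithms, data lifetime, owner, vendor control, update difficulty, evidence sources), and simple assumed rules turn it into an urgent/important/monitor/defer priority with a confidence level and a next action. The field names, the ten-year horizon, the confidence thresholds and the sample systems are all assumptions constructed for this example.

```python
from dataclasses import dataclass
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "EdDSA"}  # factoring / discrete-log schemes
PRIORITIES = ["urgent", "important", "monitor", "defer"]  # worklist order

@dataclass
class CryptoAsset:              # one inventory row; the fields are this example's assumptions
    system: str
    algorithms: set             # algorithms seen in evidence, e.g. {"RSA", "AES"}
    confidentiality_years: int  # how long data passing through must stay secret
    owner: str                  # None means no ownership model exists yet
    vendor_controlled: bool     # True if only the vendor can change the cryptography
    update_difficulty: str      # "low", "medium" or "high"
    evidence_sources: set       # e.g. {"tls-scan", "code-review", "vendor-statement"}

def confidence(asset):  # one scanner export is weak evidence; independent sources corroborate it
    n = len(asset.evidence_sources)
    return "high" if n >= 3 else "medium" if n == 2 else "low"

def triage(asset, horizon_years=10):
    """Assumed rules: long-lived data behind vulnerable public-key crypto is urgent (capture now,
    decrypt later); vendor-controlled or hard-to-update systems are important; else monitor."""
    exposed = sorted(asset.algorithms & QUANTUM_VULNERABLE)
    if not exposed:
        return "defer", exposed, "no PQC action now"
    prio = "monitor"
    if asset.confidentiality_years >= horizon_years:
        prio = "urgent"
    elif asset.vendor_controlled or asset.update_difficulty == "high":
        prio = "important"
    if asset.owner is None:
        return prio, exposed, "assign owner"          # nobody can act until someone owns it
    if confidence(asset) == "low":
        return prio, exposed, "deeper discovery"      # evidence too thin to commit to a change
    if asset.vendor_controlled:
        return prio, exposed, "ask vendor for PQC roadmap"
    return prio, exposed, {"urgent": "test early", "important": "plan migration", "monitor": "monitor"}[prio]

def build_worklist(assets):
    rows = [dict(zip(("priority", "exposed", "action"), triage(a)), system=a.system,
                 owner=a.owner, confidence=confidence(a)) for a in assets]
    return sorted(rows, key=lambda r: PRIORITIES.index(r["priority"]))  # stable: ties keep input order

SAMPLE = [  # constructed inventory, not real systems
    CryptoAsset("customer-archive", {"RSA", "AES"}, 25, "data-platform", False, "high",
                {"tls-scan", "code-review", "config-review"}),
    CryptoAsset("saas-hr-portal", {"ECDH", "ECDSA"}, 7, "hr-it", True, "high", {"tls-scan"}),
    CryptoAsset("legacy-vpn", {"DH", "RSA"}, 3, None, True, "medium", {"pcap", "vendor-statement"}),
    CryptoAsset("dev-wiki", {"ECDSA", "AES"}, 2, "platform", False, "low", {"tls-scan", "config-review"}),
    CryptoAsset("internal-metrics", {"AES", "HMAC-SHA256"}, 1, "sre", False, "low", {"code-review"}),
]
```

Calling `build_worklist(SAMPLE)` yields the ordered rows; the symmetric-only system lands in "defer" while the long-lived RSA-protected archive comes first.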
Questions to Ask Vendors or Consultants
What discovery sources do you use?
Do you only scan certificates, or do you also look at protocols, systems, applications, vendors, and configurations?
How do you connect findings to business systems and owners?
Can you identify long-lived sensitive data flows?
How do you distinguish urgent, important, and lower-priority findings?
Do you provide a cryptographic inventory or CBOM-style output?
How do you handle uncertainty and confidence levels?
What evidence supports each recommendation?
What is out of scope?
What should we do after the assessment?
Common Misunderstanding
Misunderstanding: “A PQC readiness assessment tells us which new algorithm to install.”
Correction: a readiness assessment should come before algorithm replacement. It should identify exposure, ownership, vendor dependencies, migration difficulty, and practical priorities.
What to Remember
One-Sentence Summary
A PQC readiness assessment turns quantum uncertainty into a practical view of exposure, ownership, priorities, and next actions.
Three Key Points
- Readiness assessment is not the same as immediate migration.
- Good output connects cryptography to data, systems, vendors, and owners.
- The result should be a roadmap, not a generic report.