Information security policy

Whether there exists an Information security policy, which is approved by the management, published and communicated as appropriate to all employees.

Whether it states the management commitment and sets out the organisational approach to managing

Whether the Security policy has an owner, who is responsible for its maintenance and review according to a defined review process.

Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, for example: significant security incidents, new vulnerabilities or changes to Information security infrastructure

Whether there is a management forum to ensure there is a clear direction and visible management support for security initiatives within the organisation.

Whether there is a cross-functional forum of management representatives from relevant parts of the organisation to coordinate the implementation of information security controls.

Whether responsibilities for the protection of individual assets and for carrying out specific security processes are clearly defined.

Whether there is a management authorisation process in place for any new information processing facility. This should include all new facilities such as hardware

Whether specialist information security advice is obtained where appropriate. A specific individual may be identified to co-ordinate in-house knowledge and experiences to ensure consistency, and provide help in security decision

Whether appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators are maintained to ensure that appropriate action can be quickly taken and advice obtained, in the event of a

Whether the implementation of security policy is reviewed independently on a regular basis. This is to provide assurance that organisational practices properly reflect the policy, and that it is feasible and
Security of third party access

of risks from

Whether risks from third party access are identified and appropriate security controls implemented.

Whether the types of access are identified, classified

access and reasons for access are justified.

Whether security risks with third party contractors working onsite were identified and appropriate controls

in third party

Whether there is a formal contract containing, or referring to, all the security requirements to ensure compliance with the organisation's security policies

Whether security requirements are addressed in the contract with the third party, when the organisation has outsourced the management and control of all or some of its information systems, networks and/or desktop

The contract should address how the legal requirements are to be met, how the security of the organisation's assets is maintained and tested, the right of audit, physical security issues and how the availability of the services is to be maintained in the event of disaster.
Asset classification and control
Accountability of assets...