Risk Assessment Check List
Information Security Policy
Yes / No / In Progress
1. Information security policy document
Does an Information security policy exist, which is approved by the management, published and communicated as appropriate to all employees?
Does it state the management commitment and set out the organizational approach to managing information security?
2. Review and Evaluation
Does the Security policy have an owner, who is responsible for its maintenance and review according to a defined review process?
Does the process ensure that a review takes place in response to any changes affecting the basis of the original assessment, for example significant security incidents, new vulnerabilities or changes to organizational or technical structure?
Organizational Security
Information security infrastructure
1. Allocation of information security responsibilities
a. Are responsibilities for the protection of individual assets and for carrying out specific security processes clearly defined?
2. Co-operation between organizations
a. Are the appropriate contacts with law enforcement authorities, regulatory bodies, utility providers, information service providers and telecommunication operators maintained to ensure that appropriate action can be quickly taken and advice obtained, in the event of an incident?
3. Independent review of information security