Information Security Management Audit

Auditor Name:                                        Audit Date:

Security Policy

| Section | Audit Question | Findings | Compliance (Y/N) |
|---|---|---|---|
| Information Security Policy document | A policy that states management commitment and sets out the organizational approach to managing information security. Does there exist an information security policy which is approved by management, published and communicated as appropriate to all employees? | | |
| Review of Information Security Policy | Whether the information security policy has an owner who has approved management responsibility for the development, review and evaluation of the security policy. Whether the information security policy is reviewed at planned intervals, or when significant changes occur, to ensure its continuing suitability, adequacy and effectiveness. | | |
| Management commitment to information security | Whether management demonstrates active support for security measures within the organization. This can be done via clear direction, demonstrated commitment, and explicit assignment and acknowledgement of information security responsibilities. | | |
| Information security coordination | Whether information security activities are coordinated by representatives from diverse parts of the organization, with pertinent roles and responsibilities. | | |
| Allocation of information security responsibilities | Whether responsibilities for the protection of individual assets, and for carrying out specific security processes, were clearly identified and defined. | | |
| Confidentiality agreements | Whether the organization’s need for Confidentiality or Non-Disclosure Agreements (NDAs) for the protection of information is clearly defined and regularly reviewed. Does this address the requirement to protect confidential information using legally enforceable terms? | | |
| Contact with authorities | Whether there exists a procedure that describes when, and by whom, relevant authorities (such as law enforcement, the fire department, etc.) should be contacted, and how the incident should be reported. | | |
| Independent review of information security | Whether the organization’s approach to managing information security, and its implementation, is reviewed independently at planned intervals, or when major changes to the security implementation occur. | | |
| Addressing security when dealing with customers | Whether all identified security requirements are fulfilled before granting customer access to the organization’s information or assets. | | |
| Inventory of assets | Whether all assets are identified and an inventory or register of all important assets is maintained. | | |
| Acceptable use of assets | Whether regulations for the acceptable use of information and assets associated with information processing facilities were identified, documented and implemented. | | |
| Roles and responsibilities | Whether the security roles and responsibilities of employees, contractors and third-party users were defined and documented in accordance with the organization’s information security policy. Were the roles and responsibilities defined and clearly communicated to job candidates during the pre-employment process? | | |
| Information security awareness, education and training | Whether all employees in the organization and, where relevant, contractors and third-party users receive appropriate security awareness training and regular updates on organizational policies and procedures as they pertain to their job function. | | |
| Disciplinary process | Whether there is a formal disciplinary process for employees who have committed a security breach. | | |
| Termination responsibilities | Whether responsibilities for performing employment termination, or change of employment, are clearly defined and assigned. | | |