A. Security Governance
This domain covers how your security governance is designed, implemented, and maintained.
01) Does your organisation conduct an annual independent information security review and act upon the findings?
Answer yes if your organisation engages a third party to conduct an annual information security review, the findings are assessed by your organisation and acted upon if necessary. If yes, please add the date of your last review to the notes.
02) Does your organisation have an appointed person responsible for information security, such as a CISO?
Answer yes if your organisation has an appointed role that is responsible for managing and implementing security controls throughout your business. Please confirm the role and its responsibilities in the notes or provide a job role description (as a PDF file) as evidence.
03) Does your organisation have a documented Cybersecurity Policy or Information Security Policy?
Answer yes if your organisation has a documented Cyber Security Policy or Information Security Policy that has been reviewed in the last year. Please provide the Information Security Policy (as a PDF file) as evidence.
04) Does your organisation have a formal policy on the use of mobile devices?
Answer yes if your organisation has a documented Mobile Device Policy that has been reviewed in the last year. Please provide the Mobile Device Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
05) Does your organisation have a formal policy for remote working that includes security?
Answer yes if your organisation has a documented Remote Working Policy that has been reviewed in the last year. Please provide the Remote Working Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
06) Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information?
Answer yes if your organisation has a documented Acceptable Use Policy that has been reviewed in the last year. Please provide the Acceptable Use Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
07) Does your organisation have a documented Information Classification Policy?
Answer yes if your organisation has a documented Information Classification Policy that has been reviewed in the last year and that outlines the data handling procedures in operation within your organisation. Please provide the Information Classification Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
08) Does your organisation have a documented Access Control Policy?
Answer yes if your organisation has a documented Access Control Policy that has been reviewed in the last year. Please provide the Access Control Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
09) Does your organisation have a policy governing the use of cloud services?
Answer yes if your organisation has a documented policy on the use of cloud services, and if it has been reviewed in the last year. The policy should include information security requirements for the acquisition, use, management, and exit from cloud services. Please provide the Cloud Services Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
10) Does your organisation have a Password Policy that is technically enforced throughout its IT estate?
Answer yes if your organisation has a documented Password Policy which is enforced technically throughout the IT estate. Please provide the Password Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes. Please also include information about any controls you have to prevent brute-force attacks on passwords, such as account lockout thresholds or time-delays between password attempts.
11) Does your organisation have a documented Backup Policy?
Answer yes if your organisation has a documented Backup Policy that has been reviewed in the last year. Please provide the Backup Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
12) Does your organisation enforce a Clear Desk and Screen Policy?
Answer yes if your organisation has implemented and enforces a Clear Desk and Screen Policy. Please provide the Clear Desk and Screen Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
13) Does your organisation prevent the use of removable media, and is this enforced technically?
Answer yes if your organisation blocks the use of removable media on your network and if this is enforced through the use of a technical control.
14) If the use of removable media is not prohibited and enforced technically, is its use subject to other compensatory controls?
Answer yes if your organisation subjects the use of removable media to technical controls (these can include DLP solutions, encrypted USB drives, training and awareness etc.). If yes, please describe the nature of these controls within the notes.
15) Are your organisation's information security policies accessible to all employees?
Answer yes if all of your employee's have continuous access to your organisation's up-to-date policies (for example, through an intranet, cloud service, or networked drive).
16) Are your organisation's information security policies reviewed and approved by senior management at least annually?
Answer yes if all of your organisation's security policies are reviewed and approved by senior management.
17) Has your organisation documented senior management roles and responsibilities for security within your organisation?
Answer yes if your organisation has clearly defined and documented the security roles and responsibilities of senior management. Please provide the documented roles (as a PDF file) as evidence.
18) Does your organisation include information security during the planning and delivery of projects?
Answer yes if you include information security in your planning and delivery of projects (for example, by conducting a security risk assessment of each project and implementing project controls).
19) Does your organisation restrict employee access to business information based upon the principle of least privilege?
Answer yes if you only give each employee access to the business information that they require to complete their job role (this is known as the principle of least privilege).
20) Does your organisation have an internal audit function that ensures information security requirements are being met by the business?
Answer yes if you have an internal team who audit your security function against your policies to ensure compliance. Please comment on the frequency of the audits in the notes.
21) Does your organisation conduct security risk assessments for your full IT estate at least annually?
Answer yes if your organisation conducts regular (at least annual) security risk assessments against the whole IT estate and takes appropriate action. Following a risk assessment, identified risks should be tracked, with assigned owners and risk treatment plans.
22) Does your organisation have a formal confidentiality or non disclosure agreement in place for all staff, contractors and third parties?
Answer yes if you require everyone who has access to confidential information to sign a confidentiality agreement or NDA. Please provide a template NDA (as a PDF file) as evidence.
23) Does your organisation segregate duties to prevent unauthorised disclosure or access to information?
Answer yes if your organisation has identified and segregated relevant duties to help reduce errors and to prevent fraud. Please give an example of such segregation in the notes.
24) Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?
Answer yes if your organisation has a defined process for terminating a client contract and removing all relevant client data securely. Please describe the process in the notes or provide a supporting document (as a PDF file) as evidence.
25) Does your organisation use threat intelligence to inform decisions about information security?
Answer yes if your organisation uses threat intelligence to make smarter decisions relating to information security strategy, policy, processes or operations. This could be collected, analysed and produced internally, or gathered from external sources such as information services or special interest groups. In the notes section, please describe how you collect, analyse and use threat intelligence within your organisation, or upload a document (as a PDF file) as supporting evidence.