This domain covers how your security governance is designed, implemented, and maintained.
Answer yes if your organisation engages a third party to conduct an annual information security review, and the findings are assessed by your organisation and acted upon where necessary. If yes, please add the date of your last review to the notes.
Answer yes if your organisation has an appointed role that is responsible for managing and implementing security controls throughout your business. Please confirm the role and its responsibilities in the notes or provide a job role description (as a PDF file) as evidence.
Answer yes if your organisation has a documented Cyber Security Policy or Information Security Policy that has been reviewed in the last year. Please provide the Information Security Policy (as a PDF file) as evidence.
Answer yes if your organisation has a documented Mobile Device Policy that has been reviewed in the last year. Please provide the Mobile Device Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Answer yes if your organisation has a documented Remote Working Policy that has been reviewed in the last year. Please provide the Remote Working Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Answer yes if your organisation has a documented Acceptable Use Policy that has been reviewed in the last year. Please provide the Acceptable Use Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Answer yes if your organisation has a documented Information Classification Policy that has been reviewed in the last year and that outlines the data handling procedures in operation within your organisation. Please provide the Information Classification Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Answer yes if your organisation has a documented Access Control Policy that has been reviewed in the last year. Please provide the Access Control Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Answer yes if your organisation has a documented policy on the use of cloud services that has been reviewed in the last year. Please provide the Cloud Services Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Answer yes if your organisation has a documented Password Policy that is enforced technically throughout the IT estate. Please provide the Password Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes. Please also include information about any controls you have to prevent brute-force attacks on passwords, such as account lockout thresholds or time delays between password attempts.
Answer yes if your organisation has a documented Backup Policy that has been reviewed in the last year. Please provide the Backup Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Answer yes if your organisation has implemented and enforces a Clear Desk and Screen Policy. Please provide the Clear Desk and Screen Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
Answer yes if your organisation blocks the use of removable media on your network and if this is enforced through the use of a technical control.
Answer yes if your organisation subjects the use of removable media to technical controls (these can include DLP solutions, encrypted USB drives, training and awareness, etc.). If yes, please describe the nature of these controls in the notes.
Answer yes if all of your employees have continuous access to your organisation's up-to-date policies (for example, through an intranet, cloud service, or networked drive).
Answer yes if all of your organisation's security policies are reviewed and approved by senior management.
Answer yes if your organisation has clearly defined and documented the security roles and responsibilities of senior management. Please provide the documented roles (as a PDF file) as evidence.
Answer yes if you include information security in your planning and delivery of projects (for example, by conducting a security risk assessment of each project and implementing project controls).
Answer yes if you only give each employee access to the business information that they require to complete their job role (this is known as the principle of least privilege).
Answer yes if you have an internal team that audits your security function against your policies to ensure compliance. Please comment on the frequency of the audits in the notes.
Answer yes if your organisation has completed a risk assessment process against its IT estate within the last year.
Answer yes if you require everyone who has access to confidential information to sign a confidentiality agreement or NDA. Please provide a template NDA (as a PDF file) as evidence.
Answer yes if your organisation has identified and segregated relevant duties to help reduce errors and to prevent fraud. Please give an example of such segregation in the notes.
Answer yes if your organisation has a defined process for terminating a client contract and removing all relevant client data securely. Please describe the process in the notes or provide a supporting document (as a PDF file) as evidence.