Risk Assessment Check List
Information Security Policy
1. Information security policy document
Does an information security policy exist that is approved by management, published and
communicated as appropriate to all employees?
Does it state management's commitment and set out the organization's approach to
managing information security?
2. Review and Evaluation
Does the security policy have an owner who is responsible for its maintenance and review
according to a defined review process?
Does the process ensure that a review takes place in response to any change affecting the
basis of the original assessment, for example a significant security incident, a new vulnerability, or
a change in the organizational or technical structure?
Information security infrastructure
1. Allocation of information security responsibilities
a. Are responsibilities for the protection of individual assets and for carrying out specific
security processes clearly defined?
2. Co-operation between organizations
a. Are the appropriate contacts with law enforcement authorities, regulatory bodies, utility
providers, information service providers and telecommunication operators maintained to
ensure that appropriate action can be quickly taken and advice obtained, in the event of an
3. Independent review of information security