Question: Audit Document Below:

Auditor Name:
Audit Date:

| Security Policy Section | Audit Question | Findings | Compliance Y/N |
| --- | --- | --- | --- |
| Information Security Policy document | A policy that states management commitment and sets out the organizational approach to managing information security. Does there exist an information security policy, which is approved by the management, published and communicated as appropriate to all employees? | | |
| Review of Informational Security Policy | Whether the information security policy has an owner, who has approved management responsibility for development, review and evaluation of the security policy. Whether the information security policy is reviewed at planned intervals, or if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness. | | |
| Management commitment to information security | Whether management demonstrates active support for security measures within the organization. This can be done via clear direction, demonstrated commitment, explicit assignment and acknowledgement of information security responsibilities. | | |
| Information security coordination | Whether information security activities are coordinated by representatives from diverse parts of the organization, with pertinent roles and responsibilities. | | |
| Allocation of information security responsibilities | Whether responsibilities for the protection of individual assets, and for carrying out specific security processes, were clearly identified and defined. | | |
| Confidentiality agreements | Whether the organization's need for a Confidentiality or Non-Disclosure Agreement (NDA) for protection of information is clearly defined and regularly reviewed. Does this address the requirement to protect the confidential information using legally enforceable terms? | | |
| Contact with authorities | Whether there exists a procedure that describes when, and by whom, relevant authorities such as law enforcement, fire department etc. should be contacted, and how the incident should be reported. | | |
| Independent review of information security | Whether the organization's approach to managing information security, and its implementation, is reviewed independently at planned intervals, or when major changes to security implementation occur. | | |
| Addressing security when dealing with customers | Whether all identified security requirements are fulfilled before granting customer access to the organization's information or assets. | | |
| Inventory of assets | Whether all assets are identified and an inventory or register is maintained with all the important assets. | | |
| Acceptable use of assets | Whether regulations for acceptable use of information and assets associated with an information processing facility were identified, documented and implemented. | | |
| Roles and responsibilities | Whether employee security roles and responsibilities, contractors and third-party users were defined and documented in accordance with the organization's information security policy. Were the roles and responsibilities defined and clearly communicated to job candidates during the pre-employment process? | | |
| Information security awareness, education and training | Whether all employees in the organization, and where relevant, contractors and third-party users, receive appropriate security awareness training and regular updates in organizational policies and procedures as it pertains to their job function. | | |
| Disciplinary process | Whether there is a formal disciplinary process for the employees who have committed a security breach. | | |
| Termination responsibilities | Whether responsibilities for performing employment termination, or change of employment, are clearly defined and assigned. | | |