Company Security Assessment
1) Do you have a formal process for information asset management?
1a) Does the process include supporting assets and classification based on confidentiality, integrity, availability, and authenticity?
2) Is there a formal information risk management process in place?
2a) Are information risk assessment results regularly reported?
3) Do you have formalized information security policies and procedures?
3a) Are these policies and procedures reviewed and updated regularly?
4) Do you provide regular security and awareness training for employees?
4a) Are these trainings tailored to different roles and responsibilities within the organization?
5) Do you have a defined physical access control concept?
5a) Does the concept cover both office and perimeter controls?
6) Do you ensure that your access control also operates correctly in emergency situations (e.g., evacuation, power failure)?
7) Do you have access control measures for visitors?
8) Is a zone-based access control concept in place?
8a) Are mantraps controlled, are sensitive areas permanently monitored, and are routes, control points, and CCTV integrated into the concept?
9) Are formal contracts for all suppliers in place?
9a) Do the contracts cover information security, data privacy, and a non-disclosure agreement (NDA)?
9b) Are information security procedures defined in the contract?
10) Are all outsourced services classified (e.g., material/non-material, critical/non-critical)?
10a) Does this classification include all services with data input into and output from the company?
10b) Has a risk assessment been carried out for each supplier?
10c) Have appropriate responses to the results of the risk assessment been implemented?
11) Is a general screening process documented and consistently applied to all candidates?
12) Are all employees who work with "material data" trained and reliable?
13) Is regular training scheduled for applicable employees?
14) Is an IT security concept in place?
14a) Does the concept cover the minimum parts: prevention, detection, and reaction?
14b) Are adequate IT security measures in place, including incident response and reporting?
15) Are all systems and applications regularly updated and patched?
16) Are access controls implemented for all IT systems and data?
16a) Are access rights reviewed and adjusted regularly?
17) Is perimeter protection (e.g., firewalls at the network boundary) in place?
18) Is there a documented incident response plan as part of your IT security concept?
18a) Do you operate a Security Operations Center (SOC)?
18b) Are threat intelligence and open source intelligence (OSINT) part of the SOC's inputs?
19) Do you conduct regular vulnerability assessments and penetration tests?
20) Do you have IT disaster recovery procedures in place?