Has a security risk assessment been executed?
Have secure areas been defined?
Is the risk assessment up-to-date?
ICT security risk assessments
Has a security plan been defined (in line with risk assessment)?
Has a security policy been defined?
Has a document classification policy been defined?
Has a clear desk policy been defined?
Are security rounds and clear desk checks planned?
Is a key management policy in place?
Contingency/Disaster recovery plan
Access control systems in place (keys or card readers) in line with secure areas defined?
How is authorization, registration and review of authorization of keys and badges organized?
Safe storage of keys and badges
Access control systems in place (IT systems)?
How is authorization and review of authorization of IT systems organized?
Is the password of the admin user stored safely?
Are backups made?
Safe storage of backup media
Results of clear desk rounds documented?
Follow up on clear desk rounds?