Audit

Ready?

Risk Assessment

Has a security risk assessment been executed

Have secure area's been defined

Is the risk assessment up-to-date

ICT security risk assessments

ICT continuity

Security policies & plans

Has a security plan been defined (in line with risk assessment)?

Has a security policy been defined

Has a document classification policy been defined

Has clear desk policy been defined

Are security rounds and clear desk checks planned

Is a key management policy in place

Contingency/Disaster recovery plan

Controls

Access control systems in place (keys or card readers) in line with secure areas defined?

How is authorization, registration and review of authorization of keys and badges organized?

Safe storage of keys and badges

Access control systems in place (IT systems)?

How is authorization and review of authorization of IT systems organized?

Is the password of admin user stored safely?

Are backups made ?

Safe storage of backup media

Results of clear desk rounds documented?

Follow up on clear desk rounds?

Generics

Notes

Open issues

Possitives

Findings