Governance and corporate culture

• Does your organization manage Information Security like your other corporate priorities?
• Do you have an organizational information security policy in place to guide how information is managed and protected?

Physical and personnel security

• Do you have the required policies and processes in place to ensure your human resources and infrastructure operate in a manner that takes into account the importance of information security?
• Do employees understand that sound information security practices are a clear expectation of their work performance?

Non-IT information

• Is it clear to all staff and management how effectively handle, store and share sensitive non-IT information and do they have access to sufficient storage equipment to protect this information?
• Does your organization have clear procedures to manage (store, log, track, dispose) information contained on portable storage devices such as memory sticks?

IT and cyber security counter measures

• Does your organization have robust cyber security controls in place?
• Does your organization conduct regular reviews of your IT assets to discover security vulnerabilities, and upon discovery assign proper severity to trigger remediation actions?
• Does your organization have a proper program in place to manage third-party security risks?

Emergency management and business continuity

• Do you have plans in place to prepare your organization for information security-related situations such as an information breach of private data in order to limit business impacts, protect your clients, and meet legislation requirements?
• Are you clear on what regulatory bodies need to be immediately notified in the event of a data/privacy breach?