opexxx

Information Security Assessment ISA5.txt

May 5th, 2021 (edited)
No.    Subject
1.1.1  To what extent are information security policies available?
1.2.1  To what extent is information security managed within the organization?
1.2.2  To what extent are information security responsibilities organized?
1.2.3  To what extent are information security requirements taken into account in projects?
1.2.4  To what extent are responsibilities between external IT service providers and the own organization defined?
1.3.1  To what extent are information assets identified and recorded?
1.3.2  To what extent are information assets classified and managed in terms of their protection needs?
1.3.3  To what extent is it ensured that only evaluated and approved external IT services are used for processing the organization's information assets?
1.4.1  To what extent are information security risks managed?
1.5.1  To what extent is compliance with information security ensured in procedures and processes?
1.5.2  To what extent is the ISMS reviewed by an independent entity?
1.6.1  To what extent are information security events processed?
2.1.1  To what extent is the suitability of employees for sensitive work fields ensured?
2.1.2  To what extent is all staff contractually bound to comply with information security policies?
2.1.3  To what extent is staff made aware of and trained with respect to the risks arising from the handling of information?
2.1.4  To what extent is teleworking regulated?
3.1.1  To what extent are security zones managed to protect information assets?
3.1.2  To what extent is information security ensured in exceptional situations?
3.1.3  To what extent is the handling of supporting assets managed?
3.1.4  To what extent is the handling of mobile IT devices and mobile data storage devices managed?
4.1.1  To what extent is the use of identification means managed?
4.1.2  To what extent is the user access to network services, IT systems and IT applications secured?
4.1.3  To what extent are user accounts and login information securely managed and applied?
4.2.1  To what extent are access rights assigned and managed?
5.1.1  To what extent is the use of cryptographic procedures managed?
5.1.2  To what extent is information protected during transport?
5.2.1  To what extent are changes managed?
5.2.2  To what extent are development and testing environments separated from operational environments?
5.2.3  To what extent are IT systems protected against malware?
5.2.4  To what extent are event logs recorded and analyzed?
5.2.5  To what extent are vulnerabilities identified and addressed?
5.2.6  To what extent are IT systems technically checked (system audit)?
5.2.7  To what extent is the network of the organization managed?
5.3.1  To what extent is information security considered in new or further development of IT systems?
5.3.2  To what extent are requirements for network services defined?
5.3.3  To what extent is the return and secure removal of information assets from external IT services regulated?
5.3.4  To what extent is information protected in shared external IT services?
6.1.1  To what extent is information security ensured among suppliers and cooperation partners?
6.1.2  To what extent is non-disclosure regarding the exchange of information contractually agreed?
7.1.1  To what extent is compliance with regulatory and contractual provisions ensured?
7.1.2  To what extent is the protection of personal data taken into account when implementing information security?