
This questionnaire is designed to assist with reviewing and documenting the risk profile of your organization's information processing activities. It contains ten sections, following the control-clause structure of ISO/IEC 27002:2005. The major focus areas include security policy, asset management, human resources security, physical and environmental security, communications and operations management, business continuity management, and compliance.
Sample questions include: Does an information security policy and a security strategy exist? Describe the lifecycle process for information security policies at your organization. Were the appropriate parties involved in developing the policies? How is the security policy communicated?