ISO 27001 is the international standard for information security management. This checklist will help you get started with your ISO 27001 compliance journey.
Does the organization have Information Security policies?
Have all Information Security policies been approved by management, and is this approval reflected in the policy documents?
Have the Information Security policies been properly communicated to employees?
Are the Information Security policies subject to review?
Are the reviews of the Information Security policies conducted at regular intervals?
Are reviews of the Information Security policies conducted when significant changes occur?
Are responsibilities for the protection of company assets, and for carrying out specific security processes, clearly identified, defined and communicated to all relevant stakeholders?
Is Segregation of Duties enforced, maintained and monitored, in order to reduce opportunities for unauthorized modification or misuse of information or services?
Is there a procedure documenting under what circumstances, and by whom, contact with relevant authorities (law enforcement, special interest groups, etc.) will be made?
Is there a process for regular contact and threat intelligence sharing with relevant authorities?
Do relevant individuals within the organization maintain active membership in relevant special interest groups?
Do all projects go through some form of information security risk assessment that identifies areas of vulnerability and the corresponding mitigation actions?