Is information security represented across all parts of the organisation?
Are special interest group/forum meetings attended on a regular basis? (Special interest forums/groups are specific to an industry sector, for example, ISC2, ISACA, Institute of Business Continuity Management, etc.)
Is there an information security function responsible for managing the assignment of specific roles and responsibilities for information security?
Is there an information security function responsible for developing and maintaining an overall strategic security plan?
Is there an information security function responsible for reviewing and monitoring information security/privacy incidents or events, as well as monitoring significant changes in the exposure of information assets?
Is there an information security function responsible for maintaining contacts with information security special interest groups, specialist security forums, or professional associations?
Does senior management actively support information security within the business by providing clear direction and budgeted commitment?
Is there an information security function responsible for reviewing the effectiveness of information security policy implementation?