Is someone responsible for the maintenance of the policy?
Is there someone responsible for identifying and documenting instances of non-compliance with security policies?
Is the information security policy communicated to appropriate personnel?
Do you make staff aware of this policy, e.g. at their induction?
Is the information security policy communicated to Third Parties?
Do staff have access to this policy at any time, e.g. via an intranet?
Is adherence to this policy included in employee contracts, including those for temporary staff?
Is there an information security policy that has been approved by management?
Is this policy reviewed and updated on at least an annual basis or following system/organisational changes?