Information Technology (IT) & Risk Governance Checklist

Preamble

Governing information technology related risks is important for an organization to manage potential risks effectively and to achieve its business objectives. It is therefore important that an organization manages its IT infrastructure, operations and IT/business related risks through relevant policies and procedures that have been formalized and communicated to the relevant, responsible individuals.

The following checklist states the required policies, procedures, methodologies and documentation that should be in place to ensure that IT infrastructure and the related risks are managed effectively. The checklist has been developed based on the international standards ISO 27001 (Information Security Management) and ISO 20000 (Information Technology Service Management), the Control Objectives for Information and related Technology (COBIT) Framework, and the COSO Enterprise Risk Management Framework.

Key to Information Technology (IT) and Risk Governance Checklist

#: Sequence number.
Description: Required policy, procedures, methodology and/or documentation that should be in place for governance.
Availability (Yes/No): Whether the formalized policy, procedures, methodology and/or documentation is currently in place.
Responsible Personnel: Who is responsible for developing, maintaining and implementing the policy, procedures, methodology and/or documentation.
Status (Not initiated, initiated, on-going, completed, implemented): Current status of the policy, procedures, methodology and/or documentation.
Target Completion Date: Date of completion of the policy, procedures, methodology and/or documentation.
Remarks: Remarks regarding the policy, procedures, methodology and/or documentation.

Information Technology (IT) and Risk Governance Checklist


Columns: # | Description | Availability (Yes/No) | Responsible Personnel | Status (Not initiated, initiated, on-going, completed, implemented) | Target Completion Date | Remarks

1. Information Technology (IT) Governance Framework.
2. Information Technology (IT) strategic plan.
3. Formalized policies and procedures for IT operations and management.
4. Policies and procedures with regard to compliance with legislative, regulatory and contractual requirements.
5. Information security policy and procedures.
6. Information security awareness, education and training programs (e.g. in relation to potential risks, BCP, DRP, etc.).
7. Formalized procedures for managing and disposing of confidential information.
8. Clear desk and clear screen policy.
9. Backup and restoration policies and procedures.
10. Backup tape replacement policy.
11. Information exchange policies and procedures (e.g. exchange of information with external entities).
12. Information exchange agreements with external entities.
13. Network security management policy and procedures.
14. User account management and monitoring policy and procedures.
15. Password management policy and procedures.
16. Formalized physical and logical access security policy and procedures.
17. Formalized environmental security policies (e.g. use of fire extinguishers, water detectors, etc. within the server room).
18. Change management policy and procedures (e.g. for software change requests, user account changes, etc.).
19. Formalized change acceptance and implementation procedures.
20. Formalized User Acceptance Testing (UAT) procedure.
21. Incident management policy.
22. Insurance policy for IT fixed assets.
23. Asset management policy.
24. Equipment security policy and procedures (e.g. securing onsite, offsite, removal of equipment, etc.).
25. Communication management policy and procedures.
26. Human resource security policy (e.g. formally documented roles and responsibilities, terms and conditions, disciplinary actions, termination responsibilities, etc.).
27. Monitoring procedures to ensure segregation of duties.
28. Formally documented risk acceptance or tolerance criteria.
29. Periodic risk identification and assessment.
30. Detailed risk treatment plan for identified potential risks.
31. Formalized procedures for monitoring risks.
32. Formalized policies and procedures for review and monitoring of manual and automatic controls in relation to manual business processes and applications.
33. Formalized business impact analysis.
34. Formalized Business Continuity Plan.
35. Formalized Disaster Recovery Plan.
36. Procedures for testing BCP and DRP.
37. Training programs for staff on BCP and DRP.
38. Policies and procedures for reviewing, monitoring and updating BCP and DRP.
39. Software acquisition policy and procedures.
40. Software licensing policy.
41. Inventory of software in use.
42. Software escrow agreements.
43. Maintenance and service level agreements for software procured from external entities.
44. Policies and procedures for managing software owned and used by the organization.
45. Service management and delivery policies and procedures (e.g. IT services and business services).
46. Capacity management policies and procedures.
47. Service continuity and availability policies and procedures.
48. Service level reporting requirements.
49. Budgeting and accounting for IT services.
50. Business and supplier relationship management policies.
51. Procedures for monitoring third party services and service delivery.
52. Maintenance and service level agreements for hardware.
53. Maintenance and service level agreements for network and communication equipment.
54. Audit logs (e.g. operating system and application related logs).
55. Formalized procedures for monitoring audit logs (relating to normal users and administrators).
56. Formalized procedures for monitoring use of information resources (e.g. operating system, application, database, etc.).
57. Exception reports (e.g. generated from applications).
58. Procedures for monitoring exception reports.
