Clause Test

The organization has not formally identified or documented its key stakeholders (e.g., customers, regulators, third-party service providers, etc.) and their needs and expectations related to information security.

While the ISMS has been formally designated, employees across the organization are unclear about the specific roles and responsibilities regarding information security. This has led to inconsistent implementation and monitoring of security controls.

The audit found limited involvement of top management in the establishment and maintenance of the ISMS. Top management has not participated in the risk assessment process or reviewed information security performance on a regular basis.

The scope of the ISMS is vaguely defined in the ISMS policy document, with no clear connection to the organization’s internal and external context, nor to the needs of interested parties

The organization has not set specific, measurable, attainable, relevant, and time-bound (SMART) information security objectives that align with the strategic direction of the organization.