Looking for guidence on how to answer the following questions.. We are a small / medium company.
- Does your company have a written information security program designed to protect the confidentiality, integrity and availability of our information? If the answer is yes, please note in the adjacent box whether it is recognized by any professional certification such as ISO27001, PCI-DSS AOC, SOC Type II reports, and if so, which one(s).
- Does your company have established controls for assessing and ongoing oversight of the adequacy of your own partners’ / suppliers’ IT Security postures? (Note - Leaning on contractual language / provisions is not the same.)
- Does your company have a formalized, documented Corporate Incident Response policy and a formalized Breach Notification process?
- We do not ....what is the best way to write one up?