5.1.2 Review of Information security policy

This control is related to Management.

Nothing stays constant. The environment, the vulnerabilities and the business model are continuously changing, so the information security policy has to be reviewed continually rather than written once and filed away.

The information security policy should be monitored continually for its continuing suitability, adequacy and effectiveness. To make that measurable, a formal review and evaluation process can be established that rates the effectiveness of each of the 133 Annex A controls. Where a control is found not to be implemented effectively, an impact analysis should follow, considering the risks to the environment, the organization and the business model.

Records of the management review and of management's approval of the reviewed policy should be maintained; they are the evidence an auditor will ask for.

The following events can trigger a review and revision of the information security policy document:

  • Changes in information systems
  • Changes in the technical or organizational environment
  • Changes in operational processes
  • New business objectives or models
  • Newly known vulnerabilities
  • Changes in resource availability
  • Changes in contractual, statutory, regulatory and legal requirements or conditions
  • Findings of the management review
  • Preventive and corrective actions
  • Feedback from interested parties and authorities
  • Reviews within a team or workgroup
  • Trends in risks, threats and vulnerabilities
  • Reported information security incidents

Important questions to answer while implementing this control:

  • Has an owner (or owners) been identified for the information security policy document and its process, responsible for developing, reviewing, evaluating and updating the policy?
  • How often is the information security policy reviewed for effectiveness and applicability?
  • Does management engage qualified external subject-matter experts to review the information security policy?
  • Does the policy owner follow a defined and documented review process to revise and update the policy?
  • How are qualifying events reviewed to determine whether a policy revision or update is required?
  • Is a formal, management-approved process required for policy changes and updates?
  • Is the revised policy reviewed and approved by senior management?
  • Are the records of the management review available?