Nothing is constant in this world. The environment, vulnerabilities and business models are continuously changing. So, it becomes important to continually review the information security policy.

Information security policy should be continually monitored with respect to continuing suitability, adequacy and effectiveness. To ensure the effectiveness of information security policy, a formal information security review and evolution process can be created which measures the levels of effectiveness for each of the 133 controls. If some controls are not implemented with effectiveness, then impact analysis should be done. Impact analysis should be done while considering risks to environment, organization and business models.

Management review and approval records for the review of information security policy should be maintained.

Following actions can result in review and evolution of information security policy document:

• Changes in information systems
• Change in Environments – Technical / organizational
• Change in Operational Processes
• New Business Objectives / Models
• New known vulnerabilities
• Resource Availability
• Change in Contractual, Statutory, Regulatory and Legal requirements / conditions
• Findings of Management Review
• Preventive & Corrective Actions
• Feedback from all interested parties & authorities
• Reviews within a team / workgroup
• Trends related to risks / threats / vulnerabilities
• Reported information security incidents

Important questions to be answered while implementing this control:

• Is owner or owners are identified for information security policy document and process who is responsible for development, review & evaluation and updating of policy document?
• How often is the information security reviewed for effectiveness and applicability?
• Does the management engage qualified external matter experts to review the information security policy?
• Does the policy owner operate from a defined and documented review process to revise and update the policy?
• How are qualifying events reviewed to determine if a policy revision or update is required?
• Is a formal management approved process is required for policy changes and updates?
• Is the revised policy reviewed and approved from senior management?
• Are the records of management review are available?

The management should provide support and a clear policy direction across the organization in the form of a written business document for information security. Management must communicate information security policy to all employees and relevant parties including consultants, contractors, vendors, business partners etc.

The information security document can be merged with some other policy document. A formal process can be developed for the communication of information security policy document. Effective information security policy document contains clear strategy and a series of well defined goals. Important questions to be answered while implementing this control:

• Is there a formal information security document published by management representing the business, legal, contractual and regulatory requirements of the organization?
• Does the security policy contain the definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing?
• Is the information security document made available to all employees and users including third parties of the organizations information systems?
• How is the policy communicated to all affected parties and what is the frequency of communication?
• Does the information security policy document address the business objectives of the organization?
• Does the information security policy document account for all applicable laws, regulations and contractual requirements?
• Is there a documented structure for risk assessment and risk management within the body of information security policy?
• Does the information security policy document represent the all applicable 11 control areas within the standard?
• Does the information security policy document contain explanation about information security education, training, and awareness requirements?
• Does the information security policy document contain explanation about business continuity management?
• Does the information security policy document contain explanation about consequences of information security policy violations?
• Does it describe the roles and responsibilities for information security management and reporting information security incidents?
• Does the information security policy document reference other policies, standards or control procedures as appropriate?

Management interaction and support is mandatory for this control to be fully effective. Apart from funding support, cultural support is very important. This is critical for helping build cultural standards or models within the organization and gaining the acceptance of individual users and groups.

Please note: Information security policy addresses that what must do. It does not address how to do it. A number of processes/procedures/guidelines should be developed to support the information security policy document.