AuditRubric
gv-po-1 | Severity: critical | Function: Govern / Policy

A cybersecurity risk management policy is established and enforced

A policy is the organization's written commitment about how it will handle security risk. Without one, every decision is made ad hoc and inconsistently. A good policy sets the standard against which behavior is measured, gives employees clear guidance, and provides auditors with the foundation they need to assess your program. It does not need to be long; it needs to be real and enforced.

Estimated effort: 8h
Tags: policy, governance, acceptable-use, compliance, enforcement
Complete first: gv-rm-2, gv-oc-1

Implementation steps

  1. Draft the core cybersecurity policy

     Write a policy that covers: scope (what systems and people it applies to), risk management approach (how risks are identified and treated), acceptable use of company systems, access control requirements, incident reporting obligations, and consequences for non-compliance. Keep the language plain. Employees should be able to read it and know what is expected of them.

     Tools: Confluence, Notion, Google Docs

  2. Get executive approval and publish the policy

     Have the policy reviewed by legal and approved by the executive owner of cybersecurity risk. Publish it in a location all employees can access. Include the approval date and the name of the approving authority. An unapproved or unpublished policy is not a policy.

     Tools: Confluence, Notion, Google Docs

  3. Require employee acknowledgment and establish enforcement

     Have every employee acknowledge they have read the policy at onboarding and annually thereafter. Define what happens when the policy is violated. Coordinate with HR to ensure violations are handled consistently and that the policy is referenced in employment agreements or handbooks.

     Tools: Rippling, Workday, BambooHR

Evidence required

Approved cybersecurity policy document

A written, approved, and published policy covering risk management, acceptable use, access control, and incident reporting with a clear effective date and approver.

  • Information security policy approved by CEO or CISO with date
  • Acceptable use policy published on the internal wiki
  • Policy document with version history and approval signatures

Employee acknowledgment records

Evidence that employees have acknowledged the policy, collected during onboarding and on the annual review cycle.

  • DocuSign or similar e-signature records from each employee
  • LMS course completion log for the policy acknowledgment module
  • HRIS record showing the policy acknowledgment date per employee

Related controls