AuditRubric
gv-po-2 high Govern / Policy

The cybersecurity policy is reviewed and updated to reflect changes in requirements, threats, and technology

A policy written two years ago reflects a threat landscape and technology stack that may no longer exist. Regulatory requirements change, new cloud services get adopted, and attack techniques evolve. Policies that are not reviewed become outdated and then quietly ignored, which is worse than having no policy because it creates a false impression of control.

Estimated effort: 3h
Tags: policy, governance, review, compliance, maintenance
Complete first: gv-po-1

Implementation steps

  1. Schedule an annual policy review

    Put a recurring calendar event on the security owner's calendar to review the cybersecurity policy at least once per year. Also trigger an out-of-cycle review whenever there is a significant change: a major cloud migration, a regulatory update, a significant incident, or a merger or acquisition.

  2. Review against current threats, regulations, and technology

    During each review, compare the policy against: current threat intelligence, any new regulatory requirements that apply to your industry, recent changes to your technology stack, and lessons from incidents or near-misses in the past year. Document what changed and why.

    Tools: Confluence, Notion

  3. Publish the updated policy and re-communicate to employees

    When changes are made, update the version number and approval date, get re-approval from the executive owner, publish the revised document, and notify employees of material changes. For significant rewrites, require re-acknowledgment from all employees.

    Tools: Confluence, Notion, Rippling

Evidence required

Policy version history

Evidence that the policy has been reviewed and updated, showing the date of each revision, what changed, and who approved the update.

  • Policy document with a change log table showing revision dates and summaries
  • Version history in the document management system
  • Git commit history for a policy document stored in a repository

Review meeting records or sign-off documentation

Records showing the policy was actively reviewed (not merely left unchanged) at least once in the past 12 months.

  • Annual security review agenda item covering policy review
  • Email from CISO or executive approving updated policy
  • Ticket or task marked complete for annual policy review

Related controls