Information Security Policy

Why it matters

Without a formal, board-approved security policy, management's security expectations remain unclear and inconsistent, leading to widespread non-compliance, uncoordinated incident responses, and failure to meet regulatory expectations. A weak policy also leaves the organization vulnerable to claims that security failures were due to lack of direction rather than execution gaps.

Evidence to collect

• Master Information Security Policy document signed by CEO/Board with publication date and version control
• Staff acknowledgement log or tracking report showing annual sign-off (names, dates, completion rate)
• Hyperlinked policy document showing references to supporting policies (Access Control, Incident Response, Data Classification, etc.)
• Communication record (email, intranet post, LMS enrollment) showing policy distribution to all staff with dates

Testing procedure

Retrieve the current master security policy and verify CEO or board-level signature/approval. Confirm the policy is publicly accessible to all staff (intranet, handbook, LMS). Select a random sample of 20+ employees from different departments and confirm they have signed annual acknowledgement within the past 12 months; document sign-off dates. Trace policy references to at least three supporting policies (e.g., Access Control, Incident Response, Data Classification) and verify they exist and are current.

Common gotchas