How frequently should the policy for ICT security be reviewed?

Sr. Mgr. Enterprise Risk in Manufacturing, a year ago

While we are not subject matter experts specific to IT / ICT within our company, in general from a governance/policy perspective and best practice it would be common to review policies annually (even though no revisions may be required) or when certain events occur that may trigger a review or update (i.e. org restructure, new internal controls, new procedures, etc.).

Information Security Analyst in Government, a year ago

Common industry best practice is to review security policies and procedures at least annually. However, organizations should also review and update their policies whenever there are major changes, such as:
- Compliance with new laws and regulations (e.g. recent launch of PCI 4.0, GDPR, new cybersecurity regulations, etc.)
- Experiencing a data breach or other security incident
- Adopting new technologies or business processes
- Changes in organizational leadership or structure
- Identification of new security threats or risks

Guidance from NIST as per Special Publication 800-53:
- Review and update the access control policy and procedures at an organization-defined frequency
- Develop, document, and disseminate security policies and procedures to relevant personnel
- Ensure security policies and procedures are sufficiently current to accommodate the information security environment and agency mission and operational requirements
