Answer yes if all of your organisation's security policies are reviewed and approved by senior management.
What is it?
Information security policies should be regularly updated to keep pace with internal and external developments as well as lessons learned. Since policies should always have senior management oversight and approval in order to be supported, any changes should also be reviewed and approved at the senior management level.
Why should I have it?
Updating your policies is not enough; you must also achieve demonstrable, continued senior management support for those evolving policies. This ensures their enforceability and reassures potential clients that your security is evolving with the organisation and with outside threats.
Your organisation’s security programme should be formally commissioned by your senior management team. When having it commissioned, ensure that annual review and reapproval processes are included.
That said, the review process should be mindful of the management team's time and level of expertise. Only higher-level policies would typically be reviewed and approved at this level. Ensure that it is well documented which policies are in scope.
Note that an annual review is an arbitrary frequency. Some organisations review less frequently and others more frequently. An annual cycle is, however, the frequency that most organisations and standards commonly look for. Whatever the frequency, ensure it is documented and justified.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy that meets your business and technical requirements.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.