GOV-001 Information Security Policy
Description
A documented information security policy exists, has been approved by management, communicated to all personnel, and is reviewed at defined intervals and upon significant changes. The policy establishes the organization's direction, scope, and commitment to protecting information assets.
Rationale
A formally approved and communicated policy is the foundation for all information security controls. Without it, there is no organizational baseline against which compliance and deviation can be measured.
Framework Mappings (6)
| Control ID | Control Title | Coverage |
|---|---|---|
| GRC-01 | Governance Program Policy and Procedures | full |
| GRC-03 | Organizational Policy Reviews | partial |
| GDPR-Art.24 | Controller Responsibility and Demonstrable Compliance | partial |
| 5.1 | Policies for information security | full |
| PL-1 | Policy and Procedures | partial |
| CC5.3 | COSO Principle 12: Deploys Through Policies and Procedures | partial |
Evidence (2)
Information security policy document, management-approved, with revision date and distribution record.
Example: Information Security Policy v2.3 (Confluence page or Google Drive doc), showing named approver (e.g. CISO), approval date, and a distribution record such as an all-staff email or intranet announcement.
Test: Request the current information security policy document. Verify: (1) a named approver and approval date appear on the document and the date is within the last 12 months, (2) a defined scope statement is present, (3) evidence of distribution exists — confirm via email send record, intranet post, or signed acknowledgement log.
Management review record showing the information security policy was formally reviewed at the most recent scheduled interval.
Example: Management review meeting minutes (Google Doc or Confluence) or a completed policy review workflow ticket (Jira/ServiceNow) dated within the last 12 months, with a named reviewer and disposition (approved / revised).
Test: Request the most recent policy review record. Verify: (1) review occurred within the defined interval (typically 12 months), (2) a named reviewer or approver is recorded, (3) if changes were made, a new version exists with updated approval date.
Questions (2)
Does your organization have a documented information security policy that has been approved by senior management?
The policy should carry a named approver (e.g. CISO or CEO), an approval date within the last 12 months, and a defined scope statement.
How frequently is your information security policy formally reviewed and re-approved?
ISO 27001 and SOC 2 expect at minimum an annual review. Look for a review record (meeting minutes or a workflow ticket) dated within the required interval.