In this process, policies must be validated with all stakeholders of the business. Because an organization’s policies may have serious legal implications, validation requires careful attention to detail. The following table lists the activities involved in this process. These activities include:
Performing policy review.
Reviewing comments and revising policies.
Managing policy configuration.
Table 6. Activities and Considerations for Validating Policies
Perform policy review
Are these policies easy to understand?
Do these policies correctly convey the vision and goals of the business?
Do the policies enforce what you want enforced? Are they effective?
Are these policies in conflict with any vision and goals of your department or area of responsibility?
Will the structure of these policies last for at least two years?
Policy review package
Vision and goal statements of the business
Business continuity plan
Reviewed policies with comments
Before sending policies out for review, make sure they’re ready for the reviewers to see.
Establish focus areas for each reviewer or group of reviewers.
Make sure that policies remain relatively static over time; procedures may change more frequently to reflect modifications to processes, technologies, and organizations.
Review comments and revise policies
Are the comments sufficiently valid to warrant a policy change?
Policy review package with reviewer comments
Prior to the review, decide whose input you absolutely need and whose is optional. Additionally, determine the criteria regarding when an entire team must be involved in a review.
Establish criteria about what types of issues are important enough to change.
Manage policy configuration
Note: Policies should be managed through your organization’s change control process.
Are these policies under change control?
What is the maintenance and review process to be used?