Process 6: Review and Maintain Policy

Published: April 25, 2008


Policies are only as effective as the relevance and accuracy of their information; policy violations increase when that information is out of date or doesn’t address what the user is seeking. To ensure that policies stay current and relevant, the organization should schedule regular policy reviews and make adjustments and changes as a result of those reviews. Because policy change often has legal considerations, the process should include documentation indicating that changes have occurred, why they happened, and who approved them.

Activities: Review and Maintain Policy

The following table lists the activities involved in this process. These activities include:

  • Reviewing policy.
  • Controlling policy configuration.
  • Changing policy.

Table 9. Activities and Considerations for Reviewing and Maintaining Policies



Review policy

Key questions:

  • Is the policy still relevant, accurate, and legal?
  • Have any laws and regulations changed since the policy was created? If so, what are the implications?
  • Have certain technologies and processes changed since the policy was created? If so, what implications do they have on risk?
  • Are there new risks that policies should address?


  • Operational policies


  • List of policies requiring modification

Control policy configuration

Key questions:

  • Are these policies easy to understand?
  • Do these policies correctly convey the vision and goals of the business?
  • Are these policies in conflict with any vision and goals of your department or area of responsibility?
  • Will the structure of these policies last for several years?


  • Policy review package
  • Vision and goal statements of the business
  • Business continuity plan


  • Policies with comments

Best practices:

  • Take the time to read a policy aloud to someone who is not acquainted with the subject matter. Strive for the goal of the policy to be understandable in one reading.
  • Conflict between organizational goals and policy may not be an indicator of a policy problem, but rather ambiguity or conflict with the goals themselves.
  • Don’t try to resolve this kind of conflict at the policy level; instead, refer the issue to management for review and clarification.

Change policy

Key questions:

  • Are the comments valid?
  • Are the comments sufficiently serious to warrant a policy change?
  • What is the impact of changing policies?


  • Commented policy review package


  • Revised policies

Best practices

  • Policy changes have potentially far-reaching and possibly unanticipated consequences. A policy should be constructed so that it is relatively stable; the most frequent changes should occur at the level of procedures.
  • A policy describes the rules and provides guidelines. Procedures are the means of implementing policy in processes and activities. Ensure that everyone responsible for policy creation and review knows the difference.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.


Get the Microsoft Operations Framework 4.0

Solution Accelerators Notifications

Sign up to learn about updates and new releases


Send us your comments or suggestions