The document is archived and information here might be outdated
Process 6: Review and Maintain Policy
Published: April 25, 2008
Policies are only as effective as the relevance and accuracy of their information; policy violations increase when that information is out of date or doesn’t address what the user is seeking. To ensure that policies stay current and relevant, the organization should schedule regular policy reviews and make adjustments and changes as a result of those reviews. Because policy change often has legal considerations, the process should include documentation indicating that changes have occurred, why they happened, and who approved them.
The following table lists the activities involved in this process. These activities include:
Controlling policy configuration.
Table 9. Activities and Considerations for Reviewing and Maintaining Policies
Is the policy still relevant, accurate, and legal?
Have any laws and regulations changed since the policy was created? If so, what are the implications?
Have certain technologies and processes changed since the policy was created? If so, what implications do they have on risk?
Are there new risks that policies should address?
List of policies requiring modification
Control policy configuration
Are these policies easy to understand?
Do these policies correctly convey the vision and goals of the business?
Are these policies in conflict with any vision and goals of your department or area of responsibility?
Will the structure of these policies last for several years?
Policy review package
Vision and goal statements of the business
Business continuity plan
Policies with comments
Take the time to read a policy aloud to someone who is not acquainted with the subject matter. Strive for the goal of the policy to be understandable in one reading.
Conflict between organizational goals and policy may not be an indicator of a policy problem, but rather ambiguity or conflict with the goals themselves.
Don’t try to resolve this kind of conflict at the policy level; instead, refer the issue to management for review and clarification.
Are the comments valid?
Are the comments sufficiently serious to warrant a policy change?
What is the impact of changing policies?
Commented policy review package
Policy changes have potentially far-reaching and possibly unanticipated consequences. A policy should be constructed so that it is relatively stable; the most frequent changes should occur at the level of procedures.
A policy describes the rules and provides guidelines. Procedures are the means of implementing policy in processes and activities. Ensure that everyone responsible for policy creation and review knows the difference.