Organizational Policy Review


This methodology explores existing organizational practices, informal agreements, and policies around managing information security and responding to threats. It also seeks to reveal presumptions made within the organization which are neither shared (informally or otherwise) nor codified in policies.


Many smaller organizations do not have formal policies around information security. This is not inherently a good or bad thing, as informal agreements and practices often take their place. The goal of this component is to reveal any presumptions that are not shared, to help set more formalized agreements across the organization, and to cross-verify these policies, practices, guidelines, and informal agreements against what is actually taking place (generally using activities from the data assessment and device assessment methodologies).

  • Identify what (if any) baseline policies or informal agreements exist to respond to common information security and business continuity challenges
  • Clarify any presumptions being made but not effectively shared
  • List of existing agreements and their gaps
  • Resources to formalize/expand agreements into policies
  • Onboarding checklist (entry/exit policies)

Guiding Questions

    • Are there documented policies or practices, including any employee onboarding guidance?
    • What is the level of formality of the security practices in place? Are they verbal conventions, written documents, or something in between?
    • What is the understanding by the management and/or staff on common security practices?
    • Are there presumptions being made by some staff which are not shared?
    • How are any of these implemented / required / verified within existing organizational practice?

    Specific aspects to explore are:

    • Password expectations (password management, complexity, requirements)
    • Entry/exit policies and account management
    • Information classification that limits access (e.g. who has access to financial data? partner data?)
    • Backups
    • Acceptable use policies (what can and cannot staff do with their work devices)
    • Travel policies (VPN usage, etc.)

Operational Security

Storage: Store documents and files received in secure and encrypted volumes or disks. Be aware of (and avoid using) any insecure temporary locations.

Communication: Utilize secure communication channels to receive policies and discuss them.


    If (through interviews or even the audit agreement process) you have received copies of policies, a thorough review of the written policies is required to assess whether they are being followed, enforced, or have changed since being formalized.


    • List of existing agreements and policies and their gaps
    • Resources to formalize/expand agreements into policies
    • Providing initial support to help the organization decide on and agree to baseline guidance around critical digital security controls, such as an onboarding checklist, entry/exit policies, etc.

References and resources for Organizational Policy Review