How frequently should the policy for ICT security be reviewed?

Sr. Mgr. Enterprise Risk in Manufacturing, a year ago

While we are not subject matter experts specific to IT / ICT within our company, in general, from a governance/policy perspective and as best practice, it would be common to review policies annually (even though no revisions may be required) or when certain events occur that may trigger a review or update (i.e. org restructure, new internal controls, new procedures, etc.).

Information Security Analyst in Government, a year ago

Common industry best practice is to review security policies and procedures at least annually. However, organizations should also review and update their policies whenever there are major changes, such as:
- Compliance with new laws and regulations (e.g. recent launch of PCI 4.0, GDPR, new cybersecurity regulations, etc.)
- Experiencing a data breach or other security incident
- Adopting new technologies or business processes
- Changes in organizational leadership or structure
- Identification of new security threats or risks

Guidance from NIST as per Special Publication 800-53:
- Review and update the access control policy and procedures at an organization-defined frequency
- Develop, document, and disseminate security policies and procedures to relevant personnel
- Ensure security policies and procedures are sufficiently current to accommodate the information security environment and agency mission and operational requirements
