A policy by definition is “a definite course of action”.
In the workplace, policy is used to govern the business. Policies communicate the values and vision of the organization, and ensure employees understand what is expected of them in certain situations.
Management uses policy to govern the operations of the business. Policy can be rigid, formal, well-documented and readily available to all personnel. Alternatively, it can be loose, informal, undocumented and perhaps limited to a specific audience.
Regardless of which compliance framework your organization follows, there is no escaping the need for formally documented policies. From a SOC 2, PCI DSS, or ISO 27001 perspective, well-thought-out policies help demonstrate that management has considered the risks and has committed to a course of action to address them.
Throughout my years of auditing, I’ve observed several situations where the role of policies was undervalued and treated as an afterthought. Policies get a bad rap for being a book of rules. However, policies are more than rules. Policies, if effectively written and shared, are deliberate communications to the members of your organization about how business is done and how to keep the organization safe. They set the tone, help shape the culture of a company, and should clearly communicate what is acceptable and what is not.
When it comes to audits, policies are at the top of any request list. Auditors start with policy and then evaluate the underlying processes and controls to determine whether those activities are in line with it. Where the two diverge, the root cause is typically either an outdated policy or a poorly managed process that exposes the organization to risk.
Policies must be actively maintained. As businesses evolve, so should their policies. Policies should be evaluated at least annually to ensure they remain effective and applicable. To ensure proper maintenance, each policy should have an assigned owner, be reviewed at least annually, be updated as needed, and be approved by the organization’s management and board of directors.