Question: Is there a formally approved enterprise information security policy reviewed at least annually?
Objective — Why This Matters
A living, approved policy sets the baseline for controls, reduces audit friction, and clarifies “how we work securely.” For MSMEs, short and precise beats long and unread.
Maturity Levels (0–5)
0 — Unaware
No policy or an outdated draft.
1 — Ad Hoc
Policy exists but not approved or communicated.
2 — Defined
Approved policy; employees can find it; annual review scheduled.
3 — Managed
Sub-policies mapped; changes tracked; attestations captured.
4 — Integrated
Policy tied to risk assessments and audits; metrics reported.
5 — Optimized
Continuous improvement; versioned and benchmark-aligned.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Publish a 4-6 page policy covering scope, roles, access, monitoring, IR, vendors. |
| 1 → 2 | Get formal approval; record version/date; post in intranet; notify staff. |
| 2 → 3 | Add change log; map to sub-policies (e.g., access, backup, logging); collect annual attestations. |
| 3 → 4 | Link policy to risk/audit findings; set KPIs (review cycle adherence). |
| 4 → 5 | Benchmark against ISO/NIST yearly and update with rationale. |
People / Process / Technology Enablers
- People: Policy owner; approver; Legal/HR reviewer.
- Process: Policy lifecycle SOP; annual review calendar.
- Technology: Version control (git); e-signature for attestation.
Evidence Required
- Current approved policy PDF + change log.
- Proof of staff notification and access stats.
- Attestation report (completion %).
Metrics / KPIs
- Policy review on time (Y/N).
- Attestation completion rate.
- Number of deviations/exceptions approved.
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Versioning | GitHub | Reviewed and merged pull requests are the approval record; annotated tags (e.g., v1.2) mark each approved version with approver and date. |
| Attestations | Google Forms | Collect annual "read & understood." Restrict the form to signed-in organisation accounts and collect the e-mail address so each attestation is attributable. |
| Publishing | GitHub Pages | Hosting for the rendered policy. Pages sites are public unless the plan supports private Pages; keep internal details (names, network layout) out of anything published there. |
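As an added example (not from the page, and not a NIRMATA artefact), the script below shows the git-backed lifecycle the table recommends, done with plain git so it also works without GitHub: each approved version is recorded as an annotated tag whose tagger, date and message are the approval evidence, the tag list doubles as the change log, and the "policy review on time" KPI is computed from the date of the latest approved version. Assumptions: the policy is a single file `policy.md`, versions are tagged `vMAJOR.MINOR`, the review window is 365 days, and the function names (`init_policy_repo`, `approve_policy`, `policy_changelog`, `review_on_time`, `days_between`) are hypothetical. Day counts are done in awk so the script does not depend on GNU `date`.

```shell
#!/bin/sh
# Added example: git-backed policy lifecycle (assumed layout: policy.md,
# annotated tags vX.Y, 365-day review window). Not the page's own tooling.
set -eu

REVIEW_WINDOW_DAYS=365

# Create the repository that holds the policy; identity is needed for tags.
init_policy_repo() {
  git init -q "$1"
  git -C "$1" config user.name  "Policy Owner"
  git -C "$1" config user.email "policy-owner@example.invalid"  # assumed
}

# Record an approved version: commit policy.md and create an annotated tag.
# Args: repo, version (v1.0), approver, approval date (YYYY-MM-DD).
# The tag object stores tagger, date and message: the approval evidence.
approve_policy() {
  repo=$1; version=$2; approver=$3; approved_on=$4
  git -C "$repo" add policy.md
  git -C "$repo" commit -q -m "Policy $version" >/dev/null
  GIT_COMMITTER_DATE="${approved_on}T09:00:00" \
    git -C "$repo" tag -a "$version" -m "Approved by $approver on $approved_on"
}

# Change log for the evidence pack: one line per approved version, oldest first.
policy_changelog() {
  git -C "$1" for-each-ref refs/tags --sort=creatordate \
    --format='%(refname:short) %(creatordate:short) %(subject)'
}

# Whole days from date A to date B (YYYY-MM-DD), via Julian day numbers.
days_between() {
  awk -v a="$1" -v b="$2" '
    function jdn(s,  y, m, d, x, p) {
      split(s, p, "-"); y = p[1] + 0; m = p[2] + 0; d = p[3] + 0
      x = int((m - 14) / 12)
      return int((1461 * (y + 4800 + x)) / 4) + int((367 * (m - 2 - 12 * x)) / 12) \
             - int((3 * int((y + 4900 + x) / 100)) / 4) + d - 32075
    }
    BEGIN { print jdn(b) - jdn(a) }'
}

# KPI "policy review on time": age of the latest approved version on a given
# date. Prints a status line; exit 0 if within the window, 1 if overdue or
# if no approved version exists.
review_on_time() {
  repo=$1; today=$2
  latest=$(git -C "$repo" for-each-ref refs/tags --sort=-creatordate \
             --format='%(refname:short) %(creatordate:short)' | head -n1)
  if [ -z "$latest" ]; then
    echo "status=NO_APPROVED_VERSION"
    return 1
  fi
  version=${latest% *}; approved=${latest#* }
  age=$(days_between "$approved" "$today")
  if [ "$age" -le "$REVIEW_WINDOW_DAYS" ]; then
    echo "version=$version approved=$approved age_days=$age status=ON_TIME"
  else
    echo "version=$version approved=$approved age_days=$age status=OVERDUE"
    return 1
  fi
}

# Demo with constructed data: run as `sh policy_lifecycle.sh demo`.
demo() {
  d=$(mktemp -d)
  init_policy_repo "$d"
  printf 'Information Security Policy v1\n' > "$d/policy.md"
  approve_policy "$d" v1.0 "Managing Director" 2023-02-10
  printf 'Information Security Policy v1.1 (vendor section added)\n' > "$d/policy.md"
  approve_policy "$d" v1.1 "Managing Director" 2024-02-20
  policy_changelog "$d"
  review_on_time "$d" 2025-01-15 || true
  review_on_time "$d" 2025-03-01 || true
  rm -rf "$d"
}
[ "${1:-}" = "demo" ] && demo
```

The tag message is deliberately the only free text: the approver and date live in the tag object itself, so `git verify-tag` or `git show v1.1` reproduces the evidence later without trusting a spreadsheet. On GitHub the same tags can be created from a merged pull request, which adds the reviewer's approval to the record.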
Common Pitfalls
- Policy written like a textbook; nobody reads it.
- Policy not mapped to procedures/controls.
- No evidence of approval or review cycle.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | Clause 5.2 (Policy); Annex A 5.1 (Policies for information security) |
| DPDP Act 2023 | Sec 8(5) duty to take reasonable security safeguards; the policy is the documented baseline for those safeguards |
| NIRMATA Scoring | GL-Q03 requires approved policy + annual review proof. |