Documenting policies has always been a major pain point of companies working towards compliance. It can be a lot of work!
The exercise of documenting policies often identifies gaps in the defined processes, and can trigger time-intensive activities beyond just documenting those policy gaps.
Policies are just a way of articulating how things should be done in order to meet your business goals, satisfy any compliance requirements, and simply operate effectively as a company. But because of the pain involved, we see a lot of templates used, even cookie-cutter templates taken off the shelf.
Every business has unique goals, its own systems and environment, and its own ways of operating, so it’s really important to implement policies that fit those. Aside from the risk of being caught out in compliance audits or of real operational failures if they don’t fit, it’s also harmful for culture to have policies that don’t reflect the business. It puts doubt in everyone’s mind about the right way to operate, and about whether organisational records like policies are reliable or should be ignored.
So here we’ll cover the best way to work through implementing policies that fit. We’re all for leveraging templates and shortcuts!
Which policies should be documented?
To be clear what we’re talking about, here’s some example policies most businesses should establish:
- Code of Conduct / employee handbooks
- Acceptable Use policies
- Information Security policies
- Risk Management
- Vendor management / Supplier Governance
- Incident Management and Response
- Change management
… to name a few. Some businesses opt for fewer documents with more topics in each one, whereas others like to break it down into micro policies for each subject matter. It doesn’t matter either way; what matters is the overall coverage and what fits the business best.
What steps should you take to implement your own policies?
Step 1: As a starting point, you can complete a readiness assessment of any compliance standards you’re working towards, now or in the future. That way you have a starting scope of which policies are relevant. Of course policies are more than compliance, but this supports an informed and appropriately prioritised approach to them. For example, if you’re pursuing HIPAA compliance or CDR accreditation, there are more prescribed types of policies required. Knowing that up front saves working them in later.
Step 2: Identify a good set of templates, examples or another starting point you can build on. The reason you should always do this is that starting from a blank canvas is hard. Even if you’re an expert in these areas, you’ll find yourself using all your mental energy just to come up with a list of topics and types of information to include, which many others have already worked through previously. Leverage that, but take it with a grain of salt and aim to completely change it to fit your circumstances.
Step 3: Cut, adjust and land on a rough starting point. Most templates and examples are more comprehensive than you might need. So when you see things and think, “that’s not overly relevant or important for us”, cut them out. Adjust other parts to fit; for example, if the template has a password policy but your approach mandates multi-factor authentication as the primary way of ensuring strong access security, then update it to reflect that. As you go you might also find areas where it’s helpful to add more detail, such as practical considerations, who does what, or new areas that are important to your environment and may not be covered. If you’re spending hours on each policy, that’s too long and probably not the best way; see the next point.
Step 4: Flag areas you’re unsure about, don’t have the answers for, or where further work may be required. It’s fine to go live with these; it’s just important to differentiate them from the rest of the policy so they don’t cause confusion and it’s recognised that they’re not set in stone. You should also log areas of process improvement where this exercise identifies gaps or areas that can be strengthened, which is very common.
Step 5: Implement and revise that starting point. All policies should be an evolving reflection of how you do business. They should change and be updated at least annually as the business changes, AND based on the flagged items above as you refine how things work in practice. This is particularly relevant and important when implementing policies for the first time. It’s helpful to see live application of the policy and trial what works before finalising all elements of the policies. Generally, auditors and initial compliance reviews will understand that and can accept it as a starting point.
So there you have it: policies that fit, without too much initial time investment, through a pragmatic approach to finding the right fit and getting real value out of policy implementation.
About AssuranceLab
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports and certifications (ASAE 3150, SOC 1/2, ISO 27001, CSA STAR, etc.). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.