Policy Checklist 

by John Bandler

Here is a checklist to help you review internal governance documents of your organization, such as policies, standards, and procedures. These documents could relate to cybersecurity, privacy, incident response, or any other subject that the organization needs to create written internal rules for.

I have built out many resources on policies and procedures, see references at bottom.

Big picture

Looking at the big picture, policy and procedure documents should do a few general things:

  • Help the organization accomplish its mission
  • Protect the organization
  • Keep the organization in compliance.

Details

  1. Initial information and summary (before your first read-through)
  2. Full name of document, e.g.
    • Information Security and/or Cybersecurity Policy
    • Incident Response Plan
    • Privacy Policy
    • Information Security Standards
    • Etc.
  3. Summarize the primary purposes of document
  4. Summarize the intended audiences (e.g. all employees, selected employees, customers/clients/consumers, regulators, insurance, etc.)
  5. Summarize the length (e.g. pages, words) and level of detail. How long a read do you think it is?  (average reading time is 200-250 words per minute)
  6. Summarize information about current version, who manages it, who implements it, etc.
  7. Are there initial concerns expressed regarding the document? (e.g. from organization, regulator, etc.)
  8. What laws and regulations apply to the organization relating to this document?
  9. First read through and initial questions (Read through the policy one time, all the way through)
  10. Summarize your initial impression after reading it through once.
  11. Summarize your initial questions after reading through it once.
  12. Overall, is the document helpful, practical, clear, and current?
  13. How long did it take you to read it?
  14. Big picture
  15. Does it establish the internal rules we want the organization and employees to follow?
  16. Is it helpful for the organization and employees?
  17. Is it the right compromise between length and brevity, generality and specificity?
  18. Cross reference
  19. Does it align with with relevant external rules (laws/regulations)? Where appropriate, does it name them?
  20. Does it align with helpful external guidance? Where appropriate, does it name them or point to additional resources?
  21. Is it consistent with other internal documentation? Does it point to relevant internal resources?
  22. Is there anything that conflicts with external rules, best practices, or other internal rules?
  23. Details and specific
  24. Does the document name adequately describe the general subject matter?
  25. Does the document name properly describe the type of governance document this is? (e.g. policy, standard, procedure, plan). The substance should properly match the name. E.g. a policy should be more general, a procedure should be more detailed, etc.
  26. Is length and level of detail appropriate for purpose and audience?
  27. Is version information readily available, including revision and approval date?
  28. Has it been reviewed or updated recently?
  29. Was it reviewed/updated recently?
  30. Is review/update history apparent or otherwise available?
  31. Does it indicate who is responsible for maintaining, implementing, and approving the document?
  32. Does it indicate the classification of the document?
  33. Does it establish or identify internal governance mechanisms?
  34. Overall, is the document helpful, practical, clear, and current?
  35. Is it readable and understandable for intended audiences?
  36. Is it written clearly?
  37. Is it practical?
  38. Is it well-organized?
  39. Is it modular?
  40. Are important points stated clearly and properly emphasized?
  41. Does the document establish what are mandatory rules for employees to follow, and that there could be discipline for failing to follow those rules.
  42. Input, advice, and stakeholders
  43. Did it need or obtain a legal review?
  44. Did it need input and review from relevant stakeholders, employees, and departments?
  45. Did it need and receive review and input from experts in the subject?
  46. Did it need and receive review and input from relevant members of the intended audience, including those charged with implementing it?
  47. Did it receive input and support from higher level management?
  48. Implementation
  49. Has it been read by necessary members of the organization?
  50. Do employees need training on the document?
  51. Does the organization need receive assurances from each employee that they read the document and will abide by it?
  52. Is it followed by the organization and relevant members?
  53. Is there any doubt within the organization or by employees as to whether the document is in effect and enforced? In other words, does anyone believe the document is just "on paper" or "for show" but not really in effect?
  54. Cross reference part 2 - Big picture of internal governance
  55. Is this document the right length and scope compared to other internal governance documents which may be related? Should documents be split or merged? For example, maintaining or navigating a single, large governance document can be burdensome, but so can maintaining or navigating dozens of separate, shorter governance documents.
    • Grouping appropriate subjects together reduces the number of documents, assuming document length is manageable.
    • Keeping policies general means less frequent revisions are needed, and reduces the burden on high-level management to review and approve.
    • Keeping procedures specific ensures more frequent changes can be done and at a lower level of approval than a policy.
  56. Is governance document review and update an integrated component of organization management, such that documents accurately reflect management directives?
  57. Other matters?
  58. Consider other details or general areas not listed above. No policy is perfect, and neither is any checklist (including this one).

Conclusion

This is some thoughts to guide your review, and is for myself, students (including learners in my CIPP/US course), clients, potential clients, and anyone else in need of information. It is not legal advice nor consulting advice, and is not tailored to your circumstances, and does not attempt to detail every point to consider nor all circumstances. Feel free to contact me if you have additions or suggestions.

If your organization needs help with creating or improving your policies, complying with cybersecurity related laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler's Four Pillars of Cybersecurity.

Additional Reading

This article is hosted at https://johnbandler.com/policy-checklist, copyright John Bandler, all rights reserved.

Posted 11/20/2021. Updated 7/20/2022.