
Triggers for Reviews of Policies

From A 5.35, Independent review of information security:

The organization should consider conducting independent reviews when:

a) laws and regulations which affect the organization change;

b) significant incidents occur;

c) the organization starts a new business or changes a current business;

d) the organization starts to use a new product or service, or changes the use of a current product or service;

e) the organization changes the information security controls and procedures significantly.

ISO/IEC 27007 and ISO/IEC TS 27008 provide guidance for carrying out independent reviews.

From NotebookLM

The source documents specify several explicit triggers that necessitate the review and updating of an organization's policies, particularly the main information security policy and supporting topic-specific policies.

Key triggers for policy review include:

### 1. Significant Changes

Both the overarching organizational information security policy and specific topic-specific policies must be reviewed when significant changes occur.

Specifically, management should review and update information security policies in response to changes in:

  • Regulations, statutes, legislation, and contracts.
  • The organization's business strategy.
  • The organization's technical environment.
  • Information security risks.
  • The current and projected information security threat environment.
  • The organization itself, such as starting a new business or changing a current business.
  • Products or services, such as starting to use a new product or service, or changing the use of a current one.
  • Information security controls and procedures, if they change significantly.

The requirement for independent review of the organization's approach to managing information security (which includes policies) is also triggered when significant changes occur.

### 2. Planned Intervals

In addition to being reviewed when significant changes occur, policies must be reviewed at planned intervals.

  • The information security policy and topic-specific policies should be reviewed at planned intervals.
  • Confidentiality or non-disclosure agreements should be regularly reviewed.
  • The organization's approach to managing information security (which includes policies) should be reviewed independently at planned intervals.
  • Compliance with the organization's policies, rules, and standards should be regularly reviewed.

### 3. Incidents and Learning

Feedback from incidents and assurance activities also triggers policy review:

  • The review should be built on lessons learnt from information security incidents.
  • Lessons learned from information security events and incidents should be taken into account during the review of the information security policy and topic-specific policies.
  • The evaluation of information gained from information security incidents should be used to update the organization's information security risk assessment and determine and implement necessary additional controls. This necessitates policy review if control changes are determined.
  • The organization should consider conducting independent reviews when significant incidents occur.

### 4. Management Activities and Audits

Policy reviews are integrated into the management system framework:

  • Review and update of policies should take the results of management reviews and audits into account.
  • The management review inputs include considering changes in external and internal issues (relevant to the ISMS scope), and changes in needs and expectations of interested parties (relevant to the ISMS), which inherently requires reviewing the policy for continuing suitability.

When a policy is changed, review and updates of other related policies should be considered to maintain consistency.