PPPR-08

Do you have a documented information security policy?

Explanation

This question is asking whether your organization has a formal, written document that outlines your approach to information security. An information security policy is a foundational document that establishes the organization's security objectives, principles, roles, responsibilities, and requirements.

Why it's being asked:

1. It demonstrates your organization's commitment to security at a governance level
2. It shows you have a structured approach to security rather than ad-hoc practices
3. It indicates maturity in your security program
4. It's often required for compliance with regulations and standards (like ISO 27001, SOC 2, HIPAA, etc.)

The assessor wants to verify that security isn't just implemented through scattered technical controls but is guided by formal policies approved by leadership. This policy typically serves as the foundation for all other security procedures, standards, and guidelines.

To best answer this question:

1. Confirm whether you have a documented policy
2. Mention when it was last reviewed/updated (showing it's maintained)
3. Note if it's approved by leadership
4. Briefly mention its scope or key components
5. If applicable, mention any frameworks it aligns with (ISO 27001, NIST, etc.)

Example Responses

Example Response 1

Yes, our organization maintains a comprehensive Information Security Policy that was last updated in March 2023 and is reviewed annually. The policy is approved by our executive leadership team and covers areas including access control, data classification, incident response, acceptable use, and compliance requirements. Our policy framework is aligned with ISO 27001 standards and is distributed to all employees during onboarding, with annual acknowledgment required. The policy is available to all employees via our internal knowledge base, and policy compliance is monitored through our security governance program.

Example Response 2

Yes, we have a documented Information Security Policy that serves as the cornerstone of our security program. The policy was established in 2020 and undergoes quarterly reviews by our Security Steering Committee, with the most recent update completed last month. The policy addresses risk management, third-party security, data protection, network security, and employee responsibilities. It's based on NIST Cybersecurity Framework principles and is supplemented by detailed procedure documents for specific security domains. All employees receive training on the policy during onboarding and annual security awareness sessions.

Example Response 3

No, we currently don't have a formal, documented information security policy. Our security practices are implemented through various technical controls and team-specific procedures, but we haven't consolidated these into a comprehensive policy document approved by leadership. We recognize this gap in our security governance and have initiated a project to develop an information security policy by the end of Q3. We've engaged a security consultant to help draft the policy based on the ISO 27001 framework, and our CTO is sponsoring this initiative. In the interim, we rely on our technical security controls, employee security training, and departmental security procedures.

Context

Tab: Organization
Category: Policies, Processes, and Procedures

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub