Does your organization require personnel to formally acknowledge receipt and understanding of security policies at onboarding, annually, and after policy updates?
Explanation
Regular acknowledgment of security policies ensures employees remain aware of their security responsibilities and any changes to those responsibilities over time. This practice creates accountability and helps establish a culture of security awareness throughout the organization.
Evidence could include screenshots of your policy management system showing acknowledgment timestamps, a sample of signed policy acknowledgment forms, or reports from your learning management system showing completion rates of policy acknowledgment tasks by employees.
Implementation Example
Require personnel to acknowledge receipt of policy when first hired, annually, and whenever policy is updated
ID: GV.PO-01.053
Context
- Function
- GV: GOVERN
- Category
- GV.PO: Policy
- Sub-Category
- Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
Related questions
- Has your organization established and communicated a formal risk management policy that clearly articulates management's intent, expectations, and direction?
- Does your organization have a process to regularly review and update cybersecurity policies and procedures to ensure alignment with your risk management strategy and overall cybersecurity objectives?
- Does your organization require formal approval from senior management for all security policies?
- Has your organization formally documented and communicated its cybersecurity risk management policy, processes, and procedures to all relevant stakeholders?
- Does your organization regularly update cybersecurity policies based on risk management review results to maintain acceptable risk levels?
- Does your organization have a documented timeline for reviewing and updating security policies in response to changes in the risk environment or mission objectives?

