GV.PO-02.057
Does your organization have a process to update security policies in response to changes in technology adoption (e.g., AI) and business changes (e.g., acquisitions, new contract requirements)?
Explanation
Security policies must evolve alongside technological and business changes to remain effective. When organizations adopt new technologies like AI, cloud services, or IoT devices, or undergo business changes such as mergers, acquisitions, or new client contracts with specific security requirements, existing policies may become inadequate or outdated. Without regular updates, security gaps can emerge that leave the organization vulnerable to new threats or compliance issues. Evidence of fulfillment could include a documented policy review schedule, change management procedures that include security policy updates, meeting minutes from policy review sessions, or version-controlled security policies with revision histories showing updates in response to specific technological or business changes.
Implementation Example
Update policy to reflect changes in technology (e.g., adoption of artificial intelligence) and changes to the business (e.g., acquisition of a new business, new contract requirements).
ID: GV.PO-02.057
Context
- Function
  - GV: GOVERN
- Category
  - GV.PO: Policy
- Sub-Category
  - Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission

