When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during planned policy reviews or event-driven reviews after significant changes.
| Review question | Yes/No | Notes | Action required |
|---|---|---|---|
| Is the policy still aligned with the ISMS scope? | |||
| Is the policy still aligned with current risks? | |||
| Have there been incidents requiring updates? | |||
| Have there been new vulnerabilities or threats? | |||
| Have there been technology changes? | |||
| Have there been legal, regulatory, or contractual changes? | |||
| Have there been organizational changes? | |||
| Are responsibilities still accurate? | |||
| Are references to supporting documents still valid? | |||
| Is the policy clear and understandable? | |||
| Is implementation still cost-effective and proportionate? | |||
| Are communication and acknowledgement requirements defined? | |||
| Does the policy need revision? | |||
| Has the review been recorded? |
- Template
- Policy
- Review
- A5 1
Note Metadata
Aliases: Policy Review Checklist
Source: 90 Templates/Policy Review Checklist.md
Related Notes
- Information Security Policy
- ISO 27001 A.5.1 - Policies for Information Security
- ISO 27001 A.5.36 - Compliance with Policies, Rules and Standards for Information Security
- ISO 27001 A.5.37 - Documented Operating Procedures
- A.5.1 Audit Evidence Pack
- A.5 Organizational Controls Implementation Guide
- Templates MOC