GRC-03: Organizational Policy Reviews

PF v1.0 References:

Previous Version:

Control Statement

Review all relevant organizational policies and associated procedures at least annually or when a substantial change occurs within the organization.

Implementation Guidance

Management-approved policies and procedures should be communicated to all employees, who are expected to adhere to them. Evaluate policies, procedures, and assigned responsibilities for accuracy and effectiveness at least annually, and also whenever there are significant internal changes or changes in the external operating environment.

Auditing Guidance

  1. Examine the policies and/or procedures related to the Enterprise Risk Management (ERM) program to determine whether the organization reviews these documents at least annually or when a substantial change occurs within the organization.
  2. Confirm that policy reviews have taken place in compliance with the organization's review requirements, and that any exceptions identified are investigated and remediated.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.