11.1.1 All security policies and operational procedures that are identified in Requirement 11 are:

Defined Approach Requirements

11.1.1 All security policies and operational procedures that are identified in Requirement 11 are:

• Documented.
• Kept up to date.
• In use.
• Known to all affected parties.

Customized Approach Objective

Expectations, controls, and oversight for meeting activities within Requirement 11 are defined, understood, and adhered to by affected personnel. All supporting activities are repeatable, consistently applied, and conform to management's intent.

Defined Approach Testing Procedures

11.1.1 Examine documentation and interview personnel to verify that security policies and operational procedures are managed in accordance with all elements specified in this requirement.

Purpose

Requirement 11.1.1 is about effectively managing and maintaining the various policies and procedures specified throughout Requirement 11. While it is important to define the specific policies or procedures called out in Requirement 11, it is equally important to ensure they are properly documented, maintained, and disseminated.

Good Practice

It is important to update policies and procedures as needed to address changes in processes, technologies, and business objectives. For this reason, consider updating these documents as soon as possible after a change occurs and not only on a periodic cycle.

Definitions

Security policies define the entity's security objectives and principles. Operational procedures describe how to perform activities, and define the controls, methods, and processes that are followed to achieve the desired result in a consistent manner and in accordance with policy objectives.