12.1.2 The information security policy is:
Defined Approach Requirements
12.1.2 The information security policy is:
- Reviewed at least once every 12 months.
- Updated as needed to reflect changes to business objectives or risks to the environment.
Customized Approach Objective
The information security policy continues to reflect the organization's strategic objectives and principles.
Defined Approach Testing Procedures
12.1.2 Examine the information security policy and interview responsible personnel to verify the policy is managed in accordance with all elements specified in this requirement.
Purpose
Security threats and associated protection methods evolve rapidly. Without updating the information security policy to reflect relevant changes, new measures to defend against these threats may not be addressed.
Good Practice
Regular review of the information security policy helps ensure it remains current with emerging threats, changes to organizational systems and processes, and changes to business objectives.
Periodic reviews should be conducted to ensure the policy continues to address all applicable regulations, standards, and legal requirements.
When significant changes occur to the business or IT environment, consider performing an additional review of the information security policy outside of the regularly scheduled review.
Definitions
The information security policy defines the entity's security objectives and principles. It provides the strategic direction for security measures implemented by the organization and defines how security is managed within the organization.
Further Information
Refer to industry standards and the PCI DSS standard for further information on requirement 12.1.2.
Purpose
Keep the information security policy current: review it at least once every 12 months and update it whenever business objectives or risks to the environment change.
Compliance strategies
- Scheduled annual review with a named owner, review date, and documented approval
- Version control and a change history for the policy
- Trigger-based review when significant business or IT changes occur, outside the regular schedule
Typical policies
- Information Security Policy (with revision history and review schedule)
Common pitfalls
- Review performed but not documented, leaving no evidence for the assessor
- Policy not updated after changes to systems, processes, regulations, or business objectives
Type
Governance
Difficulty
Low
Key risks
- Policy drifts from current threats and business objectives, so new protection measures are never addressed
Recommendations
- Tie the policy review to the change management process so significant changes automatically trigger a review, and retain evidence of each review and approval
Eligible SAQ
- SAQ-A-EP
- SAQ-B
- SAQ-B-IP
- SAQ-C
- SAQ-C-VT
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER