6 Steps to a Mature Policy Management Program

When the reality of the pandemic sank in, and people shifted to remote working nearly overnight, companies had to rethink the data and technology policies written for a typical office working space. Some organizations were scrambling to make updates, while others already had a policy management program to guide them through this event. 

A mature policy management program can mean the difference between a chaotic response to rapid change and a seamless, targeted reaction. This article, which originally appeared on the ISACA blog, presents six steps to implementing a policy management framework to meet and maintain compliance across the organization.

What Is Policy Management?

Policy management is the exercise of documenting, distributing, and revising your organization’s point of view on how situations, functional areas, and management functions should operate on a micro and a macro level. Policies can provide a basis point for creating a consistent experience across customers, employees, and the general public by documenting how your organization executes critical activities. Well-written policies also communicate expectations that provide a basis for audit activities and a benchmark for success for the organization.

6 Steps to a Mature Policy Management Program

Following a proven policy development framework allows the organization to know whether or not policy activities are being addressed in a timely and consistent manner. Generally speaking, the policy management process includes six steps:

1. Drafting and Revising Policies

Before drafting a new policy or revising an existing one, there should be a clearly defined purpose and scope explaining why that policy is being created. Company leaders may use policies to improve security, reduce risk, or change the culture. Other policies are drafted to meet compliance with regulations, standards, or governing authorities. It is important to track revisions, changes, and versions of each policy so that you always know which policies were in place at any point in time when completing audits and reviews. This also allows you to make sure that the end product is cohesive and understandable, written in a consistent, neutral voice.

2. Collaborating with Key Stakeholders for Feedback

Collaboration in policy development may include stakeholders in different areas of the organization with a mixture of SMEs and executives. Some organizations form policy committees or governance bodies that represent parts of the business. The committee meets to provide edits and feedback on all policies regularly (e.g., monthly, quarterly, annually). 

3. Obtaining Approval 

Policy approval is generally completed by a policy committee or board made up of individuals who represent key areas of the business. In many circumstances, the policy committee consists of trusted leaders or stakeholders who can competently approve the content of the policies, following standard and consistent guidelines for approval.

4. Publishing Policies to the Intended Audience

Policies should be readily accessible in a predictable location. Often, information security teams are asked to identify a centralized location where the intended individuals can find the policies without sharing confidential information. 

5. Training and Gathering Attestations 

Successful policy management is only achieved when those policies are understood across the organization. Some policies are simply posted to an internal website, while others include a training video or presentation. After completing the training, the employee should sign an acknowledgment that they have read and understood the policy.

6. Conducting Periodic Reviews 

As a best practice, all policies should be reviewed at least annually. The policy may need updating due to changes during the year or to address new organizational initiatives. 

Why Does Policy Management Matter?

Policies are one of the driving forces behind the organization’s culture as these define how different functional teams work together to meet broader organizational goals. Embedding the six-step framework into compliance management software helps companies consistently set clear expectations, hold teams accountable, and align organizational responsibilities to strategies. With so much change and uncertainty in the world today, having a mature, technology-enabled policy management program in place may be the advantage you need to thrive.


Molly Mullinger was a Manager of Customer Experience at AuditBoard. Molly joined AuditBoard from EY, where she provided consulting services over regulatory compliance, including SOX compliance, technical accounting matters, and software implementations. Connect with Molly on LinkedIn.


Elliott Bostelman, CDPSE, is a Manager of Compliance Solutions at AuditBoard. Elliott joined AuditBoard from Deloitte, where he provided consulting services over information security management, risk advisory, and GRC implementation & modernization. He also serves in the US Army Reserves, focusing on cyber operations, network defense, and information technology. Connect with Elliott on LinkedIn.