Is there a written information security policy approved by management and reviewed at least annually (Art 21.2.a)?
Demonstrate that a written information security policy exists, has been formally approved by executive or senior management, and is subject to documented annual reviews with evidence of updates or reaffirmation.
Description
What this control does
This control requires the organization to maintain a formally documented information security policy that has received explicit management approval and undergoes structured review at least annually. The policy must articulate the organization's strategic approach to protecting information assets, define security objectives, assign accountability, and establish the governance framework for all subsequent security measures. Under NIS2 Article 21.2.a, this policy serves as the foundational governance document demonstrating leadership commitment to cybersecurity risk management for essential and important entities.
Control objective
What auditing this proves
Demonstrate that a written information security policy exists, has been formally approved by executive or senior management, and is subject to documented annual reviews with evidence of updates or reaffirmation.
Associated risks
Risks this control addresses
- Absence of a security policy results in inconsistent security practices across business units and failure to meet NIS2 compliance obligations
- Without management approval, security teams operate with no executive accountability and no committed resource allocation, undermining program effectiveness
- Policies not reviewed annually become outdated and fail to address emerging threats, new technologies, or changes in regulatory requirements
- Unapproved or ad-hoc security guidance creates liability exposure when an incident occurs and management disclaims any formal responsibility for it
- Without a foundational policy document, employees lack clear authority and direction for making security decisions during critical incidents
- Regulatory authorities may levy penalties or operational restrictions when NIS2 entities cannot produce evidence of governance-level security commitment
- Absence of periodic review allows policy drift where documented controls no longer match actual operational practices, creating audit failures
Testing procedure
How an auditor verifies this control
- Request the current version of the organization's written information security policy document from the information security officer or compliance team.
- Verify the policy document includes a signature block, approval date, and identification of the approving authority (e.g., CEO, Board of Directors, executive committee).
- Confirm the approving authority possesses sufficient organizational seniority to bind management to security commitments as required under NIS2 Article 21.
- Examine the policy document for an explicit review schedule stating annual or more frequent review intervals.
- Obtain records of policy reviews conducted within the past 12 months, including meeting minutes, approval logs, change requests, or reaffirmation memoranda.
- Interview the policy owner to understand the review process, including who participates, how changes are proposed, and how updated versions are distributed.
- Cross-reference the policy approval date and review dates with organizational calendars to verify the annual review cycle has been maintained without gaps exceeding 12 months.
- Validate that any amendments or updates made during the review period were also formally approved by management through documented authorization.