The Policy maturity level requires examination of the current, documented information security policies or standards within the Assessed Entity’s information security program to determine whether they fully address the elements within the requirement statements for the scope of the assessment. Scoring is based upon whether, for each of the corresponding requirement statement evaluative elements, the Assessed Entity’s policies are not defined, undocumented, or documented.

9.1.1. A documented, up-to-date (see Chapter 11.3 Working Papers & Evidence for evidence timeliness requirements) policy must specify the mandatory nature of the requirement statement’s elements in a written format. This information may reside in a document identified as a policy, standard, directive, handbook, etc.

9.1.2. The identified policy or policies must cover all facilities and operations and/or systems within the scope of the assessment.

9.1.3. Undocumented policies are those that are:

(i) Well understood by those required to implement them and/or adhere to them,
(ii) Consistently observed*, and
(iii) Unwritten.

(*"Consistently observed" can be interpreted to mean that the practice was directly observed by the External Assessor during fieldwork and/or that evidence of it was inspected during implementation testing.)

For additional information on assessing the appropriateness of policies, see Appendix A-10: Policies & Procedures FAQs & Examples.