Time and time again we have been asked, “Is information security a practice or a policy?” The right answer is that it is both, however it is important to note that the policy must come first.

Often, small to medium size businesses overlook the importance of developing and implementing security policies. The problem is, when the company begins to attract larger clients, many of whom must comply with federal regulations regarding security, such as HIPPA or Sarbanes-Oxley, they are asked questions they may not be able to answer.

Take the time to develop a well thought out and ever evolving information security policy that your company adheres to. An enforced policy leaves little room for ambiguity and is the direct result of known and unknown risks.

A best practice is to conduct annual reviews and trainings of this critical governance control to ensure that the policy is not just a recommendation, but a guideline to which all employees, contractors and partners adhere. Security reviews as part of a SOC 1 or SOC 2 attestation engagement are one way to ensure that your information security policy and practices are up to date and meet industry standards.

To learn how Auditwerx can improve your information security policy and practices, contact us today.