1. Framework FAQs

CAF - B1.b Policy, Process and Procedure Implementation

This article provides additional information on how you can meet the requirement for the CAF control B1.b Policy, Process and Procedure Implementation.


  • Documented policies, processes and procedures must be fully implemented and followed consistently by staff.

  • Policies and procedures should be integrated with wider organisational processes, including HR onboarding, background checks where appropriate, access provisioning, and ongoing assessments of staff trustworthiness. This ensures that security requirements are embedded into day-to-day operations rather than handled in isolation.

  • Policies and procedures must be communicated to all relevant staff and acknowledgement of them tracked. Tracking is done via the read request workflow in Adoptech to maintain assurance that responsibilities are understood.

  • Ownership for each policy, control, test and register must be assigned to ensure accountability and visibility of compliance activities.

  • Monitor the effective implementation of, and compliance with, policies, processes and procedures, and report the results to senior management. Control compliance is monitored in Adoptech.

  • The review and evaluation of the correct application and effectiveness of procedures should be a standing item on the agenda of regular security management meetings and should cover the following:

    • Non-compliance or breaches, whether individual or aggregated, should be recorded, investigated and addressed promptly. These are recorded via Corrective Actions in Adoptech.

    • Actions should be raised to address the above and may include additional training, process improvements, or technical remediation to prevent recurrence.

  • An independent assessment should be conducted at least annually to confirm that policies and procedures are consistently implemented and that the associated controls operate effectively.