We have a special policy review process I'm trying to implement in eramba, and would like some recommendations from eramba and the community.
We distinguish between review and update, and do it in 2 steps!
The way we do is:
Once a year, shortly after the IT security policy has been approved by the board, we plan a review of all our sub-policies and procedures.
This first quick review is only a kind of screening, where I look at whether it is necessary to update the procedure on behalf of a newly changed security policy, new compliance requirements or risk.
If I find something to update, I give the procedure a new custom status in the review module: UPDATING PLANNED, a trigger status like COMPLIANCE and RISK (multiple-select dropdown), and some rationale for the coming update.
Then eventually change who has to do the coming update.
And set the next review (update) date. If the update trigger is compliance, then the date must be within max 1 month; if it's a risk reason, max 3 months. If no update is required, the next review date is set to 1 year (shortly after the next IT policy approval).
Finally, complete the review.
The next review (notification) will then be a real procedure update activity.
When the procedure is updated, the guy responsible for that gives the procedure a new custom status: UPDATED.
My problem is: how can the guy who has to update the procedure see all the previous review comments, like update trigger and rationale, so he can do the right update on behalf of the previous review/screening?
Hope somebody has an idea, or other comments.