OR-02 IT Operations & Resilience

IT & Information Security Policies

Baseline expectations are documented and maintained.

Domain: IT Operations & Resilience
Control type: Preventive
Automated / manual: Manual
Frequency: Annual
Framework reference: COBIT APO01; MAS TRM – Governance

What good looks like

A policy suite is approved, communicated and reviewed at least annually.

Risk if it fails

Control gaps and inconsistency.

How Tess tests it

3 tests — each concludes only on cited evidence.

Policy suite comprehensive & approved

Design

Procedure: Inspect the suite.
Expected: Approved policies in place.
Sample: 1 (design inspection)
Evidence: Policy documents, approval/review records.

Policies reviewed within cycle

Operating

Procedure: Inspect review dates.
Expected: Current (reviewed annually).
Sample: 1
Evidence: Policy documents, approval/review records.

Policies communicated

Operating

Procedure: Inspect distribution.
Expected: Communicated to staff.
Sample: 1
Evidence: Policy documents, approval/review records.

Evidence Tess looks for

Policy documents, approval/review records.

More in IT Operations & Resilience

OR-01 IT Governance & Oversight OR-03 IT Risk Assessment OR-04 Asset & Configuration Management OR-05 Regulatory & Compliance Monitoring

Want Tess to test OR-02 against your evidence?