What policies do my employees need to accept on Secfix
Written by Fabiola Munguia
Updated over 5 months ago

After you have uploaded your policies to Secfix, you can choose which policies are mandatory for specific groups of employees.


Mandatory policy reviews

There are three policies that must be reviewed by all personnel within your organization.

๐Ÿ“POL-2: Information Security Management System (ISMS)

  • Defines a systematic approach to managing sensitive company information, protecting its confidentiality, integrity, and availability through a structured framework of policies, processes, and controls.
    -> Reviewing it ensures that information security risks are effectively managed, compliance with relevant standards is maintained, and continuous improvement is achieved.

๐Ÿ“POL-4: Information security & acceptable use

  • Governs appropriate and secure use of technology resources.

  • Clarifies rules and guidelines for protecting sensitive information.

    -> Reviewing it promotes awareness, reduces security risks, and ensures compliance.

๐Ÿ“POL-17: Incident management

  • Defines how the organization deals with incident management.

  • Displays report channels for incident reporting.

    -> Reviewing it promotes reporting channels/emails that can be used by employees and how to behave in case incidents happen.


Tailored policy reviews

Reviewing policies raises ISO compliance awareness, clarifies employees' roles, and communicates policy updates. However, not all policies are relevant to every employee, because roles differ and some content is confidential.

For example, the IT department may be primarily concerned with policies related to access controls and system administration (this should include e.g. POL-08: Cloud Security, POL-12: Cryptography, POL-14: Data Management, POL-18: Secure development), while the HR department may focus on policies regarding employee onboarding and offboarding (this should include e.g. POL-15: Human Resource Security). Employees should review and understand policies that are directly applicable to their roles and responsibilities.


Sensitive data

Some policies may contain sensitive information or details that are relevant only to specific individuals or groups. In such cases, limiting the review of certain policies to a select group of employees helps maintain confidentiality and ensures that information is only accessible to those who require it. This is particularly important for policies related to data protection, confidential information handling, and privileged access.


Operational efficiency

In large organizations, involving every employee in the review process for every policy could be impractical and time-consuming. It may not be feasible to allocate the resources needed to coordinate widespread reviews for every policy.

💡 The objective is to strike a balance between ensuring widespread understanding of and compliance with policies, while optimizing operational efficiency and maintaining confidentiality where necessary.
