policy SOC report

Building Effective Security Policies: FOMO vs. Build-as-you-Go

Ever gone to check the company policy for something and found yourself lost and hopeless in a thousand page policy jungle?

We have too, and there’s a better way.

But it may involve overcoming your fear; specifically, your Fear of Missing Out (FOMO)

Understanding the Methodologies

In a world of excessive jargon, we like to dumb things down to plain language. When thinking about implementing policies, there are basically two methodologies.

FOMO Policies aim to cover every compliance need comprehensively. They are often a combination of different frameworks and templates.


    • FOMO policies allow you to set it and forget it – if a legal or compliance need comes up 3 years down the line, odds are that it’s in your policy!


    • This strategy leads to policies becoming overly burdensome, and difficult to find what you need.
    • Because there is so much irrelevant content included, policies began to mean nothing at your company and lose all their power.

Build-As-You-Go Policies craft policies incrementally, starting with the core elements of what you need, and adding on as updates are needed.


    • The policies are set up to be clear and easy to find what you need
    • They can enforce changes that leadership actually cares about


    • You might need to update them frequently as compliance needs arise.

Build-As-You-Go Policy-making allows policies to do what they were meant to do – be drivers of process and culture, not static descriptors of someone else’s requirements.

So now that you’ve decided on a methodology, let’s look at best practices as you’re implemented that we’ve picked up from reviewing hundreds of our clients policies.

Best Practices for Building Effective Policies

  1. Define Culture and Process: Rather than creating policies for the sake of compliance, sit down with leadership to define desired outcomes in core areas. Policies should drive culture and process, not merely exist as passive documents.
  2. Assign Ownership: Each policy should have a designated owner responsible for its implementation and regular updates. Establish a clear update cadence to ensure policies remain relevant and effective. Involve upper leadership, as if the top bosses don’t care, why should the rest of the crew?
  3. Communication is Key: Make policies easily accessible to employees and communicate updates or new policies effectively. Ensure consistency with training content to reinforce policy adherence.
  4. Utilize Templates Purposefully: Templates SHOULD provide a structural starting point and content ideas for policy development. They SHOULD NOT serve as the main document requiring only a cursory review. Instead, use templates as a guide to double-check the quality of policy content.
  5. Document and Review: Maintain a table documenting the creation, review, and next review dates for each policy. This helps ensure accountability and keeps policies up-to-date with evolving requirements.

By following these best practices and adopting a Build-As-You-Go approach, organizations can develop security policies that not only meet compliance requirements but also drive positive cultural change. Remember, the goal is not just to have policies but to create a secure and compliant organizational environment that fosters trust and integrity.

Looking for additional resources to kickstart your policy development process? Check out ISACA’s Policy Template Library Toolkit for some customizable free policy templates! These templates can serve as valuable starting points for crafting your organization’s security and governance policies.

Looking for an auditor who can help guide you through the SOC 2 process? –  Contact Render

Share this post


Keep reading...

What is a SOC 2 Gap Assessment?

A SOC 2 Gap Assessment is a high-level review of a firm’s control’s environment against SOC 2 criteria to identify existing gaps.

Let's Work Together