Policies are the layer of your security programme that regulators read first, auditors test first, and incident investigators quote back to you afterwards.
Yet in most organisations they're written once, approved (sometimes), and quietly drift out of date. Here are the main reasons organisations commission an independent assurance review.
When a regulator, auditor, insurer, customer or court asks "how do you manage this risk?", your policies are the answer you point to. If they're inconsistent, unapproved, or contradict current guidance, the rest of your programme inherits the doubt.
The Assurance review is performed on your documents. No workshops to schedule, no systems to touch, no staff time consumed beyond providing the policy set and receiving the findings. This is the best way to get maximum assurance value per hour of your team's time.
It's no longer enough for a policy to exist. DORA specifies what ICT security policies must contain, including the date of formal approval by the management body, review cycles, documented exceptions and consequences of non-compliance. NIS2 and the UK's incoming Cyber Security and Resilience regime raise similar expectations, and the NCSC's CAF asks whether your policies are actually followed, not just written. Most policy suites were written before these expectations existed.
One policy says "must", its sibling says "should". One names the Risk & Compliance Forum, another says "the appropriate governance committee". The scope section promises BYOD controls in section 2.4 — and section 2.4 doesn't define them. These inconsistencies are almost impossible to spot from inside the organisation, and they're exactly what a hostile reader — a regulator, a litigator, an attacker's counsel — will find first. An external expert's suite-level review is the only way to catch them.
Blank "Approved By" fields on policies that are demonstrably in force. Review dates that predate the document itself. Filenames that contradict version numbers. Three different committees approving different policies with no record of which owns what. These are small findings individually. Collectively they say your policy governance isn't operating effectively, which is a management-accountability problem under DORA, NIS2 and SM&CR alike.
Current NCSC guidance advises against enforced password complexity and forced expiry. Yet policies mandating both are still everywhere, adding user burden without security benefit. An assurance review provides an independent, structured check of your password and access policies against the latest guidance. It highlights exactly where your current approach already meets or exceeds today’s standards, so you get clear recognition for good practice, not just a list of gaps.
Any organisation whose security policies carry weight: regulated firms, suppliers to regulated firms, operators of essential services, public-sector bodies working toward CAF profiles, organisations pursuing or holding ISO 27001 certification. It's also important for any business whose customers, insurers or investors ask hard questions about governance.
Sister service for regulated financial firms: If your primary driver is FCA and DORA benchmarking specifically, see our Regulatory Alignment & Policy Review — The same rigour, aimed squarely at the regulated environment.
Companion assessments: Policies describe intent; capability is a different question.
Our Technical Resilience Assessment and Operational Resilience Assessment measure whether the resilience your policies describe actually exists in practice.
Show a regulator, auditor, insurer or major customer an independent, dated, criteria-based assurance review of your policies.
Internal contradictions, governance gaps and stale guidance surfaced by fresh, expert eyes.
The Policy Assurance review runs on documents, not on your people's calendars.
Priority ratings and wording-level remediation turn a review into a work plan.
Strengths credited, so the output builds confidence rather than just cataloguing faults.
Findings already mapped to DORA, NIS2, FCA, CAF outcomes and ISO 27001 clauses, saving your compliance team the translation work.
Modern regulation doesn't just require you to have policies. It specifies what they must contain, who must approve them, how often they must be reviewed, and whether they're actually followed. The review benchmarks your suite against the four frameworks that matter most to UK and EU organisations:
DORA, applicable since 17 January 2025 to financial entities operating in the EU and relevant to UK firms with EU operations, group entities or EU financial-entity customers, is the most prescriptive framework ever written for ICT policy content. Its supporting technical standard on ICT risk management (RTS (EU) 2024/1532) sets explicit requirements for what ICT security policies must include: the date of formal approval by the management body, defined review cycles, recorded exceptions, specified consequences of non-compliance, lists of documentation to be maintained, segregation of duties, and detailed content requirements for identity, access, logging, patching, backup and asset management policies.
Our review checks your documents against these requirements article by article. Every relevant finding cites the specific article, so your DORA evidence pack effectively writes itself. For UK-only firms, we apply DORA as a benchmark baseline: the most demanding common denominator, so a suite that stands up to DORA stands up to almost anything.
The EU's NIS2 Directive requires in-scope essential and important entities to adopt cyber risk-management measures that expressly include policies on risk analysis, information system security, cryptography, access control, supply chain security and more. Management bodies are personally accountable for approving and overseeing them.
In the UK, the Cyber Security and Resilience Bill (introduced to Parliament in November 2025) modernises the NIS Regulations 2018 along similar lines, extends scope to managed service providers, data centres and designated critical suppliers, and places the NCSC's Cyber Assessment Framework on a firmer statutory footing.
If your organisation is in scope of either regime, or supplies to someone who is, your policy suite is the first artefact a regulator will ask for. The review benchmarks it against these expectations before they do.
For FCA-regulated firms, policies are woven through the regulatory fabric: SYSC systems-and-controls requirements, the operational resilience regime (PS21/3 / SYSC 15A and PRA SS1/21) with its living self-assessment, record-keeping rules, SM&CR personal accountability, and — from 18 March 2027 — the new operational incident and third-party reporting regime (PS26/2), which your incident and supplier policies will need to reflect.
Our review flags where each policy supports these expectations, where it silently contradicts them, and where wording that reads as optional ("should") would fail the test of a rule that means "must".
The CAF, now at version 4.0, is the UK's outcomes-based framework for cyber resilience, structured around four objectives, fourteen principles and forty-one contributing outcomes, and increasingly the benchmark UK regulators use across essential services, government (via GovAssure) and, under the incoming Bill, a widening set of sectors.
Policies sit at its heart: Objective A covers governance and risk management (are policies owned, approved and communicated?), and Principle B1 is literally "Service Protection Policies, Processes and Procedures" — asking not whether policies exist, but whether they're proportionate, communicated and demonstrably followed. Our review maps findings to the relevant CAF outcomes and — because the CAF is outcome-based — flags where a policy's wording would make an outcome hard to evidence as "achieved".
ISO/IEC 27001:2022 (clause 5.2 policy requirements and Annex A controls), current NCSC guidance (which the review applies as living guidance, e.g. modern password policy positions on complexity, expiry and passphrases), Cyber Essentials/Cyber Essentials Plus, and UK GDPR/Data Protection Act 2018 where policies touch personal data.
(Note: The review provides independent assurance and regulatory relevance mapping. It is not a legal opinion, a compliance certification or a formal audit; confirming a formal compliance position may require dedicated legal or regulatory advice.)
High/Medium/Low so remediation can be sequenced sensibly.
Findings counts by policy and priority, updating automatically as your team closes items.
Open/WIP/Closed/N/A per finding, yours to own as your remediation record.
A re-review of remediated policies to confirm findings have been addressed and provide evidence of progress for governance, audit and regulatory purposes.
.webp?width=700&height=1050&name=What%20the%20Security%20Policy%20Review%20Looks%20Like%20(1).webp)
It's an independent, line-by-line evaluation of your information security and IT policy suite against defined criteria: recognised good practice (NCSC guidance, ISO/IEC 27001:2022, Cyber Essentials), regulatory frameworks (DORA, NIS2, FCA expectations, the NCSC CAF), and internal consistency across the suite. Every finding is traceable to an exact document location, priority-rated, and paired with practical remediation. Strengths are formally credited alongside gaps.
An audit renders a verdict against a fixed standard; assurance evaluates against criteria to help you improve. The review is collaborative and blame-free: no pass/fail, no grading of individuals, and explicit credit for what's already working. It gives you a defensible, independent evidence base without the adversarial dynamic of an audit.
DORA and its ICT risk-management technical standard (RTS (EU) 2024/1532), NIS2 and the UK's incoming Cyber Security and Resilience regime, FCA expectations (SYSC, PS21/3 / SYSC 15A, record-keeping, SM&CR, and the PS26/2 reporting regime from March 2027), the NCSC Cyber Assessment Framework (CAF), ISO/IEC 27001:2022, current NCSC guidance, Cyber Essentials, and UK GDPR / DPA 2018 where personal data is involved. The benchmark set is tailored at scoping to your sector and obligations.
DORA is the most detailed statement anywhere of what good ICT policy content looks like including approval by the management body, review cycles, exception handling, logging, access and patching specifics. Applying it as a benchmark baseline means a suite that stands up to DORA will stand up to FCA scrutiny, CAF assessment and ISO certification with margin to spare. And if you ever acquire EU exposure, the work is already done.
Every finding carries a locator: the section, paragraph and page it relates to. Where applicable, the specific regulation article or standard clause it's benchmarked against is also provided. You can open your document at the cited location and verify the finding yourself, and your teams can fix it without guessing what we meant.
No, and this matters. Strengths are recorded with the same rigour as gaps and explicitly marked. A review that only lists faults demoralises the team that has to act on it and misrepresents your true position. Crediting strengths produces a fair picture, protects what's working, and gives boards a balanced view.
Almost none. You provide the policy documents; we do the rest. The only time commitments are a short scoping call at the start and a findings walkthrough at the end. There are no workshops, interviews or system access requirements.
A structured findings tracker: one review sheet per policy, each finding with locator, explanation, standard/regulation reference, priority (High/Medium/Low), and practical remediation; a summary dashboard with findings counts by policy and priority; and a client status column (Open/ WIP/Closed/N/A) that is yours to maintain as your permanent remediation record. We walk your team through it so nothing is left ambiguous.
A typical engagement covers five to fifteen documents, commonly passwords, privileged access, malware/anti-virus, asset management, data classification, acceptable use, remote/mobile working and incident-related policies. We agree the set at scoping. Reviewing policies as a suite matters: many of the most valuable findings are cross-policy inconsistencies that single-document reviews cannot catch.
Typical findings include governance gaps (blank approvals, stale review dates, version/filename mismatches, undefined approval authorities), internal contradictions (must vs should, exceptions that undercut prohibitions, cross-references to sections that don't exist), benchmark gaps (missing MFA coverage, undefined patching escalation, absent log-retention and tamper-protection requirements), and drift from current guidance (legacy password complexity and expiry rules). You should also expect genuine strengths to be identified and credited.
Annually as a baseline, most frameworks, including DORA's technical standards and ISO 27001, expect at least annual review, and sooner after material change: reorganisation, new systems, new regulatory obligations (such as the FCA's 2027 reporting regime), or a significant incident. A re-review also evidences closure of previous findings, completing the assurance loop.
They answer different questions. The Security Policy Assurance Review evaluates what your documents say — whether your written control environment is complete, consistent and aligned to frameworks. The Technical and Operational Resilience Assessments measure what your organisation can actually do under disruption. The strongest assurance position combines both: policies that stand up to scrutiny, and evidence that the capability behind them is real. Many clients run the policy review first, remediate, then validate capability with a TRA or ORA.
"In order for BMJ to the right way forward we looked for a VCISO to advise us on the right way to do things and give us expertise. We went to Cyber Management Alliance and it's been about a year now and we ran workshops, looked at our response to incidents, created the incident response plan and we are in a position now where we understand our way forward. Our VCISO keeps us on our toes and overall it's been a very effective way of delivering expertise into the organisation that we wouldn't have normally had."
Aaron Townsend, Service Delivery Manager, British Medical Journal
It starts with a short scoping conversation — we'll agree on the policy set, the benchmark frameworks and the timeline. You send documents; we return evidence.