A Written Information Security Plan (WISP) isn’t a document you create once and forget. Cyber threats evolve, regulations change, and businesses grow—so your WISP needs to adapt. That’s why setting an annual review date is crucial to ensuring your security program remains effective and compliant.

Why Do Annual Reviews Matter?

Security policies that aren’t regularly reviewed quickly become outdated and ineffective. Conducting an annual review of your WISP helps you:

  • Ensure compliance with regulations like the FTC Safeguards Rule and Gramm-Leach-Bliley Act (GLBA).

  • Identify gaps in your security program and address new risks.

  • Update policies to reflect changes in technology, business operations, and security best practices.

  • Reinforce security awareness by engaging employees in the review process.

How to Conduct Your WISP Review

A structured WISP review process ensures nothing is overlooked. Follow these steps to keep your security plan up to date:

1. Schedule the Review Date

  • Set a recurring annual date for reviewing your WISP.

  • Align the review with other key business activities (e.g., end-of-year planning, compliance audits).

  • Designate a responsible individual or team to oversee the process.

2. Evaluate Your Policies Against Current Practices

  • Compare existing policies to actual security practices—are employees following documented procedures?

  • Identify changes in business operations (e.g., new software, remote work policies, expanded services) that impact security.

  • Review past incidents to determine if policies need strengthening.

3. Assess Risk Management Efforts

  • Revisit your risk assessment to check if identified risks have been mitigated.

  • Identify any new risks introduced since the last review.

  • Determine if previous risk treatments are still effective or need updates.

4. Update Roles, Responsibilities, and Permissions

  • Ensure security roles and responsibilities are still assigned to the right individuals.

  • Verify that user permissions align with current job roles.

  • Remove access for former employees and third parties who no longer need it.

5. Review Employee Awareness and Training

  • Assess the effectiveness of security training from the past year.

  • Identify any gaps in employee understanding of security policies.

  • Plan for new or updated training initiatives based on emerging threats.

6. Validate Compliance Requirements

  • Confirm that your WISP aligns with current regulatory requirements.

  • Document any changes needed to maintain compliance.

  • If required, submit reports or updates to regulatory bodies.

7. Implement Updates and Communicate Changes

  • Update the WISP document to reflect policy changes, new risks, and procedural improvements.

  • Communicate updates to employees and stakeholders.

  • Ensure new security measures are fully implemented and enforced.

Documenting and Tracking Changes

A well-maintained WISP change log helps track updates over time and ensures accountability. Key documentation should include:

  • Date of review and list of individuals involved.

  • Summary of changes made and reasons for updates.

  • Action items for implementation, including deadlines and responsible parties.

  • Employee acknowledgment records for policy updates.

Wrapping Up

An annual WISP review is essential for keeping your security program relevant and effective. By committing to a structured review process, businesses can stay ahead of evolving threats, maintain compliance, and foster a strong security culture.

If your business needs help conducting a comprehensive WISP review, Zeus InfoSec can guide you through the process, ensuring your security policies remain up to date and actionable.

In the next post, we’ll cover Training Employees on Security Best Practices—because even the best security policies fail without proper employee awareness and training.

Still not sure where to start?

Check out Protect Your Business with Our Free Cybersecurity Checklist for Small Businesses or Free Cybersecurity Essentials eBook

Until next time…

Stay Safe. Stay Secure. And Remember….

Business is hard enough. Cybersecurity doesn’t have to be!
