"Which standard (NIST, ISO, COBIT, etc.) was used to develop security policies?"
Answer examples and tips for RFPs

Last updated by Brecht Carnewal on 2023-07-30


The question asks about the standard that was used to develop security policies. This is an important question as it provides insight into the framework followed by the company or organization in establishing its security policies. Understanding the standard used can help assess the comprehensiveness and effectiveness of these policies. Two related questions that can provide further context are:

  1. What are the security policies and procedures implemented by the company?
  2. How often are the security policies reviewed and updated to align with industry standards?

Why is this asked?

This question is asked to understand the level of rigor and compliance followed in developing security policies. By knowing which standard was used, the person asking the question is able to assess the company's commitment to cybersecurity and determine if it aligns with industry best practices. It helps in evaluating the company's security posture, risk management approach, and its ability to protect sensitive information.

Key information to include in your Answer

  1. Name of the standard: Clearly mention the name of the standard used to develop security policies. Examples of commonly adopted standards include NIST (National Institute of Standards and Technology), ISO (International Organization for Standardization), COBIT (Control Objectives for Information and Related Technology), HIPAA (Health Insurance Portability and Accountability Act), etc.

  2. Reasons for choosing the standard: Explain why the company or organization selected this particular standard. Highlight any specific requirements or areas of focus addressed by the chosen standard that align with the company's needs and industry requirements.

  3. Framework and guidelines: Describe the framework and guidelines provided by the selected standard. Explain how the company applied these guidelines to develop its security policies. Provide details about the key security areas covered by the standard, such as access control, risk assessment, incident response, and data protection.

  4. Certifications or compliance audits: If applicable, mention any certifications or compliance audits conducted to ensure that the security policies align with the chosen standard. For example, if ISO 27001 is used, talk about the certification process and its significance in demonstrating the effectiveness of the security policies.

  5. Documentation and document management: Emphasize the importance of documenting security policies and procedures in accordance with the chosen standard. Mention any specific tools or software used to manage that documentation, such as Confluence, SharePoint, or Jira.

  6. Policy review and update frequency: Explain how often the security policies are reviewed and updated to align with the changing threat landscape and evolving industry standards. Highlight the company's commitment to continuous improvement and its proactive approach to keeping security policies up to date.


Example 1:

At [Company Name], we have developed our security policies in accordance with the NIST framework. As a widely adopted, industry-leading standard, the NIST framework provides comprehensive guidelines for information security management. By following it, we ensure that our security policies address all critical areas, including risk assessment, access control, incident response, and data protection. Our policies are regularly reviewed and updated to align with NIST's latest recommendations. Additionally, we conduct annual compliance audits to ensure that our security policies comply with the NIST standards.

Example 2:

We chose to develop our security policies based on the ISO (International Organization for Standardization) standards. ISO 27001, in particular, provides a systematic approach to managing sensitive company information and ensuring its confidentiality, integrity, and availability. By adhering to ISO 27001 guidelines, our security policies cover areas such as asset management, information classification, communications security, and incident management. We document our security policies in Confluence, a widely used documentation tool, which allows us to maintain a centralized and easily accessible repository of our policies.

Example 3:

COBIT (Control Objectives for Information and Related Technology) is the standard we adopted to develop our security policies. COBIT is a comprehensive framework that focuses on governance and control objectives related to information technology. By following COBIT guidelines, our security policies encompass aspects such as risk management, incident handling, and resource management. We ensure that our policies align with COBIT's principles by conducting regular reviews and updates. Additionally, we use Jira, a project management tool, to track and manage the implementation of our security policies and monitor compliance.
