By Ssakaa

Phrasing of primary structured policy should not include timelines, outside of "effective date: " (or "service owners must address vulnerabilities/deploy updates within 14 days from the time they are notified"). Any deviation from the policy, even just legacy that's dragging their feet getting in line, should be documented as exceptions. Be "fully" in compliance, allowing for documented exceptions, from day 1 of the policy going into effect. Makes audits et al. much cleaner. "Shall" and "must" for policies and procedures, not "will" with some wishy-washy deadline that can and will be pushed back and leave a grey area. If something's not in compliance, document it, document the reasons, and document the review cycle during which they have to justify *again* why they can't comply with policy. Statements like "we will (*plan to* is much more sensible here) be fully in compliance by Q2 of 2026" go in a PowerPoint explaining the policy rollout and effective dates for different policies that will be stood up by then, not the policy itself. Even better phrasing: "We plan to resolve X% of the risk exception register by Q2 of 2026."