The hidden costs of developing, delivering and maintaining IT Policies

Steve Macmillan

IT policies play a key role in building and developing cyber resilience. Organisations that try to meet their IT policy requirements with in-house resources often find the exercise laborious and costly to deliver, and many struggle to complete it.

Once policies have been approved and are in circulation, their respective “owners” need to keep them up to date. The frequency of policy maintenance varies, but it is typically driven by changes in business requirements, best-practice guidance or legislation. Such changes are often slow to take effect because there is frequently no system in place to notify, alert or remind an owner that a policy needs reviewing or editing as a result of them.

How much does it cost to develop, deliver and maintain IT policies? 

What are some of the factors that make policy work costly and laborious?

  • Writing structured, easy-to-read draft policies requires practice and experience.
  • Managing the various policy stakeholders so that they provide quality input takes sustained effort.
  • Aligning policies with best-practice guidance requires subject-matter knowledge and cross-referencing of standards documentation, which takes time.
  • Multiple rounds of review by peers and stakeholders are often needed before a final draft can be produced.
  • Once policies are in place, getting them reviewed regularly and accepted throughout the organisation requires ongoing management, particularly if there is no workflow solution in place.


Financial considerations aside

Organisations that engage Protocol Policy Systems for assistance have typically developed a clear business case for a cost-effective solution that addresses the factors above. Beyond the financial consideration, they highlight a range of other key drivers for changing how they develop, deliver and manage their IT policies, for example:

  • Demonstrating good governance: showing the commitment of the Board, CEO and senior management to protecting valuable information assets
  • Meeting legislative, regulatory and contractual requirements: operating to required minimum standards such as PCI DSS, ISO/IEC 27001 and 27002, Cyber Essentials and other directives
  • Protecting the assets of the business: infrastructure, corporate information and data, and the users of its systems
  • Providing the IT security framework for the organisation: a security maturity model for continued risk management and security improvement
  • Building institutional knowledge, which reduces reliance on any one individual to hold and convey that policy knowledge
  • Providing a uniform level of control and consistent guidelines for management, which supports disciplinary procedures in cases of intentional misuse of systems or policy breaches
  • Communicating one message to all staff about IT security and their responsibilities

Contact us to request a review of your current IT Policies by one of our consultants. 