NEWSLETTER
April 16, 2026
In most organisations, IT policies, processes, and procedures underpin secure and efficient operations. Employees are routinely asked to read, acknowledge, and “accept” these documents - often through a simple checkbox or annual compliance exercise. But there is a critical gap in this approach: acceptance does not equal understanding.
Checking or testing comprehension is one of the most overlooked elements of policy management, yet it is critical to ensure that policies are not only read, but applied in practice.
The assumption that staff understand what they have read is risky. Policies are often written by technical specialists in formal language, covering complex subjects such as data handling, access controls, and incident reporting. Even well-intentioned employees may misinterpret requirements or fail to recognise how policies apply to their day-to-day roles. Without validating comprehension, organisations are effectively relying on guesswork.
This gap becomes particularly problematic when policies underpin critical controls. For example, an employee may acknowledge an acceptable use policy but still reuse passwords, mishandle sensitive data, or fail to report suspicious activity - simply because they did not fully understand the expectations. In these cases, the policy exists on paper, but not in practice.
From a risk perspective, this creates a false sense of security. There is often an assumption at the leadership level that compliance requirements have been met because policies have been distributed and accepted. However, without evidence of understanding, there is no assurance that team members are behaving as intended. This increases the potential for security incidents, operational errors, and even regulatory breaches.
Testing comprehension helps bridge the gap between reading a policy and understanding it. A simple measure such as a short quiz can significantly improve both understanding and retention of policy detail. This approach encourages employees to actively engage with the material, rather than passively acknowledging it. More importantly, the results and feedback can provide organisations with measurable insight into whether key concepts have been understood.
Effective comprehension testing highlights areas where policies may need improvement. If large numbers of team members struggle with specific questions or concepts, it may indicate that the policy is unclear, overly complex, or not relevant to their roles. Testing can therefore be invaluable for refining policies and making them more practical and accessible.
Comprehension testing is often overlooked due to perceived time constraints or administrative effort. Organisations may view policy acceptance as a “tick-box” activity — something that needs to be completed for compliance purposes rather than as an opportunity to strengthen capability. This short-term thinking can lead to long-term risk.
Over time, testing reinforces a culture of accountability and awareness, where employees are not just informed, but equipped to translate knowledge into correct action. Ultimately, policies are only effective if they influence behaviour. Simply asking team members to read and accept them is not enough. The risk is that people unknowingly act contrary to policy while simultaneously believing they are acting in compliance.
Policy Management as a Service (PMaaS) allows an organisation to test each team member's comprehension of policy content using the PMaaS Quiz option.
Some of the key features of this option include -
Contact us today to find out how you can embed policy understanding across your organisation.
PROTOCOL POLICY SYSTEMS
Fill in the form or call us on (UK) +44 845 241 0099 or (NZ) +64 9 570 2233