Policy & Procedure
What does your cyber security policy say? Does your policy support the regulations? Do your processes and procedures support your policy?
Cyber security policies specify what you should and should not do. Those policies must be well written and support your regulatory obligations. Your procedures must also be well written and specific, with more detail in support of your policies. It sounds simple, but considerable work is required to pull all the pieces together.