
Governance

Governance Policy Development

A structured policy development engagement aligning security expectations with business objectives and recognized frameworks.

Organization
Cybersecurity Internship Portfolio
Duration
4 weeks
Project Type
Governance
ISO 27001, NIST CSF, CIS Controls

Business Context

Why the work mattered

The organization needed clearer security expectations for employees, managers, and technology stakeholders. The project focused on transforming informal practices into documented governance artifacts that could support consistent decision making and audit readiness.

Objectives

Engagement goals

Define practical security policy requirements.

Align policy language with ISO 27001 and NIST CSF concepts.

Create readable documentation for technical and non-technical teams.

Support future compliance and internal audit activities.

Methodology

Structured process

The methodology explains how the work moved from context gathering to documented recommendations.

  1. Step 1

    Policy Scope

    Clarify the business areas, users, and systems covered by the policy set.

    Reviewed organizational context, common risk scenarios, and policy ownership needs.

  2. Step 2

    Framework Alignment

    Ground policy requirements in recognized security standards.

    Mapped policy sections to ISO 27001 control themes, NIST CSF functions, and CIS Controls.

  3. Step 3

    Drafting

    Produce clear, enforceable security expectations.

    Wrote policy statements, responsibilities, review cycles, and exception handling guidance.

  4. Step 4

    Review

    Improve usability and business fit.

    Checked language for clarity, removed ambiguity, and prepared an implementation summary.

Deliverables

Artifacts produced

Governance

Information Security Policy

Core policy defining roles, acceptable security expectations, and review responsibilities.

Gives teams a consistent reference point for security decisions.

Compliance

Control Mapping Sheet

Mapped policy sections to framework themes and supporting control objectives.

Improves traceability for future audits and compliance reviews.

Skills Demonstrated

Professional competencies

Policy Development, Control Mapping, Technical Writing

Outcomes

Project impact

  • Security expectations were translated into clear governance language.
  • Framework alignment improved evidence quality and audit readiness.
  • Documentation became easier for business stakeholders to review.

Lessons Learned

Professional growth

Effective policy writing requires balancing control rigor with operational practicality.
Framework mapping is most useful when it explains business relevance, not just citations.

Related Projects

Continue exploring

Internal Audit

Internal Cybersecurity Audit

An internal assessment that reviewed security controls, documented gaps, and produced a prioritized remediation roadmap.

NIST CSF, CIS Controls, ISO 27001
Internal Audit, Gap Analysis, Risk Reporting

Risk Management

Enterprise Risk Assessment

A risk assessment project documenting assets, threats, likelihood, impact, and treatment options for management review.

CIS RAM, NIST CSF, ISO 27001
Risk Assessment, Risk Register, Business Impact Analysis

Vendor Risk

Third-Party Risk Assessment

A vendor review workflow covering due diligence, control questions, risk scoring, and onboarding recommendations.

NIST CSF, ISO 27001, CIS Controls
Vendor Assessment, Questionnaire Design, Risk Scoring

Discuss GRC opportunities

Contact Osen after reviewing this project or download the resume for a concise overview.