References 257

here, so it is recommended that you read that publication in its entirety and think about how you might implement a similar process for your organization.

SUMMARY

Writing and distributing security policies and standards is just the beginning. You also need to evaluate the organization's compliance with those standards. Unlike an audit, this is meant to be an internal assessment of where the gaps are and which ones present a large enough risk to require some form of mitigation. This is an ongoing process that will start with a small focus, but it needs to continue to assess new standards regularly as they are published and account for any changes in the risk landscape. If you focus on the highest-risk areas and structure your questionnaires as clearly as possible, you will encounter less resistance from the business. Ultimately, this process should be seen as a proactive exercise to stay ahead of emerging threats and potential incidents, and of course, the auditors. To do this, you will want to promote a culture of self-identification and self-discovery of risks. Along with the Security Risk Review process comes the latest