PPPR-08
Standard
Weight: 5

Documented Information Security Policy

Plain English Explanation

This question asks whether you have a formal, written document that defines your company's security rules, standards, and procedures. It is your security constitution: the master document that explains how your company protects data, who is responsible for what, and what everyone must do to maintain security. To count as "documented", the policy should have a named owner, a management approval and a version date, and it should be stored where employees can actually find it.

Business Impact

A documented security policy is table stakes for enterprise deals. Most security questionnaires and RFPs ask for it directly, and a missing policy is a common reason a vendor is screened out before any technical review. It also provides legal and contractual protection by showing you have defined standards, guides employee behavior so that routine mistakes do not become breaches, and demonstrates security maturity to customers, auditors, and investors. Without this policy you have little evidence of due care when something goes wrong, and little credibility when pursuing serious business opportunities.

Common Pitfalls

Creating a generic policy copied from the internet that does not reflect your actual practices is no better than having no policy, and can be worse: auditors and customer reviewers test the written policy against what your systems and staff actually do, and every gap becomes a finding. Another mistake is writing a policy but never training employees on it or enforcing it, which makes it worthless for both security and compliance. A third is letting the document go stale; a policy with no owner, no approval record, and no review date reads as abandoned, so schedule a review at least annually and whenever the business or its systems change materially.

Question Information

Category
Policies, Procedures, and Processes
Question ID
PPPR-08
Version
4.1.0
Importance
Standard
Weight
5/10