A good rule of thumb is this: Information security policy documents should be updated at least once a year, or whenever a major change occurs in the business that would impact the risk of the organization. Examples of these changes could be a merger, a new product or line of business, a major downsizing or starting business in another country. Whatever time period and criteria you define, the frequency of these updates should be documented in the written information security plan that is approved by management.