It does seem strange though…..The task is to publish procedures for the description, but it has to be done every 10 x days.
I would have though once published, then at least annually would be ok…
Appreciate your feedback.
The Information Security Policy requires in section 3.3 (Secure engineering principles) that responsible person issues “procedures for secure information system engineering, both for the development of new systems and for the maintenance of the existing systems, as well as set the minimum security standards which must be complied with.” Please note that the mentioned procedures are not included in the policy but need to be developed because of it.
Considering that, the recurrent task refers to the publication of these required procedures, i.e., you only can set this task as completed when all needed procedures are published. This task is not related to the publication of the Information Security Policy itself.
Consider this example: when developing this policy, you identify you have a financial system, a production monitoring system, and a mobile app, all developed with different technologies. When the Information Security Policy is implemented, this recurrent task will remember you every 10 days after Information Security Policy implementation date that you need to publish these needed procedures.
Once these related procedures and standards are published you can mark this task as completed, and the review cycle of these documents will be performed as defined in the document control procedure (e.g., at least annually).