The policies you create as a result of undertaking ISO 27001 should be drawn together and periodically subjected to a policy review. Typically this can be at a review meeting, where more than a rubber stamp should be applied. It is the opportunity to consider the effectiveness of the policies you have decided upon and to consider improvements and upgrades. Consider how the business is changing and how this needs to be protected, whether it's a change in the IS environment, a change of facilities, or changes in personnel or skills, and equally consider any change you may wish to apply to the way you handle risk assessments. If changes are made, they need to be clear, communicated to those affected, and included again as part of an internal audit to ensure they are effective.
If you consider your policy review to be effective, keep a record and move on; there is no need to waste time on it unnecessarily. Policies would typically be reviewed semi-annually or annually.