Does your organisation have up to date well documented ICT security policies?
Does your organisation have up to date well documented procedures for ICT security (like patching, which is the vulnerability exploited in the WannaCry hack)?
Opinion piece published by CSO online concerning updates to documentation.