As a general rule, most regulators like to see documented policies and processes. They prove that you have thought things through — even if not perfectly — and at least attempted to address them.
Clearly, if what you have done is negligent, you are perhaps creating even more of a mess for yourself, and putting together a nice paper trail, but if you are reading this site, and thinking about your own and your firm’s cybersecurity needs, you probably aren’t the highest risk in this regard.
If you can set out what your policy is, who is responsible for it, and document your processes and controls, review them regularly, and keep a note of what you’ve reviewed and when, you’re likely to be heading in the right direction.
If you have staff, there’s likely to be an expectation of training them and keeping them informed of changes, and a record of ongoing training can be useful too.
I also find it useful to record reasons why I have made decisions.
In some cases, the reasoning behind a decision might be obvious. But if you weighed up various factors, and reached a risk-aware conclusion, you might want to set out what you considered and why you came to the conclusion that you did — even if just so that, in future, when you are trying to remember why you did something, or didn’t do something, you can get back to the state of mind you were in when you made the decision.
But documenting things has benefits beyond regulatory compliance.
Writing things down forces you to think things through, and question why you have taken particular decisions.
In some cases, having a handy reference guide as to what you’ve decided to do in a particular situation may be the difference between absolute panic and, well, slight panic, if something does go wrong.
If you’ve documented the procedure for wiping a lost mobile device, for example, you don’t need to remember things in the heat of the moment: you just work through your document.
If you want more than your own documentation, you might consider an accreditation for cybersecurity.