Conducting regular independent reviews will provide the best measure of compliance with IT policies, as this ensures that the policies are implemented and followed consistently and effectively across the organization. Independent reviews can also identify any gaps, weaknesses, or violations in the compliance process, and recommend corrective actions or improvements.Independent reviews can be performed by internal or external auditors, regulators, or consultants, depending on the scope and purpose of the review. Evaluating past policy review reports, performing penetration testing, and testing staff on their complianceresponsibilities are not the best measures of compliance with IT policies, although they may be useful or complementary methods. Evaluating past policy review reports can provide some historical and comparative data, but it may not reflect the current or accurate situation of the compliance status. Performing penetration testing can assess the security and vulnerability of the IT systems and networks, but it does not measure the compliance with all the IT policies, such as those related to governance, operations, or quality. Testing staff on their compliance responsibilities can evaluate the awareness and knowledge of the staff, but it does not measure the actual behaviour or performance of the staff in complying with the IT policies. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk and Control Monitoring and Reporting, page 187.