How to Write an Information Security Policy

16.06.2009


Often, a security industry standards document is used as the baseline framework: for example, the Information Security Forum's Standard of Good Practice, the International Organization for Standardization's information security management series (ISO/IEC 27001, 27002, 27005), and the Information Systems Audit and Control Association's Control Objectives for Information and related Technology (COBIT). This is a reasonable approach, as it helps to ensure that the policy will be accepted as adequate not only by company management, but also by external auditors and others who have a stake in the organization's Information Security Program.

These standards documents are a starting point only; they must be combined with management input to produce the policy outline. Moreover, it is not reasonable to expect the management of an organization to change the way the organization is managed in order to comply with a standards document. Rather, the information security professional should learn about good security management practices from these documents and determine which of them can be incorporated into the current structure of the target organization.

It is important that security policy always reflect actual practice. Otherwise, the organization is out of compliance from the moment the policy is published. It is better to keep policy to a very small set of mandates to which everyone agrees and with which everyone can comply than to have a far-reaching policy that few in the organization observe. The Information Security Program can then enforce compliance with the agreed mandates while the more controversial issues are worked out separately.

Another reason to keep policy to a very small set of mandates to which everyone agrees is that, where people know there are no exceptions to policy, they will generally be more willing to help get it right up front so that they will be able to comply going forward. Once a phrase such as "exceptions to this policy may be made by contacting the executive in charge of...." slips into the policy itself, or into the program that applies it, the document becomes meaningless. It no longer represents management commitment to an Information Security Program; instead it communicates a suspicion that the policy will not be workable. Consider what would happen if such language made its way into a Human Resources or Accounting policy: people could be excused from the rules on sexual harassment or expense report fraud. A security professional should strive to ensure that information security policy is observed at the same level as the other policies enforced within the organization, and policy language should be crafted in a way that guarantees complete consensus among executive management.
