How to Create Effective Policies

How to use information security policies to level up your security program.
People often regard information security policy as a “check-the-box” compliance initiative. Many organizations copy a policy template, make small revisions applicable to their context, and then forget about it.
But an information security policy that directs the organization is as crucial to a security program as firewall rules or IP whitelists. Information security policies also fulfill criteria from many major security frameworks. For example:
ISO 27001 A.5.1.1: A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.
SOC 2 CC2.2 (COSO Principle 14): The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Considering this, it’s important to understand the entire lifecycle of a policy as opposed to seeing it as a document in a vacuum. A policy follows this basic lifecycle:

Development

The need to develop a policy often arises from a compliance initiative such as SOC 2 or ISO 27001. In other cases, companies draft policies in response to the results of a risk assessment.
Key stakeholders should conduct this stage of the policy lifecycle. They should have knowledge both of the system or process the policy addresses and of information security.
Templates found online or provided by security firms are great places to start. But you must always ensure that the policy fits the needs of your organization.
The policy exists to dictate organizational behavior around a specific system or process. So, the policy must contain what your employees must do and why they must do it.

Approval and Distribution

An information security policy is not valid in an organization unless management has signed and approved it. Separation of duties should be maintained in this step of the policy lifecycle.
The policy author and policy approver should not be the same person.
Before a policy can take effect, employees must first receive copies. Employees should receive copies during on-boarding and annually thereafter.
Employees must also receive updates to policies. Apart from physical copies, digital copies can be emailed or stored in a policy management system.

Acknowledgment

Employees must acknowledge a policy for it to be enforceable.
Distribution alone is not enough to confirm that employees have received and agreed to the policy. Employees must confirm using either a physical or digital signature that they have received and acknowledged the policy.
Many times, when a person “has read and understood the terms and conditions”, they have neither read nor understood the terms and conditions. They hope that the terms and conditions won’t be relevant to their lives.
The same is true for a policy. Thus, it’s a good idea to include a summary and quiz questions to confirm understanding of a policy.

Enforcement

Paying lip service to information security does little more than clutter your shared drive with unused policies and fulfill part of a compliance requirement.
For a policy to accomplish its goal, it must be enforced. Like all cultural aspects of an organization, this starts at the top.
It is up to management and the employees with security responsibilities to set the tone of the organization and champion best practices.
After this has happened, the individual(s) responsible for the policy must develop ways to ensure compliance. For example, if the policy includes a “clean desk” statement directing all employees to store confidential documents inside of a locked drawer and to lock their workstations at the end of the day, management may log any instances of noncompliance.
Finally, when exceptions are found, employees must be reminded that security is the responsibility of everyone at the organization. This coaching is not a reprimand, but an attempt to improve both the employee and the organization.

Monitoring and Review

The last step in the policy lifecycle is for responsible parties to monitor acceptance and adherence. They must also modify the policy as necessary.
Management should review all policies at least annually to account for changes in personnel, responsibilities, technology, or processes. If employees resist an area of the policy, the first response should not be to force them to obey it. Instead, management should re-evaluate and see if that policy fits the needs of the organization.
Employees tend to grumble while security practitioners tread the delicate line between security and usability. But at the end of the day, the responsibility of security experts is to create a low-risk environment in which employees can be successful.
Policies play a major role in establishing a baseline for your organization’s information security program. With an understanding of the policy lifecycle, you can leverage policies to gain insight into your organization’s security posture and strengthen security at every level.
Questions about policies or compliance and where to start? Contact us here! We’d love to chat with you and see how risk3sixty can meet your organization’s needs.