How to write an information security policy, plus templates

Faced with multiplying security threats and complex IT environments, companies need comprehensive policies that detail how they will protect their systems and respond to attacks.

CISOs and IT security leaders need well-documented information security policies that detail how the organization manages its security program, implements technologies and addresses cybersecurity threats and vulnerabilities. These policies also underpin the IT audit process by defining the controls that auditors examine and validate.

Let's examine why policies are critical for security, how to prepare an IT security policy and the components of a security policy. Also included are two ready-to-use, customizable templates -- one for general cybersecurity and one for network perimeter security -- to help guide IT security teams through the policy drafting process.

Why companies need security policies

IT policies and procedures complement each other. Policies state which areas of security must be addressed and what the organization requires, while procedures explain how to carry out those requirements.

Discrepancies and weaknesses in policies are often brought up during audits, so it's best to prepare in advance. Users often have security concerns about their data and systems, so it's advisable to disseminate security policies to employees and clients to alleviate those concerns.

Sample policy templates
Use our free, customizable cybersecurity policy template and network perimeter security template to identify the scope, purpose and requirements of an enterprise security policy. Modify these templates to best fit your organization's needs.

How to prepare a security policy

Follow these steps when preparing an information security policy:

  • Identify the business purpose for having a specific type of IT security policy.
  • Research how security is currently managed by the organization. Examine security performance reports, incident reports and other documents.
  • Identify relevant cybersecurity standards, regulations and frameworks to develop the policy.
  • Examine existing security policies to identify policy structures and formats. Adapt them if needed for new policies.
  • Establish a project plan to develop and approve the policy.
  • Create an internal team to develop the policy.
  • Consider engaging an experienced third party to provide assistance.
  • Schedule management briefings during the writing cycle to ensure relevant issues are addressed.
  • Ask internal departments to review the policy, in particular legal and HR.
  • Ask the risk management team to review the policy. Distribute the draft for final review before submitting it to management.
  • Secure management approval and disseminate the policy to employees.
  • Develop and deliver employee training to explain the new policy.
  • Establish a review and change process for the policy using change management procedures; this should be part of a continuous improvement activity.
  • Schedule and prepare for annual audits of the policy.

Components of a security policy

Policies for information security and related issues don't need to be complicated; a few paragraphs are sufficient to describe relevant security goals and activities. Include more detail as needed.

Use the following outline to start the drafting process:

  • Introduction. States the fundamental reasons for having a security policy.
  • Purpose and scope. Provides details on the security policy's purpose and scope, which can include data, systems, facilities and personnel.
  • Statement of policy. States the security policy in clear terms. Include specifics for accessing systems and data, password management, data privacy, access authentication, incident response, physical security, network security, remote access security, patch management, use of security tools, impact of AI, employee training and awareness, and continuous improvement.
  • Statement of compliance. Specifies security laws, regulations, standards and other guidance with which the policy aims to comply.
  • Policy leadership. States who is responsible for approving and implementing the policy, as well as levying penalties for noncompliance.
  • Roles and responsibilities. Details the roles and responsibilities of personnel, e.g., IT staff and data owners, who deal with security daily.
  • Verification of policy compliance. States what is needed, such as monitoring, audits and assessments, exercises and penetration tests, to verify security activities are in compliance with policies.
  • Penalties for noncompliance. Specifies penalties for noncompliance, such as a verbal reprimand and a note in the noncompliant employee's personnel file for internal incidents, and fines and/or legal action for violations by external parties.
  • Appendices. Includes additional reference information, such as lists of contacts, other relevant security policies, service-level agreements and details on specific security policy statements.

Additional best practices when preparing a security policy include the following:

  • The policy should be developed by a team that can address operational, legal, competitive and other issues associated with information security.
  • Get input from internal departments on their specific security requirements.
  • Discuss the policy with HR to ensure uniform compliance by employees.
  • Ensure senior management supports the policy.
  • Specify who can access IT resources and access criteria, such as role-based access and privileged access.
  • Include security requirements for physical devices, such as laptops and firewalls.
  • Specify hardware and software security requirements, including patching and other updates.
  • Identify the frequency of change to security controls.
  • Identify how to train employees on the policy.
  • Regularly test, review and update the policy to ensure relevance to the organization, compliance with regulatory mandates and continuous improvement.
  • Periodically audit the policy to ensure security controls are followed and are appropriate for the organization.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
