5 Tips on Writing Security Policies

Even pure technologists have to write security policies in an enterprise environment. As a subject matter expert on something, a technology specialist might be asked to contribute to the Software Development or the Internet Acceptable Use policies.

However, this leads to policies that nobody reads: copy-and-paste text, dry language and 60-page-long documents. Rings a bell, anyone?

In the following post I reveal a few tricks up my sleeve for writing simple, crystal-clear and straightforward security policies.

Write Clearly in Plain English

Your audience might have a diverse cultural or educational background. They might speak English as a second language. Some of them may even use Google Translate to read the policies.

  • Know your audience
  • Construct simple and compact sentences
  • Avoid being too formal
  • Keep jargon, legal lingo and slang to a minimum
  • Abbreviations should refer to the original word or phrase (in a footnote or a Glossary of Terms)
  • Get to the point and do not over-explain anything

Keep Policies Simple, Stupid

  • Do not regulate two different areas in a single policy (e.g. Information Classification Policy combined with Media Disposal Policy)
  • Do not regulate areas outside of your boundaries (e.g. a security policy is not the place to prevent business fraud)
  • Be visual (e.g. use RACI charts for defining roles and responsibilities)
  • Structure the text with paragraphs
  • Paragraphs should have relevant titles
  • Be consistent (e.g. do not randomly refer to employees as users, employees and workers; just pick one term)

Tailor To Your Organisation

Remember, policies are meant to support the business activities that make the shareholders happy.

  • Originate policies from the Security and/or Business Strategy
  • Never use policy templates; they regulate a different business environment from yours
  • Write the policies that your organisation actually needs (for instance do not publish a Cloud Policy if you only have datacenters)
  • If you end up with more than 12 policies, your policy structure is wrong

Policy Pyramid (figure)

Avoid Like the Plague

  • Regulating technology in policies (technology belongs in standards, procedures and guidelines)
  • Broken cross-references to policies and other documents
  • 3 page long cover pages
  • Documents longer than 8-10 pages
  • Comic Sans MS

Put the Sexy Back into Security

  • Choose a policy framework (ISO 27002, COBIT) or brew your own
  • Dump the boring Word format and store policies as wiki pages (e.g. Confluence)
  • Keep previous releases of the policy available
  • Track versions; textual changes between policy releases should be apparent
  • Finally, make those policies accessible! Instead of http://a03srv21.prod.intranet.com/pages/TripeReceipes/SecurityPolicies.aspx?iamanidiot=yes register a custom domain such as https://security.intranet.com/ and store everything there

Photo courtesy of Erik Charlton and Jeff Dahl
Gabor Szathmari is a cybersecurity expert and digital privacy enthusiast. In his professional life, Gabor helps businesses, including many small and mid-size legal practices, with their cybersecurity challenges at Iron Bastion.