The role of policy is to codify guiding principles, shape and require behavior, provide guidance to those who are tasked with making present and future decisions, and serve as an implementation roadmap. An information security policy (ISP) is a directive that:
- Defines how the organization is going to protect its information assets and information systems;
- Ensures compliance with legal and regulatory requirements; and
- Maintains an environment that supports the guiding principles of the organization.
After you’ve learned the seven characteristics of a successful ISP, it’s time to make them a reality in a written document that pertains specifically to your organization. Writing policy documents can be challenging. After all, they are complex documents that must withstand legal and regulatory scrutiny while at the same time being easy for the reader to read and understand. The starting point for choosing a format is identifying the policy audience.
A policy can be intended for an organization-wide audience. Policies may also be intended for a particular group of employees based on job function or role, such as a policy defining the responsibilities of the Information Security Officer. The policy, or portions of it, can sometimes apply to people outside of the company, such as business partners, service providers, or contractors.
Formatting Your ISP
Once you’ve identified the audience, it’s time to organize and outline the document. It’s important to decide how many sections and subsections you will require before you begin writing. There are three general formatting options to choose from when you begin organizing your document.
- Singular Policy – A policy that’s specific to the role and responsibility of the Information Security Officer, for example. This format can be applied to any role within the organization.
- Consolidated Policy Section – Addresses the role and responsibilities of everyone who governs the organization including the Board of Directors, executive management, Chief Risk Officer, Information Security Officer, Compliance Officer, legal counsel, auditor, IT Director, and users.
- Select a Standard Framework – It is highly recommended to select one of the many standard information security / cybersecurity frameworks as the basis for organizing the policy document. Using a standard framework places your organization within a common language used nationally or internationally for organizing an ISP. Examples include the ISO 27002 Code of Practice for Information Security Management and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF). The other significant benefit of basing your ISP on a standard framework is that the policy sections are well defined, with guidance to help you select the right set of policies for your organization.
There are advantages and disadvantages with each of these formats. The advantage to singular policies is that each policy document can be short, clean and crisp, and targeted to its intended audience. The disadvantage is the need to manage multiple policy documents and the chance that they will become fragmented and lose consistency. The advantage to a consolidated policy is that it presents a composite management statement in a simple voice. The disadvantage is the potential size of the document and the reader challenge of locating applicable sections.
Involve Key Personnel
Policies are not often thought of as beneficial. There are several reasons for this common perspective. Perhaps the most significant is that policies are most often written in a “glass tower” and then distributed to an audience expected to adhere to them without having had any input or agency. In order to create the most realistic and practically relevant document(s), it is important to invite representatives from the departments that play key roles in your organization’s operations. When those who understand what is possible are involved in crafting requirements, the result is a document that the audience will identify with and be far more able and willing to comply with.
Writing Style and Technique
Once you’ve determined the objectives, format, and components that will make up your document, it’s time to start writing. The style of the document is critical. The first impression of any document is based on style and organization. If the reader is immediately intimidated, the contents become irrelevant. Keep in mind that the role of policy is to guide behavior. That can only happen if the roadmap is clear and easy to use. How the document flows and the words you use will make all the difference as to how the policy is followed. Know your intended reader and write in a way that is understandable. Use terminology that is relevant. Most importantly, keep it simple and use plain language.
The term “plain language” means using the simplest, most straightforward way to express an idea. By the time you are done writing your ISP, it should be easy to read, understand, and use, thanks to the use of plain language. According to the Plain Language Action and Information Network (PLAIN), there are ten guidelines to writing with plain language that are pertinent to policy writing.
- Write for your audience. Use language your audience knows and is familiar with.
- Write short sentences. Express only one idea in each sentence.
- Limit a paragraph to one subject. Aim for no more than seven lines.
- Be concise and leave out unnecessary words.
- Don’t use jargon or technical terms when everyday words have the same meaning.
- Use active voice. A sentence written in the active voice shows the subject acting in standard English sentence order: subject-verb-object. Active voice makes it clear who is supposed to do what and eliminates ambiguity about responsibilities.
- Use “must” not “shall” to indicate requirements. The word “must” is the clearest way to convey to your audience that they have to do something.
- Use words and terms consistently throughout your documents. If you use the term “senior citizens” to refer to a group, continue to use this term throughout your document.
- Omit redundant pairs or modifiers. For example, instead of “cease and desist,” use either “cease” or “desist.”
- Avoid double negatives and exceptions to exceptions. Many ordinary words have a negative meaning, such as unless, fail to, except, unlawful (“un”-words), disallowed (“dis”-words), terminate, etc. Watch out for them when they appear after “not.” Find a positive word to express your meaning.
Writing an ISP document is a multistep process. First, define the audience for which the document is intended. Then, choose the format and structure. Once those steps are completed, you can begin writing. Be sure to use plain language and to give each section a strong introduction and clear headings.
Download our Sample Information Security Program Template to get started! Happy writing.
Note: This article is an excerpt from Security Program and Policies: Principles and Practices (2nd Edition) by Sari Greene, founder of Sage Data Security, now part of Tyler Technologies, Inc. as Tyler Cybersecurity.