
Risky Business


Tips and tricks for securing information


Policy Writing .. As easy as it sounds!

By utnvrrv, on 27 February 2017

Policy Writing

Policy-Writing. One step at a time

This series of posts explains an effective policy writing process. It will take a reader through some of the steps involved in policy writing.

Policies as cornerstones

A policy reflects the organisation’s strategy for carrying out its functions. As an example, a Finance policy lays down the ground rules for effective administration of its finances in a way that satisfies HMRC. Similarly, an Information Security policy should reflect the organisation’s objectives for security. This policy should satisfy its stakeholders that the data and information it holds are subject to the necessary controls. It also sets the framework for the management strategy for securing information.

Are we in agreement?

In order for any policy to work well, it must be agreed on by the executive management. With proper management support, the policy provides authority for executing the rest of the program, in this case the Information Security Program. It is important to understand the management thinking when defining a policy for the organisation. Besides management support, the policy writer (security professional) should get the views of key stakeholders in the organisation. It is also important to understand the culture and the ethic of the organisation when defining a policy.

Positive Statement

After the interviewing process, the policy writer must capture the essence of the discussions in a positive statement. This statement will illustrate how the organisation would like its information protected. The statement should be a faithful representation of views; that is, without overstatement, change of meaning or adding to the content.

Next steps

In the next blog we will look at molding management’s perspective on the subject and emerging with a strategy. Till then..
