Created by the Security Executive Council
A strong policy can make a significant impact on security’s ability to set, communicate, and enforce requirements for managing risk. The following template, based on research by the Security Executive Council, can help guide you as you write your next one.
Of course, no one policy can be universally applied across all types and sizes of organization. Like so many other building blocks of business and governance, policies must be developed with an eye toward the unique culture, structure, and needs of each organization. So, in providing this template, we intend to offer a starting point, not a fill-in-the-blank.
- Make clear who owns the policy. Which business units and which individuals are responsible for development, implementation, review and monitoring?
- Make sure all stakeholders are involved before drafting begins. Do not develop policy in a silo; invite voices from every impacted business unit, up through the C-suite.
- Make sure you are differentiating between policy and procedure. The policy is the “what”: a broad set of mandates with wide application. The procedures (which may or may not accompany the policy) are the “how”: specific instructions for meeting those mandates.
- Develop a plan to effectively communicate the new policy as it takes effect, and ensure that communication is accompanied by appropriate training.
- Include a schedule for review of the policy.
- Plan how you will measure the policy outcomes through monitoring and enforcement.
Purpose / Statement of Intent
A clear statement of the rationale for the policy and what it intends to achieve. Be concise – a few sentences at most.
Executive Summary
If the policy has a long list of subsections or mandates, it may be useful to include this section up front. Shorter or less complex policies may not require an executive summary.
Background / Overview
Where appropriate, a brief explanation of the context that makes the policy necessary. This may include references to regulation or current events, or a description of how the policy supports the corporate mission or vision.
Scope / Application
To whom does this policy apply? Does it cover all employees at all locations, or does it apply only in certain geographies, business units, or at certain reporting levels? Be specific.
Policy Statements
The details of the policy, broken into bulleted or numbered mandates. Categorize into subtopics where necessary.
- EMPLOYEES SHOULD
- EMPLOYEES SHOULD NOT
- THE ORGANIZATION DOES
- THE ORGANIZATION DOES NOT
Keep the language and the mandates broad and widely applicable. Remember that this is the policy (the what), not the procedures for implementing it (the how).
Compliance
How and by whom is compliance monitored? Are any entities in the organization exempt from complying? What are the consequences of noncompliance?
Responsibilities / Getting Help
Who is the owner of this policy? What individual or business unit is responsible for reviewing the policy and monitoring compliance? To whom, specifically, should questions and concerns be addressed? Some policies include this statement under Overview or Compliance rather than in its own section, but it is a critical statement to include in some form.
References / Related Documents
If appropriate, use this space to link to relevant internal or external documents: standards and regulations, procedures for the implementation of this policy, other related corporate policies, etc.
Definitions and Terms
To Be Reviewed On: