A policy is a foundational aspect to the development of a strong information security program. When developing a policy, you should ensure that you follow a few key principles:

• Receive board-level / CEO approval and support:
  • Without CEO or board-level backing, a security program is doomed to fail
• You should only create a policy that you intend to follow:
  • This means do not create a policy for the sake of the documentation. A policy that sits on the shelf and is never used does not help anyone.
  • Policies that you don't follow will be used by an auditor to show that you are deficient:
    • If you have policies follow them.

• Ensure your policies are implementable:
  • There are many ways that a security standard can be met, and your policies should reflect the way that your organization wants to implement a standard
  • Do not describe four points in a policy if you intend to only implement two of them if those two provide adequate risk mitigation
• A policy needs to take into account the organization's appetite for accepting risk:
  • Consider the value of the information that your organization owns.
  • Consider what would happen to the organization if you lost control over the confidentiality, integrity, and/or availability of the information:
    • Are you trying to safeguard trade secrets or sensitive proprietary information (confidentiality)?
    • Does information need to be accurate at all times (integrity)?
    • Could the organization effectively operate without its information (availability)?
  • Answers to questions like these, combined with an understanding of you organizations risk appetite, will inform your policy development.