Develop and Deploy Security Policies

Build the foundation of your information security posture with a fit-for-purpose suite.


Major Business Pain Points

  • Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities and compliance requirements, are rarely comprehensive, and are inefficient to revise and maintain. 
  • End users do not traditionally comply with security policies. Awareness and understanding of what the security policy’s purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed. 
  • Adhering to security policies is rarely a priority to users as compliance often feels like an interference in daily workflow.


Key Points

  • Policies must be reasonable, auditable, enforceable, and measurable. If the policy items don’t meet these requirements, users can’t be expected to adhere to them. Focus on developing policies that can be quantified and qualified so that they are relevant.
  • No published framework is a perfect fit for your organization. One framework (or several) may provide useful guidance in developing your policy suite. From there, figure out what policy items apply to your organization and customize the documents. Otherwise, the policies won’t be enforceable.


  • Short term: Save time and money using the templates provided to create your own customized security policies mapped to ISO 27001 and NIST standards. 
  • Long term: After the initial policy development, minimal updates will be required to ensure the policy remains up to date. Long-term maintenance and compliance of the policy will ensure legal and corporate satisfaction of security measures. 

Methodology and Tools

Executive Brief

Read the concise Executive Brief to find out why you should develop and deploy security policies and review the methodology. 

  • Develop and Deploy Security Policies – Executive Brief
  • Develop and Deploy Security Policies – Phases 1-3

1. Formalize the security policy suite

Determine the policy framework that makes sense for your organization, leverage stakeholder support, and prioritize the development of relevant security policies. 

  • Develop and Deploy Security Policies – Phase 1: Formalize the Security Policy Program
  • Security Policy Prioritization Tool 
  • Information Security Policy Charter Template 

2. Develop the policy suite

Customize the policies to reflect your organizational requirements and acquire approval. 

  • Develop and Deploy Security Policies – Phase 2: Develop the Policy Suite
  • General Security – User Acceptable Use Policy
  • Access Control Policy – NIST 
  • Security Awareness Training Policy – NIST
  • Audit and Accountability Policy – NIST
  • System Configuration Management Policy – NIST 
  • Identification and Authentication Policy – NIST
  • Incident Response Policy – NIST
  • System Maintenance Policy – NIST
  • Media Protection Policy – NIST
  • Personnel Security Policy – NIST
  • Physical Protection Policy – NIST
  • Risk Assessment Policy – NIST
  • Security Assessment Policy – NIST
  • System and Communications Security Policy – NIST
  • System and Information Integrity Policy – NIST 

3. Implement the security policy program 

Ensure proper communication, management, measurement, and continuous maintenance of your security policy suite. 

  • Develop and Deploy Security Policies – Phase 3: Implement the Security Policy Program
  • Policy Communication Plan Template
  • Security Culture Maturity Assessment and Content Development Tool 

All resources on this page are provided to Cyber Leadership Hub members under license from third parties including Info-Tech Research Group Inc, a global leader in providing IT research and advice.