Style Guide to Creating Good Policies

by Sarah Harvey / May 19th, 2015

Countless regulatory compliance and client requirements depend on clear and appropriate policies and procedures to demonstrate how organizations are conducting their business. Without defined policies and procedures, you face the threat of heavy fines from regulatory governing bodies, loss of business, or loss of data. As auditors, we find that many of our own clients struggle with understanding the organization of a policy, what does belong in a policy, what doesn’t belong in a policy, and the writing style and content of a policy.

What are Policies and Procedures?

Understanding how to write a policy starts with first understanding what a policy is. According to Merriam-Webster, a policy is “a definite course or method of action…to guide and determine present and future decisions; a high-level overall plan embracing the general goals and acceptable procedures…” In terms of our world, this means what employees must do or not do, directions, limits, principles, and guides for decision making – all representing mandatory rules that must be enforced. Simply put, it’s the law at your organization. To differentiate between what a policy is and what a procedure is you must consider policies to be what you do, and procedures are instructions on how you execute that policy.

Example Policies and Procedures

Companies collect, store, process and transmit a large amount of sensitive information – about their employees, business, and their clients. This information can be personally identifiable information such as credit card numbers, or social security numbers, patient records, company secrets and intellectual property, and more.

An example of a policy that would address the physical security of this kind of information would be something like this:

All visitors must sign in at the front desk in the Visitor Log and present two forms of identification, wear a badge the entire time they are on the property, be escorted by personnel throughout the facility at all times, and sign out when leaving the facility.

And the procedure for that policy would look something like this:

Front desk employee collects two forms of picture ID. Visitor is required to sign Visitor Log and include name, date, time-in, time-out, and reason for visiting. Visitor badges are issued by appointed personnel. They are easily distinguishable from employee badges. Visitor badges are collected by a front desk employee upon exit. Appointed personnel is required to escort the visitor at all times while on company premise.

Why You Need Policies and Procedures

As organizations, we need policies. We need defined rules. We mainly need them to control risks to our business assets, but to also have a common understanding and language to create consistency among the culture of our organizations. Imagine trying to train a new hire without a list of policies that give clear instruction for how to do a certain job? How can you successfully defend your actions if you don’t have a policy to refer back to showing that you did what you were supposed to do? Policies are also necessary for compliance with most regulatory and information security frameworks.

Creating a New Policy

There are several components that go into the creation of a new policy. The format and content requirements, policy approval requirements, annual policy review requirements (at a minimum), dissemination of a policy, enforcement of a policy, and the roles and responsibilities within a policy. Policies should have a standard format and structure that often include a title, who owns the policy, when the policy becomes effective, which version that it supersedes, and who approved the policy. The organization of a policy, as a general rule, includes the background and purpose of a policy, scope, the actual policy statement communicating what are the rules, roles and responsibilities of those that may be referred to in the policy, references to other policies or procedures that are interrelated, a glossary of any terms that were used, and a revision log showing the history of the review and update process of a policy.

What to Include in Your Policies

Not sure what goes into a policy? Policies can be rules, acceptable or unacceptable behaviors, limits, approval authorities (who needs to approve a decision – expense reports, discounts, etc.), consequences for non-compliance (whether it would be subject to termination), who needs to know, and how it is managed. Things that don’t belong in a policy are things like procedures. The step-by-step should be separated from the policy itself. Also, policies aren’t aspirational, so if you’re not doing something today, don’t make the policy say you’re doing something you plan to do next year. Policies are also not a place for repetitive information that collide with other policies.

Policy Writing Style

The last piece to creating good policies is understanding the writing style and the content of a policy. Policy writing style guidelines suggest that the policy title should fully characterize the content in the policy. This will allow the table of contents to be clear and concise, knowing immediately what each policy entails and who it refers to. Some examples of this would be a “Change Management Policy”, “Remote Access Policy”, “Personal Device Policy”, etc. Policies should be written in an organized way for easy navigation and should follow the natural business flow (first this, then this). When writing policies always be clear, concise, and direct, keeping it simple and making sure to not be too wordy. Another important thing to remember when crafting the language of your policies is that policies are rules, so write them as such. Use words like “will” and “must” instead of “should” to leave zero doubt. Using active voice and present tense allows you to be positive and directive. It’s important to be factual, but even more important to be accurate with your facts, so check them twice. Each department specific terms used in a policy should be properly defined and located in the glossary. You must be in the mindset of someone on the outside. If they were reading this for the first time, would they understand what the policy is referring to? Acronyms should be spelled out the first time they are mentioned in a policy and then included in the glossary.

After your policies are written, they should go through the appropriate approval process. Who has the authority to approve this kind of policy? Management? Board of Directors? Vice President? The approval process should happen with new policies, as well as with the (at a minimum) annual review of all policies, to ensure that your policies still apply and are accurate and up to date. Once policies are clearly defined and approved, they must be appropriately disseminated to all appropriate personnel, and stored somewhere everyone can have easy access to them such as the intranet.

For additional resources and advice on creating your own set of policies and procedures, contact us today.

More Resources

Quickstart to Information Security Policies for Startups

Auditor Insights: Policies and Procedures are Better Than Gold

15 Must-Have Information Security Policies