Tips for writing easy-to-understand security policies

In this guest post from Ellen Berry, we find out how to take the best from different styles of writing to generate better compliance with user-friendly policy documentation.

For the amount of writing required of IT professionals in leadership roles, serious writing skills are surprisingly often relegated to low-bandwidth electives in IT degree programs. At best, an aspiring IT security professional may get some solid technical writing experience in school - and, if they're smart, some business writing training as well.

Without decent exposure to journalistic writing, adult learning styles and all-important information design, IT leaders may find themselves struggling to effectively convey important information like security policies and awareness.

Effective Infosec policy writing

A well-written security policy statement:

  • Communicates high-level ground rules and consequences thoroughly yet succinctly
  • Explains both the problem and the solution
  • Emphasizes the degree of importance and relevance
  • Is accessible to employees at all applicable levels of responsibility and reading skill
  • Engages readers through relatable wording and real-world examples
  • Persuades and motivates readers to take ownership of and apply their new knowledge

Elements of engaging technical content

It's the job of the policy writer to do the work for the reader - keep their attention, deliver the message, and compel them to adapt their behavior. The best way to meet this responsibility is to incorporate five elements of writing:

Information Design - The study of how information is organized and presented so that it can be used effectively and efficiently, information design uses visual appearance, content structure, and language that engages the reader and maximizes usability. ID courses are often included in graphic design degrees, but are essential for any profession that is responsible for communicating messages such as security policies well.

Technical writing - Originally defined as writing that explains technology concepts and applications to both technical and nontechnical audiences, technical writing has taken on a much broader scope in recent years. It is often referred to as information development, and covers the documentation and communication of complex messages such as organizational structure, policies, processes, procedures, business models, and financial or data reporting for broad audiences.

Business writing - For the most part, no-frills appearance, lingo-laden language, and stiff statements are no longer considered the fundamentals of good business writing.

Today's business writing pivots on communication rather than pomp and circumstance. The new standards are brevity, clarity, approachability, and a structure that highlights key points - all essential to writing effective security policies.

Journalistic writing - In order to take often complex stories and turn them into bite-sized bytes, journalists focus on readability. Journalistic writing meets the reader where they reside rather than requiring them to come to the writer's level.

Structured from most important to least important, with all essential facts in the first paragraph and supportive data following, stories are shared using conversational tone, simple language and visual elements such as charts and call-out boxes. Quotes, photos and examples humanize the content, making it more relatable. Consider how these out-of-the-box elements will appeal to and connect with the readers of policies.

Adult Learning - Well-written security policies incorporate basic instructional design approaches such as:

  • Showing the reader the reason why they need to know or learn something
  • Using familiar experiences as examples
  • Explaining how readers can become involved and be part of decision making
  • Showing the immediate relevance to the reader's work duties and success on the job
  • Centering on the problem and solution rather than on simple description
  • Motivating readers from within by bringing meaning to compliance

Tips for eliciting the desired response to written security policies

  • Focus on high level policy. Save descriptions of "how" for guideline and procedure documentation - stick to "this must be done, and this is why."
  • Organize the content from most important to least. Avoid burying pertinent information such as benefits of compliance or requirements further down in the policy document. State all of the necessary facts in the first two or three sentences.
  • Structure the document around five essential questions. When writing the first paragraph of a policy statement, always include brief answers to the questions: who, what, where, when, and why? Each following paragraph in the document should directly support these answers, and the document is complete when all answers have been sufficiently supported with specifics and examples. (Note: There may be circumstances in which "where" and "when" are best answered in the accompanying guidelines or procedures documentation.)
  • Include both problem and solution. Make it clear what the audience's role is in the problem, and show through an example how individuals and groups can take small steps to be part of the solution.
  • Keep the wording simple and approachable. It may be tempting to write policies in an officious and authoritative tone in order to convey the importance of them. Let the problem speak to the importance of the policy, and keep the language more conversational to avoid intimidating readers. Try reading policies out loud to hear how they will sound to those who read them. As an exercise in using more conversational language, try writing a policy statement as a script for a video - once the wording is viewer-friendly, both the written policy and video can be used to communicate policies.
  • Sell the reader. Drive home what benefits retaining the knowledge will bring to the reader. These should be summarized near the beginning and supported with examples.

IT professionals who are in roles that require a lot of writing may wish to consider taking training courses in the kinds of writing described above - whether they be online short programs or full-fledged degrees. These skills will not only enhance employability, but provide a complementary career path for extra stability.

For more guidance on writing effective security policies, check out the SANS Security Policy Project and the InfoSec Reading Room.

Ellen Berry writes about a variety of topics related to education and careers for BrainTrack.


I am giving a talk next week on Internet Security for Home users. Due to my background I will start with how a company develops a Security Policy. Can anyone give me some tips about what sort of content should be in a 'Home' Security Policy? My thoughts are that it should be on one page so that non-technical people can understand it, and quickly. For instance, this computer is used equally by myself and my wife, and by our children when they visit. They don't want to be given a multi-page doc to absorb before using the computer. I shouldn't have left this so late. Thanks for any thoughts. I might take some bullet points from the CERT pages on policy.


I think this article points out areas where a number of IT pros struggle and should be addressed. Not only will the organization benefit from better policy writing, but the author will benefit from the exercise of improving communication as part of their role. As the author here points out, too often the expression of technical details to a broad audience takes away from the value of IT as a partner in the overall success of their organizations.

Chris Rich, Product Manager, NetWrix Corporation
NetWrix is #1 for Change Auditing: Simple, Lightweight, Affordable


To using formal grammar when writing? I recall learning that when writing (other than to grandma), one should be concise and use correct grammar. When writing to grandma, use more casual language, and when speaking, use colloquial language? I still struggle to communicate complex concepts using more casual language, as you seem to be advising. I'm often trying to get people to understand more general conceptual ideas so they can apply them as needed in their work. Personally, I learn best from formal material. Think of a mathematics proof or the original Kernighan & Ritchie C text. All the relevant information is there and there can be no possible confusion about the meaning, because the words and symbols have precise meanings. My difficulty is understanding the way others learn and trying to teach them to think about things in a more abstract way. I'm not trying to put anyone down here; I accept that people are different, I just can't "put myself in their shoes". Perhaps an example will illustrate. I've had a number of people over the years call me for assistance when creating a folder and moving some files into it. The "challenge" is that each time they need to create a folder for a different purpose, or want to work with different file types, they ring again and we repeat the exercise. How does one communicate the more abstract concept so they understand that the type of file, the name of the folder, or what colour the client's tie is makes no difference to the process? PS, Asperger's probably doesn't help!


I understand how this can be a challenge. You might consider using examples and metaphors to explain technological concepts. For example, I use "Tupperware containers" to demonstrate the relationship between larger and smaller folders, and their overall purpose. If someone is having trouble understanding a concept over the phone, consider drawing it for them or showing them a diagram online. Also, teaching folks how to "think like a computer" can help solve many problems at once.