I know this is a general question, but I’ve been having difficulty constructing a methodology on developing information security procedures from a policy that is already in place. I don’t want to write the actual procedures, I want to write the approach to be used to write them, as the specific procedures may vary slightly from client to client.
