The following are some suggested sections that a policy document should include:
- Introduction: A brief overview of the policy.
- Purpose: A brief outline of the overall strategy for the policy and why it was implemented.
- Scope: Define which employees, departments and businesses are covered. If the policy is for a large complex organization state whether temporaries and consultants are subject to the policy. Also address vendors, partnerships and businesses where your company is not the sole shareholder.
- Roles and Responsibilities: Who is responsible for implementing the policy, monitoring compliance, providing any necessary training, handling and approving exceptions, etc. Do not neglect this section: more often than not, policies are approved without funding or dedicated resources for training, policy maintenance, guideline support, etc.
- Policy: These are the actual requirements for compliance.
- Exceptions and Deviations: In a complex organization, the exception is often the rule. You will need to create a process for businesses to obtain permission to use practices, procedures or systems that do not meet the policy requirements. As part of this process you will need to designate who must approve these exceptions.
- Procedures: In many cases you will need to provide suggested practices and procedures, guidelines or implementation manuals to ensure that the businesses implement the policy correctly. Avoid placing these detailed procedures in the body of the policy; put them either in an appendix or in a separate document.
- Compliance and Testing: Outline the processes or control indicators by which the businesses will monitor compliance with the policy. In addition, the policy should guide the business in what controls should be tested.
- References: Any legal or regulatory sources for the policy, along with helpful links and related documents.
- Revisions: Document ongoing changes. For a complex policy, it is always helpful to provide users with a Track Changes document or specific references to what was changed in the most recent revision.
- Definitions: There is a tendency in IS policies to rely on acronyms and "tech speak". Make sure you include a thorough set of definitions for the uninitiated.