Clear Guidelines for Writing Policy Documents


Summary

Writing clear policy documents requires creating structured, concise, and practical guidelines that define what an organization does and how it operates, ensuring consistency, clarity, and usability for all stakeholders.

  • Define purpose clearly: Ensure policies focus on current standards and practices, avoiding aspirational or future goals, which should be documented separately in roadmaps.
  • Balance detail and simplicity: Write policies and procedures with the intended audience in mind, using clear, actionable language while avoiding unnecessary complexity or excessive background information.
  • Test and refine: Share drafts with relevant teams, gather feedback, and adjust to ensure the guidelines are functional, practical, and achievable in real-world scenarios.
Summarized by AI based on LinkedIn member posts
  • Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.


    In response to a recent post, Matt Strusinski asked if I could recommend "steps an organization could implement to ensure that their policies aren't too 'aspirational.'" See https://lnkd.in/eN2MWFzP. Of course! Here are my thoughts:

    1. PURPOSE: It is important to remember the purpose of security policies. Typically, those are (1) to promote consistency within the org over time; (2) to document what you are actually doing (which can be important if you end up in litigation). For both reasons it is important that policies reflect what the org is CURRENTLY doing.

    2. POLICIES v. ROADMAP: The purpose of a policy is not to be aspirational. Future plans should be documented in a separate "roadmap." See https://lnkd.in/eHAqvUzr (better roadmaps).

    3. POLICIES v. PROCEDURE: A policy explains WHAT the org does, whereas the procedure explains HOW it does it. Thus, the policy may say to "conduct quarterly access reviews." The procedure would explain whose responsibility that is, when they do it, how they do it, and how it is documented. Having the team that will actually perform the procedure prepare the first draft of the procedure will tend to make it more useful.

    4. DOCUMENT EXCEPTIONS: Emerson once wrote that "a foolish consistency is the hobgoblin of little minds," so there will be exceptions to almost every rule. It is important, however, that there be a procedure for documenting these exceptions.

    5. DISCLAIMERS: After an incident, an org may be accused of failing to live up to its own policies. Thus, policies should contain disclaimers, such as to make clear that the org understands the particular policy or control may not be appropriate or feasible in every situation.

    6. FEEDBACK: After you have drafted or updated policies, get feedback from the relevant teams. If they tell you that the policy is not currently achievable, adjust the policy so it is not just aspirational.

    7. TRAINING: This may come as a shock, but many of your employees won't actually read the policies. Thus, it is important to regularly train your employees on the policy.

    8. TRANSLATION: It is even less likely that employees will read policies that are not in their language. Global orgs should have their policies translated into the different languages that their employees read.

    9. ANNUAL REVIEW: Policies, procedures, and exceptions should be reviewed and updated at least annually.

    10. COMMON POLICIES: Larger organizations commonly have policies such as the following:
    • Overall information security policy
    • Identity and access mgmt.
    • Threat and vulnerability mgmt.
    • Log mgmt.
    • Patch mgmt.
    • Configuration mgmt.
    • User account mgmt.
    • Security awareness training and employee obligations
    • Software/application development security
    • Bring your own device (BYOD)
    • Data classification
    • Data privacy
    • Data retention
    • Cloud security
    • Physical security
    • Insider threat

    Thanks for the suggestion, Matt Strusinski! Appreciate it!

  • Pam Hurley

    Mediocre Pickleball Player | Won Second-Grade Dance Contest | Helps Teams Save Time & Money with Customized Communication Training | Founder, Hurley Write | Communication Diagnostics Expert


    If I had a dollar for every organization I've worked with where the SOPs were good, I wouldn't have a dollar. From my work with companies such as GSK, Novartis, and Pfizer, I hold that:

    📋 SOPs must be functional above all else. Their purpose is to help people complete tasks successfully and safely, on time, with expected outcomes.

    ❌ But most SOPs fail because of:

    1. Too Much Information
    • Every task 20+ steps
    • Information not concise or focused
    • Steps containing rationales (belongs in policy docs)
    • Poor titles that don't indicate task purpose
    Example of what NOT to do: "Please take a moment to review the testing documentation below." (It's not a favor—just write "Review the testing documentation")

    2. Format & Language Issues ⚠️
    • Walls of text without reading cues
    • No white space for visual breaks
    • Complex words where simple ones work ("utilize" vs "use")
    • Multiple actions crammed into single steps
    Real example of what NOT to do: "Remove one packet from the pouch and carefully add all contents to the water sample, swirl the sample until all the reagent dissolves into the solution." (That's 3 separate steps crammed into one!)

    3. Structure Problems 🔍
    • Steps not chronological
    • Sections bleeding into each other
    • Missing process mapping (critical for understanding flow)
    • Key information (like definitions) buried at the back

    ✅ The solution starts with three key principles:
    1. Map Before Writing 🗺️ Process mapping isn't optional; it's the foundation for any usable SOP (like your clinical trials, start with a protocol, not a prayer).
    2. Write for Real Use ✍️ One action per step, simple language (save the fluff for your cotton swabs).
    3. Structure for Success 🎯 Put key information where readers need it (hint: definitions belong up front, like your safety goggles).

    💡 As I tell my pharma clients: "Will incorporating these concepts make your SOPs longer? Yes, sorry. Will it make them more usable? Yes, not sorry."

    ⚠️ Because in pharma, unusable SOPs aren't just inefficient—they're a compliance risk (or worse, accident) waiting to happen. Questions? AMA in the comments ⤵︎

  • Brian Blakley

    Information Security & Data Privacy Leadership - CISSP, FIP, CIPP/US, CIPP/E, CIPM, CISM, CISA, CRISC, CMMC-CCP & CCA, Certified CISO


    Just reviewed your procedures, …and – well – they’re not good… They’re either too detailed, turning into a novel, or so vague they leave the reader scratching their head. The secret? Tailoring your procedures to your audience and hitting that "just right" level of detail. Here’s how I try to strike the balance…

    -> Write for the people executing the procedure. Are they experienced engineers, junior analysts, or cross-functional (HR, Accounting, etc.) teams? Use language and concepts they’ll understand.
    -> Avoid unnecessary theory or deep background and PLEASE assume a baseline of competence. Outline clear, actionable steps someone ->skilled in the art<- can follow without needing extra guidance.
    -> Include enough detail to prevent confusion or missteps, but not so much that your procedure becomes heavy to follow or maintain.
    -> Use concise, active language. Focus on tasks, tools, and outcomes. Every word should add clarity & value to execution.
    -> Have someone unfamiliar with the procedure try to execute it. If they ask for clarification, refine it. If they finish without questions, you’re close to “goldilocks.”

    When procedures are done right, they empower your team to act confidently and consistently. Start by writing a procedure to make a peanut butter and jelly sandwich, then have someone follow it and provide feedback. Iterate and improve.

    #ciso #dpo #MSP #compliance #procedures
