Abstract: An information security policy is a most vital and therefore essential part of any organisation’s set of controls. Yet most organisations have poorly written policies. This paper examines the possible shortfalls of policy writing. Starting from the meaning and etymological roots of the word, the theory behind particular structures is discussed. The case is made for a single-policy, many-standards hierarchy. Structural and linguistic considerations, including a sample statement hierarchy, provide 2 practical suggestions on how to build such a hierarchy. Authorship considerations and some fine details on how to convey the will and purpose of the signatories complete the paper.