1. Decide what you actually want staff to do
Before writing a single sentence, list the behaviours you need from staff, for example:
- How staff handle customer data.
- How they work remotely and use personal devices.
- How they manage passwords and accounts.
- How they report incidents or suspicious events.
Policies should describe these behaviours clearly instead of repeating generic lines about “industry best practice”.
2. Limit each policy to a small number of pages
A practical rule for a small organisation is simple:
- Core policies: one to three pages each.
- Procedures: short, numbered steps or checklists.
If a policy reaches ten pages, it is almost guaranteed that staff will not read it. So keep it short!
3. Use plain language and concrete examples
Replace abstract statements with clear instructions, for example:
- Instead of: “Users must use strong passwords”
  Use: “Use a password manager and create a unique passphrase for each system.”
- Instead of: “Sensitive data must be stored appropriately”
  Use: “Customer data must only be stored on company-managed systems, not on personal laptops or USB sticks.”
4. Align policies with real technical controls
Policies should not promise what your systems cannot enforce. For example, if your email platform does not support a particular control, do not write that control into policy as if it were already in place.
Start by documenting what you already do technically, then tighten and extend that with clear boundaries.
5. Define consequences proportionately
Staff need to understand that policies matter, but they should not feel threatened for honest mistakes. A graded approach helps:
- Coaching and retraining for first-time or low-impact issues.
- Formal warnings where behaviour is repeated or negligent.
- Stronger measures only for serious or deliberate breaches.
6. Introduce policies as part of a conversation
Simply emailing a PDF and asking staff to sign is not enough. Introduce key points in short briefings or team meetings and explain:
- Why the policy exists.
- What has changed compared to previous practice.
- Where staff can ask questions or raise concerns.
7. Review and refine annually
Policies should be updated as your systems and ways of working change. An annual review is enough for many small organisations, with interim updates if there is a major change in technology or regulation.
From templates to a living set of expectations
Good policy work does not require hundreds of pages. It requires clear thinking, concise wording, and alignment with how your organisation actually operates. Within the Baseline Security Sprint, policy work is kept compact and tied directly to technical and procedural changes, so that expectations match reality.
Next step: if you would like a short, focused review of your current policies, resulting in an updated, practical set that staff can follow, you may find it useful to explore how that fits into a sprint-style engagement.