Good policies should have five distinct attributes to become a successful and reasonably accepatable organization wide.

Specific: A policy must address a specific issue or objective clearly and thoroughly.

Measureable: To be effective, policy must have some condition of measuring adherence to the control. If people are not adhereing to policy then we may need better controls or perhaps better training program.

Achievable: To follow the policy, employee must have enough resources, tools and training to make policy objectives achieveable

Realistic: How realisticcally can we expect the policy will be followed and employee will be able to achieve his/her business objectives without any issues. This is where there is a need to balance security and availability. The question we need to ask how much should we Lock it Down or Free it Up?

Time Based: Specify when policy takes effect, when review will occurs and when conformance become required

To remember these five attributes here is an acronym “SMART”

Writing Information Security Policies