

Good policies should have five distinct attributes to become successful and reasonably acceptable organization-wide.
Specific: A policy must address a specific issue or objective clearly and thoroughly.
Measurable: To be effective, a policy must have some means of measuring adherence to the control. If people are not adhering to the policy, then we may need better controls or perhaps a better training program.
Achievable: To follow the policy, employees must have enough resources, tools and training to make the policy objectives achievable.
Realistic: How realistically can we expect that the policy will be followed and that employees will be able to achieve their business objectives without any issues? This is where there is a need to balance security and availability. The question we need to ask is: how much should we Lock it Down or Free it Up?
Time Based: Specify when the policy takes effect, when review will occur and when conformance becomes required.
To remember these five attributes, here is an acronym: “SMART”.
Writing Information Security Policies