Who should develop information security policies?

Ideally, information security policies should be developed by a small team. While there are no hard-and-fast rules, it is essential that at least one author of the written security policies has specific expertise in information security. The field uses terminology that has been refined over years to describe controls and reduce risk to an organization, and the words in a policy carry concrete obligations. For this reason it is not appropriate simply to copy a template of pre-written information security policies and adopt it for the organization. The policy author (and everyone responsible for approving the policies) must understand what each written policy actually commits the organization to doing. Adopting policies that the organization cannot enforce often creates more risk than having no policies at all: the written policy then describes controls that do not exist, which misleads anyone who relies on it and becomes a finding in any audit or investigation.

Another valuable team member is someone with strong writing skills, such as a technical writer. Written security policies are meant to be read and understood by people both inside and outside the organization, including staff who have no security background. Policies drafted by legal or highly technical professionals alone are often difficult to read, and a policy that is not understood will not be followed.

Finally, the team should include someone with a strong background in information technology. In most cases a policy implies that one or more individuals in the organization must perform specific actions to implement it on particular technologies (for example, enabling logging on a server or configuring a network firewall). After all, information security policies exist to protect information and systems, so a deep knowledge of the organization's IT environment is essential in crafting policies that are meaningful and achievable within it.