What goes into good infosec documentation?

Many organizations struggle to meet compliance requirements for proper documentation.

What are the components of a good policy and procedure document?

Here are some guidelines:

Policy
Definition: A policy is a high-level statement of management intent that formally establishes requirements to guide decisions and achieve rational outcomes.
Example: We will properly maintain our network and assets.

Control Objective
Definition: Control objectives are targets or desired conditions designed to ensure that policy intent is met.
Example: The organization applies software patches in a timely manner.

Standard
Definition: Standards are formally established requirements regarding processes, actions, and configurations.
Example: Systems must be patched within 30 days of the vendor’s release date.

Procedure
Definition: Procedures are a formal method of doing something based on a series of actions conducted in a certain order or manner.
Example: Workstations and servers will be patched on (a certain day of each month or week) by (assignment).

Control
Definition: A safeguard or countermeasure prescribed for an information system or an organization, designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.
Example: A vulnerability management plan is developed and implemented.

Metric
Definition: A quantifiable measure that is used to track and assess the status of a specific information security process.
Example: % of infrastructure assets missing critical/high patches.


Your documentation can consist of many separate documents or a single comprehensive document. There is no right or wrong approach, as long as each area required by your framework program or compliance mandate has documentation that includes these key elements.

Tracy Fox