Communicating the existence of new policies and changes to existing ones is a critical part of policy lifecycle management. This piece explains the importance of developing and implementing a policy communication plan with clear, concise language that includes multiple communication channels and is tailored to the audience.
Policies and standards should be regularly updated to address the changing nature of business and technology threats. But when these documents change, it’s also important to communicate these changes in a way employees can easily understand. A communication plan can help ensure the right messages get to the right people in a timely and efficient manner.
Clear communication about a new or changing policy starts with a clearly written policy or standard. Documents should be easy to read and understand, which means using clear language and avoiding technical jargon. Requirements should be unambiguous, measurable and actionable. A few components of a well-written policy include:
Don’t forget there may be important considerations when implementing a policy or standard, including legacy technology or budget and resource constraints. A well-crafted policy helps employees understand their role in securing the organization, but it also aligns with realistic implementation expectations and timeframes. Ensure you have an exception process that allows for these situations but also informs senior management where policy has not been implemented. Too many exceptions may mean a policy is over-restrictive or unrealistic.
While you may think the policy itself can serve as the primary communication, this usually is not the case. Policies can be lengthy and full of boilerplate language that can be difficult for people to quickly understand and digest. If policies are updated frequently, it may also be hard for employees to keep track of changes. A more effective approach is to develop a communication plan that details which employees you will communicate with, what you will say to them and what method you will use to
A communication plan helps ensure timely and efficient dissemination of information and can help prevent misunderstandings among departments or individuals. A clear and structured process also helps ensure the right people understand new or changing requirements as quickly as possible.
A good communication plan considers:
After a policy has been communicated, establish metrics to measure whether employees understand the requirements and are compliant. This can be done through surveys, focus groups or exception requests.
Communication with large groups of employees can be challenging. Many people have busy schedules and other requirements they need to follow to perform their jobs effectively. Start by storing policies in a central location so employees can find them easily. This could be on the company’s intranet site, shared drive or policy library. Many GRC tools provide policy libraries for storing and distributing documents, and they can also help with version
Other common issues include:
By clearly articulating expectations, policy owners can help ensure employees are informed about policy updates and can easily access the information they need.
Communicating policy changes is an important part of policy lifecycle management. Take the time to develop and implement a communication plan with clear, concise language that includes multiple communication channels. To be the most effective, remember