Abstract

Despite the fact that the formulation and use of information security policies are commonly practiced and that organizations devote significant resources to information security management, it is commonplace that the application of a security policy fails to accomplish its goals. For example, policies may be issued but not reviewed to include new regulatory requirements or business process changes, thereby resulting in neglect of legal responsibilities and policies that are outdated. The main objective of this paper is to provide a roadmap for information security policy development which promotes sustainability. The paper investigates current literature on policy development methods and compares the various approaches. Based on the result of the comparison, an Information Security Policy Development Life Cycle (ISP-DLC) is proposed. The proposed life cycle approach will ensure that organizational security policies are comprehensive, effective and sustainable.