First, a security policy document is usually several documents. For example, an organization might need some or all of the following:
An organization might need many more types of policies in addition to these. However, the first and most important policy is a general risk management policy, which should outline the risks that are unique to your organization. To do this, you must start by defining the assets you are interested in protecting. We deal more with that in the following section, "Why a Security Policy Is Necessary."
A policy may be a single document, but is usually several. Not everyone needs to be concerned with all parts of it, so it often makes sense to break it into pieces. There is no rule for how to divide the policy; do what is right for your organization. The only requirement is that the policy be accessible to users and that the appropriate information be easy to search for. One popular way to publish a policy is on a searchable Web site. This way, when users need to learn about the policy, they can go to a single site and then search for the information they need.