Evolving Information and Cybersecurity Policies in 2025: Structure, Maturity, and Emerging Trends

As cyber threats accelerate, Information Systems Security Policies (ISSP) are more critical than ever.

Authored by Jan D'Herdt

As cyber threats accelerate, Information Systems Security Policies (ISSP) are more critical than ever. An ISSP is a strategic document that outlines the principles, objectives, and security measures for an organization’s information systems. It contains high-level, mandatory statements used to define a course of action to govern behavior and address specific systems, methods, or techniques and helps ensure data protection, business continuity, and compliance with legal and regulatory requirements.

A well-designed security policy is key to navigating evolving threats and emerging regulations such as the NIS2 Directive and the Cyber Resilience Act (CRA). Requirements can be sector specific. In healthcare, policies must address compliance requirements and patient data confidentiality, while in finance, policies often focus on fraud prevention and transaction monitoring.

In SANS LDR512: Security Leadership Essentials for Managers, we refer to the Policy Pyramid. Every company has different terminology for the sets of instructions found in the policy pyramid. One large, not-for-profit organization defined the policy pyramid with these terms (Figure 1). Other organizations may decide to use only a few of these instruction sets to govern organizational behaviour. Others might use different terminology.

Effective ISSPs typically include items such as the ones listed below. Specific components may vary by organization or industry requirements.

  • Purpose: A statement describing the reason the policy is being established and any associated goals.
  • Scope: Identifies the depth and breadth of coverage (to whom or what the policy applies). Defines the systems, data, and stakeholders covered.
  • Security Objectives: Addresses core principles such as confidentiality, integrity, and availability.
  • Policy Statement: Outlines what must be done.
  • Governance and Roles: Defines responsibilities using tools like a RACI matrix (Responsible, Accountable, Consulted, Informed).
  • Exception Handling: Specifies how to handle exceptions to the policy.
  • Monitoring and Continuous Improvement: If applicable, includes metrics, KPIs and processes for regular updates.
  • Compliance and Legal Framework: Aligns with industry standards and regulations such as GDPR, NIS2, and ISO/IEC 27001.
  • Related Documents: The often forgotten but extremely useful “References” that are linked to supporting documents for additional context.

How to Know When Your Policy is Due for an Update

It is important to ensure that outdated policies are updated in alignment with the realities of today's threat landscape. Ransomware, supply chain attacks, and artificial intelligence (AI) threats are increasingly prevalent, especially as we’ve embraced a new way of working with cloud-based remote environments. In turn, our policies must address Software-as-a-Service (SaaS), Bring-Your-Own-Device (BYOD), and hybrid work structures.

Consider a scenario where a company still relies on perimeter-based defenses without accounting for remote work. Such a policy would fail to address risks introduced by unsecured home networks or personal devices accessing corporate data. Most organizations have now built environments based on Zero-Trust Architecture (ZTA). This shift marks a move from perimeter-based to identity-centric security. Organizations utilize more third parties, and as a result modern policy must include vendor risk assessments and contractual security requirements to ensure supply chain integrity.

As previously mentioned, the regulatory landscape has also changed. We have a set of new or updated regulatory requirements, such as NIS2, CRA, and sector-specific requirements, which must be addressed. NIS2 imposes stricter obligations on risk management, incident reporting, and governance, with high penalties for non-compliance. The CRA requires a focus on secure-by-design products, impacting manufacturers and software providers. As a result, policies must now include supply chain and product lifecycle considerations.

Lastly, we also have new and changing technology. We see change in cryptography driven by quantum computing, and change driven by the usage of AI. In the case of quantum computing, we will need to prepare for post-quantum encryption. For AI, we will need to add requirements on what data can be used with public or private Generative AI (GenAI) solutions. By now, most organizations have formally established guidance on the usage of AI, or a responsible usage of AI policy. If not, they should do so as soon as possible.

Stages of Policy Maturity

Organizations evolve in their cyber and information security practices through a series of maturity stages. These stages reflect how well these policies are defined, implemented, and integrated into business operations. In the traditional maturity-model style, we can observe five levels.

Figure 2 – Policy Maturity

How to Write and Implement Effective Security Policies

Cybersecurity policies are no longer static documents; they are dynamic and evolve with the threat landscape and business needs. Writing and implementing effective policies requires a strategic, people-centered, and tech-savvy approach.

Start with Business Alignment

An organization’s cybersecurity measures must support its mission. Policies should reflect business priorities, regulatory requirements, and risk tolerance. Involving leadership early ensures alignment and accountability.

Conduct a Risk-Based Assessment

Before drafting policies, assess your assets, threats, and vulnerabilities. Use threat modeling to prioritize what needs protection. Start by reviewing your current policy against recent incidents and regulatory updates. Engage your team in a policy refresh workshop to identify gaps and opportunities.

Develop Clear Policies

Develop policies that are concise and understandable for all employees; avoid ambiguous terms like “shall” and use clear directives such as “must” or “must not”.

Implement with a People-First Mindset

Creating a policy isn’t enough. Train employees regularly using engaging formats that fit the organization’s culture and style. Foster a culture where security is everyone’s responsibility.

Monitor, Audit, and Evolve

Policies are living documents. Use metrics and audits to assess effectiveness. Update regularly based on new threats, business changes, and lessons learned from incidents. Share what you have learned, and why you are updating your policies.

Leverage existing frameworks, research, and work instead of starting from scratch

Writing policies from scratch can be time-consuming, error-prone, and risky. Established frameworks and templates—like those from NIST, ISO/IEC, or CIS—are built on industry best practices, legal standards, and real-world experience. By leveraging these resources, you save time, ensure compliance, and reduce the chance of overlooking critical elements.

The SANS Policy Library created in partnership with the Cyber Risk Foundation (CRF) offers a comprehensive set of customizable templates aligned with industry frameworks like NIST, ISO/IEC, and CIS. Customizing proven templates to fit your organization’s needs is far more efficient than starting from zero. It allows you to focus on implementation and culture, rather than wording and structure. Consider using AI tools to assist in drafting policies—just ensure thorough review before adoption.

Continue Your Journey as a Security Leader

A modern security policy is not just a compliance document—it’s a cornerstone of cyber resilience. If you're ready to deepen your understanding of cybersecurity governance, risk management, and leadership best practices, explore SANS LDR512: Security Leadership Essentials for Managers. This course provides the frameworks, tools, and real-world insights you need to lead with confidence in today’s complex environment.