How to Write a Cybersecurity Policy That Actually Gets Used

by Mile2 Canada, 4 minutes read, June 17, 2026
How to Write a Cybersecurity Policy That Actually Gets Used — photo by Mikhail Nilov via Pexels

Forty-two per cent of Canadian organizations reported a breach of customer or employee data in 2025 — up from 29 per cent in 2022, according to the 2025 CIRA Cybersecurity Survey. Most of those organizations had a cybersecurity policy on file. The policy was not the problem. The problem was no one followed it, no one enforced it, and no one updated it after the threat environment changed. Writing a cybersecurity policy is not the hard part. Writing one your organization will genuinely use is where most GRC professionals and security leaders fall short.

Why Most Cybersecurity Policies Fail

The most common failure is scope mismatch. A policy written for a 5,000-person government department does not work for a 200-person financial services firm. The controls are disproportionate, the language is bureaucratic, and staff treat the document as a compliance checkbox rather than a guide for action.

The second failure is ownership. When no single person or team owns the policy, no one feels accountable for following it. Policies without owners become documents forgotten in shared drives after the audit closes. The third failure is operational disconnection. Policies written in isolation from the people doing the work — IT staff, operations teams, procurement — produce requirements correct on paper but ignored in practice.

Start With the Right Framework

Before writing a single sentence of policy, your organization needs a framework to build against. For most Canadian organizations, the right starting point is the CCCS Baseline Cyber Security Controls for Small and Medium Organizations, published by the Canadian Centre for Cyber Security (CCCS). This document follows the 80/20 principle — it identifies the controls delivering the greatest security benefit for the least implementation effort. It is the practical foundation for any cybersecurity policy written for a Canadian audience.

Government departments and federal agencies work from ITSG-33, the CCCS’s IT Security Risk Management lifecycle standard. If your organization operates in the federal supply chain or works with National Defence, the Canadian Program for Cyber Security Certification (CPCSC) now sets baseline requirements at Level 1, with defence contracts beginning to require compliance in summer 2026.

If you operate in critical infrastructure — utilities, healthcare, finance, transportation — the CCCS Cyber Security Readiness Goals (CRGs) provide sector-specific guidance organized around six pillars. NIST CSF 2.0 is a useful international reference, but CCCS frameworks take precedence for Canadian-context policy work.

The Core Elements Every Policy Needs

A functional cybersecurity policy is not a catalogue of controls. It is a document answering four questions: what you are protecting, who is responsible for protecting it, what behaviour is required of everyone in the organization, and what happens when something goes wrong.

Start with scope and asset classification. Your policy must state clearly which systems, data, and processes fall under its requirements. Without this, employees do not know when the policy applies to them.

Define roles and responsibilities in plain language. Who owns data? Who approves access? Who declares an incident? These are not abstract governance questions — they determine who picks up the phone at 2 a.m. when a breach is detected. Assign named roles, not generic titles.

Include specific requirements for access control, acceptable use, incident response, and third-party vendor risk. These are the four areas where policy gaps most often lead to breaches. The 2025 CIRA data reinforces this: 74 per cent of organizations hit by ransomware paid the ransom, averaging $25,000 per incident. Many of those incidents traced back to inadequate access controls and unmanaged vendor connections.

Include a breach notification protocol aligned with PIPEDA obligations. Under federal privacy law, your organization must report breaches involving real risk of significant harm to the Office of the Privacy Commissioner and to affected individuals. Your policy should define the internal escalation path, the timeline, and who is authorized to communicate externally.

Write for the People Who Will Use It

Every policy section should answer the question: what does this mean for someone in this role? Write requirements in active voice. State what must happen, not what is advisable or recommended. “Employees must use multi-factor authentication for all remote access” is enforceable. “Employees are encouraged to adopt MFA where feasible” is not.

Keep sections short. A policy taking two hours to read will not be read. Aim for a document your staff absorbs in 20 minutes, with role-specific supplements for IT, HR, and leadership going into greater operational depth.

Build in a Review Cycle

A cybersecurity policy written in 2024 and left unchanged through 2026 is already out of date. The threat environment in Canada has shifted. AI-enabled phishing is now widespread. Supply chain attacks have grown in frequency. Defence contractors face new CPCSC certification timelines. Your policy must have a documented annual review process with a named owner, a review date, and a change log.

Tie review triggers to events, not only calendars. Any significant incident, major technology change, new regulatory requirement, or third-party audit finding should prompt a policy review regardless of when the last scheduled review occurred.

Training Ties the Policy to Daily Behaviour

A policy without training is a document. With training, it becomes an operating standard. Role-based training ensures staff understand what the policy requires of them specifically — not in the abstract. Awareness-level training for general staff and technical training for security and IT teams serve different purposes and must be designed separately.

Professionals responsible for building, managing, or auditing cybersecurity programs need formal credentials to do this work effectively. The Certified Information Security Risk Manager (CISRM) certification builds the skills to assess organizational risk and translate it into policy controls. The Certified Information Systems Security Manager (CISSM) prepares security managers to govern programs, oversee compliance, and communicate policy requirements to leadership and staff. Both are structured, role-based programs aligned to real governance responsibilities.

Your cybersecurity policy will not protect your organization sitting in a folder. Write it to be used. Assign someone to own it. Train your staff on what it requires. Build in the review cycle to keep it current. Those are the standards your organization needs to meet right now.
