Common Issues with Security Policy Implementation

Original Query

Discuss common issues with the implementation of security policies, including possible mitigations to ensure the policy can be enforced.

Common Implementation Issues

Implementing a security policy raises issues of its own. Some of the common ones, as described by Johnson (2014), are organizational structure, fitting policies to leaders, and targeting early adopters. The implementation of the policy has to take into account the type of organization, how large or small it is, and what kind of technology is in use. One leader may present a security policy in a team meeting or town hall, while another leader may take a more hierarchical approach by holding a series of group meetings.

Early Adopter Strategy

Another method to assist in policy implementation or change, as Johnson (2014) points out, is finding an early adopter within the organization. The security team rolls the policy out to that early adopter ahead of the planned rollout, as a pilot and as a way to reduce enforcement problems later. By piloting the policy with a small subset of the organization, the security team can learn about and overcome concerns and objections. Then, when the full rollout occurs, these concerns and objections already have answers or have been worked into the rollout plan by the security team.

Communication and Organizational Culture

Communicating with people, rather than treating them like a box on an organizational chart, is another important way to ensure policies are accepted and enforced, as Johnson (2014) points out. The security team must listen, accept suggestions, and understand the concerns and apathy of organization team members towards the information security policies that are rolled out.

Changing an organization's culture and users' perceptions of policy implementation is not a one-time event. Releasing security policies does not by itself change attitudes. Cultural change comes from having a clear value message that is demonstrated daily, and culture changes in small increments. A well-planned, step-by-step approach to implementing policies is needed.

Practical Security Awareness Examples

Two examples of security awareness at the offices are physical security training and the clean desk policy. At the end of last year, the organization focused on physical security awareness and brought in a speaker to deliver active aggressor awareness training. The speaker, A.J. DeAndrea, a member of the Jefferson County SWAT Team in Colorado and a first responder at the Columbine High School shooting, talked about how to respond to active aggressors, specifically what to do in the unlikely event of an active shooter.

Clean Desk Campaign

This year the security campaign is focusing on the policy of keeping a clean desk. The organization has laminated cards and placed one on each desk.

On the first half of the card: "This has been sanitized." Security… a team effort and an individual responsibility.

On the second half of the card: Before you leave…

  • Tidy your desk
  • Lock your screen
  • Secure business-sensitive documents

Clean desk – It's a best practice.

The CIO of the company kicked off the 'Clean Desk' campaign. The email outlined that maintaining a clean desk is not only ISO 27001 compliant, but also complies with basic privacy and security principles. The company plans to give awards for the cleanest desk in an area. Security awareness programs like these help drive a culture of change, getting team members to embrace security awareness in everyday activities and to understand the importance of security policies.

References

  • Johnson, M. E. (2014). Information Security Policy Implementation. Discusses organizational factors affecting security policy implementation, including organizational structure, leadership approaches, and early adopter strategies. Available through ResearchGate and academic databases.
  • ISO/IEC 27001. Information Security Management. International standard for information security management systems; includes requirements for clean desk policies and physical security controls. Official ISO standards can be purchased from ISO.org.