An organization is requesting assistance to create a security policy. The organization may or may not have already undergone a security assessment.
Edit me

Organizational Security Policy

Basic guide to help organizations create and implement a security policy


Organizations, especially small ones, often lack written or formal security policies. Because these organizations already exist and do work, they will most likely already have informal practices and policies across the organization. Our aim is to conduct a security assessment in order to better understand their risks and existing work and informal practices, and help them create their own security policies to capture these practices.


First schedule a call with the client and perform a light-weight security assessment with the organization following Article #200.

Once you have conducted the assessment and noted the biggest concerns with the organization, together with the point person of the organization use the following templates to create a draft policy adapted to their priorities:

If the group your working with is not a formal organization, but a grassroots group of volunteers, you might find the template for activists more helpful as a starting point: - Markdown on - .odt on

It is important to note that such a big document can be intimidating to the organization, so incident handlers should follow up closely with the client to clear any doubts and concerns. Consider whether sending the full document at once or if it is better to work on one section at a time and only add more when the previous sections are clear.

When the policy document has reached a satisfactory state, schedule a call with the client to review the full document one last time and make sure they understand and have the means to implement the policies.


Follow the development of SOAP, an organizational security policy generator currently in beta.

Review Safe and Documented for Activism manual (available in English and Spanish), which includes activities to facilitate and generate organizational security policies with organizations.