Let’s be honest. Most employees don’t read your cyber security or privacy policies. Some don’t even know they exist. Others nod earnestly during onboarding, click “I agree” without reading a word, and then promptly go back to doing things exactly the way they always have.
Sound familiar?
Here’s the brutal truth: if your policies are aspirational (i.e. filled with lofty intentions and idealistic language that bears no resemblance to what your people actually do), then they’re not helping. In fact, they might be making things worse.
A good policy isn’t about what you wish your team were doing. It’s about what they’re actually doing—right now, today. And if what they’re doing isn’t quite up to scratch, then that’s your starting point.
Write it down. All of it. Even the bits that make you cringe a little.
Because once you’ve documented the reality, you’ve got something solid to work with. Something you can improve. And that, folks, is the heart of a proper compliance program.
It’s also the essence of ISO 27001 and other international standards. They’re not demanding perfection. They’re asking for honesty, documentation and, most importantly, continuous improvement. So, if your team currently stores passwords on Post-it notes, don’t try to spin it into a policy about best-practice secure credential management. Document the Post-it notes (yes, really), and then work towards something better over time.
People resist policies for a few reasons:
So, here’s the fix: write policies that are real. That reflect existing practices. That use plain language. And that make it easy for people to comply.
No one wants to wade through paragraphs of regulatory jargon to find out how to send a secure email. If your policy reads like it was drafted by a lawyer with a thesaurus and a grudge, it’s time to rethink your approach.
Here’s a radical idea: ask your people what they’re doing before you write the policy.
Your IT lead, your HR team, the person at reception who’s been quietly holding your business together since 2009—talk to them. Find out what’s working, what’s not, and what shortcuts they’ve had to invent just to get their job done.
Then, use that insight to build your policy. Not the other way around.
Once it’s drafted, don’t send it around with a bland “please review and provide comments” email. That’s a surefire way to make sure no one reads it. Instead, hold short workshops. Get teams involved. Run scenarios. Bake it into real-life use cases and let people see how it applies to their actual roles.
If something needs changing, that’s fine. If your incident response process is more ‘reactive chaos’ than ‘structured flowchart’, acknowledge it. Note the gap. Then work with your team to improve it over time.
Trying to leap from chaos to perfection in one policy update never works. What does work? Incremental change, clearly communicated, with everyone on board. That’s the kind of progress that sticks.
At de.iterate, we help companies build better privacy and security practices by starting from the ground up. No fluff, no wishful thinking, just real, usable, standards-aligned processes that people will actually adopt.
Our platform makes it easy to version-control your policies, track who’s read them (and who hasn’t), and map them directly to compliance frameworks like ISO 27001.
Because in the end, the best policy in the world means nothing if it lives in a forgotten folder, unloved and unread.
Let de.iterate help you document the real, improve it over time, and stay compliant while you’re at it.
Book a demo or email us at hello@deiterate.com.