Security policies and requirements are drafted to address the risks identified. Security measures are then selected to implement these policies and requirements. All these form part of the security plan. You must include a series of individual statements in a well written set of security policies and requirements. They include:
1. Each statement should be numbered - This allows cross-referencing the requirement statement to implementation features.
2. The statements should be written in a way that we are able to test the implementation to determine whether the requirement is true
3. Make sure to phrase the statement in a positive and specific sense
