INFOSEC - Information security policies should be simple

04.04.2006

Policies should be high-level enough to remain relevant over a period of time and need to be "technology-agnostic," Bhimani said. "The point is you can't mandate the use of a specific technology in a policy" without losing the flexibility to accommodate change quickly, he said.

Security policies also need to be easily enforceable to be effective, said Philip Maier, vice president of the information security, emerging technology and network group at Inovant, Visa International Inc.'s IT unit. Therefore, it's a good idea to vet all policies with an enforcement group and subject matter experts to make sure there's a realistic way for them to be enforced, he said.

For multinational companies with global operations, writing security policies that retain the same meaning across different languages can be a challenge, Pask said. A policy written in English, for instance, can often lose some of its original meaning in translation, he said.

Similarly, it's important to recognize that words and phrases that are acceptable in the U.S. can create problems elsewhere, Maier said. Inovant, for instance, had to replace references to "master" and "slave" systems in one of its policy requirements after the words were found to be objectionable by employees in the company's Asian operations, he said.