Periodically remind users of the importance of their secure behaviour and what a "secure behaviour" means
The information security policy can be based on a code of conduct, and is centred around confidentiality, integrity and the availability of information within your organization. What do you need to write? What is its role? What does it contain?
Setting the objectives, and then defining and monitoring result indicators, are crucial steps for the management and involvement of staff. These tools should allow you to speak the same language and refer to understandable and well-defined elements.
Ask yourself the following questions:
Are staff knowledgeable about this topic? Do staff know what they need to do, or can(not) do? How do staff use this policy with suppliers?