Mastering Mandates: The Power of 'Shall, Will, Should' in Security Policies

The policy statement is the core of the cybersecurity policy document. It is the policy statement that provides the direction, requirement, or order for the minimum security controls of systems and the behaviors of people. Therefore, it is paramount to craft the policy statement in clear and concise language.

In this article I address the use of the terms: shall, should, will, and must.

Information security policies are a collection of requirements for the organization, organizational roles, and information systems. Policy statements, as the embodiment of these requirements, need to use mandatory terms. Although many terms have been used throughout information security policies in the industry, it is strongly recommended that use of terms be limited to a defined and clear set used consistently throughout the document. The following terms are recommended:

  • Shall – This term is used to indicate a requirement, meaning that it must be implemented. Statements that use the term “shall” are mandatory requirements and are verifiable in a contractual relationship. In many circles (including the ISO community) statements without the word “shall” are not requirements.
  • Will – This term is used to indicate a statement of fact, or of something that will be true in the future. Statements that use the term “will” are not verifiable in a contract, as they are simply a statement of fact (i.e., it is already happening). Limit the use of this term to conditions that are already in place. For example, if a background check is currently run for all employees, it is acceptable to use the statement: “Background checks will be performed on all employees as part of the screening process.” Be aware that the use of the term “will” does not indicate a requirement and is therefore not verifiable in a contractual relationship.
  • Should – This term is used to indicate a non-mandatory goal that is to be addressed but not formally verified. In general, policy statements would not contain the term “should” because it is not a requirement. However, there are sometimes important issues that are not verifiable that you still want to convey to the audience. For example, requiring the application of system engineering principles throughout the lifecycle of an information system is a difficult statement to verify, yet it is still an important issue that needs to be communicated. Therefore it would be appropriate to use the term “should” in the policy statement, e.g., “The organization should apply information system engineering principles in the specification, design, development, implementation, and modification of the information system.”
  • Avoid the term “Must” – The term “must” is generally intended to have the same definition as “shall”, but contractually the term “shall” is the generally accepted one. In fact, the term “shall” has been held up in court, whereas the term “must” has not. One of the meanings of the term “must” is synonymous with “ought” and “should”. Yes, the term “must” sounds stronger and more natural than the term “shall”, but when writing policy statements stick with the terms “shall”, “will”, and “should”.

Douglas Lomsdalen

Cyber Consultant * Adjunct Faculty * ISC2 CC * CMMC-AB RP * IT Leader * Leadership & Management Development * Cybersecurity Mentor * Change Management * ITILv3

3 months

Very helpful descriptions, thanks Doug Landoll.
