To address the "insider" threat to information and information systems, an information security policy is frequently recommended as an organisational measure. However, having a policy in place does not necessarily guarantee information security. Employees' poor compliance with information security policies is a perennial problem for many organisations. It has been shown that approximately half of all security breaches caused by insiders are accidental, which calls into question the usefulness of current information security policies. We therefore propose eight tentative quality criteria to support the formulation of information security policies that are practical from the employees' perspective. These criteria have been developed using practice-based discourse analysis on three information security policy documents from a health care organisation. (C) 2016 Elsevier Ltd. All rights reserved.
Funding agencies: Swedish Civil Contingencies Agency [2011-388]