The paper discusses the method of developing and the scope of documentation which describes the security policy in the scope referring to the method of personal data processing and the measures for their protection specified in the Regulation of April 29, 2004, by the Minister of Internal Affairs and Administration as regards personal data processing documentation and technical and organisational conditions which should be fulfilled by devices and computer systems used for personal data processing (Journal of Laws No. 100 item 1024)