What: what is to be protected (the topic)
Who: who is responsible (responsibilities)
Where: where within the organization does the policy reach (scope)
How: how compliance will be monitored (compliance)
When: when does the policy take effect
Why: why the policy was developed
Items 5 (when) and 6 (why) are not usually considered part of the policy text. When a policy is in effect it is normally addressed in the transmittal document. When the policy is published, there is a document that goes with the policy that explains why the policy was developed and when it takes effect. Policies should not contain explanations as to why they were developed or a compliance date.