This study examines the crafting of an information security policy as a process of legitimising. Drawing on organisational research on legitimacy and legitimisation and on a 15-month ethnographic study of a multinational corporation that sought to craft a new policy, the study identifies four legitimising strategies employed during policy crafting: (1) inviting participation, (2) embedding into existing practices, (3) advertising and (4) formalising and professionalising. The study conceptualises policy crafting as being constituted through an iterative and recursive relationship of legitimising strategies and policy amendments. The study contributes to the literature on information security management, on information security policies and on legitimacy.