Information security policies (ISP) can be seen as a collection of rules, principles, or guidelines that steer the information security actions in organizations. The literature on ISP development discusses ISP from three viewpoints—content, method, and context—which together form the basis of an organization-specific ISP development method. However, previous approaches do not combine these dimensions on a practical level. This article applies Hare’s (1981) theory of critical thinking in a method to support the decision-making needed in ISP development. A list of critical considerations for the ISP development process was created and applied in an action research project. The objective of informed decision-making was realized by creating a method that systematically gathers knowledge of the target organization before selecting rules for it. Supporting critical thinking in the ISP development process resulted in an organization-specific policy.