Effective and risk-free operation of modern information systems relies heavily on security practices and overall information security management. Organizations usually perform risk analysis in order to adjust their security practices and controls to an acceptable level of risk. One of the outputs of a risk analysis is a set of recommended practices expressed as high-level statements in natural language. To be applied in the real world, those requirements must be technically implemented in a way that is tailored to the specific organizational context. This is usually performed by experienced individuals. For this technical implementation and the configuration of the information technology facilities, several formal policy languages exist, which define access control policies, roles and responsibilities. This paper describes requirements for a software tool that could assist in the transition from high-level security requirements to a formal, well-defined policy language. Such a tool would provide valuable assistance and support in both policy implementation and overall security management.