diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
index f6a92fec98..97c5b21d03 100644
--- a/xml/security_cryptopolicy.xml
+++ b/xml/security_cryptopolicy.xml
@@ -114,7 +114,7 @@
       policies, therefore see the man page of
       <command>crypto-policies</command>. All predefined policies are located
       in
-      <filename>/usr/share/crypto-policies/policies<replaceable>NAME</replaceable>.pol</filename>
+      <filename>/usr/share/crypto-policies/policies/<replaceable>NAME</replaceable>.pol</filename>
       and are read-only.
     </para>
   </sect1>
@@ -178,8 +178,8 @@
       <filename>/usr/share/crypto-policies/policies/modules</filename>.
       However, your own subpolicies need to be stored in
       <filename>/etc/crypto-policies/policies/modules</filename> (unless they
-      are packaged) . The name of the subpolicy file must be
-      <replaceable>MODULE</replaceable>.pmod, where
+      are packaged). The name of the subpolicy file must be
+      <filename><replaceable>MODULE</replaceable>.pmod</filename>, where
       <replaceable>MODULE</replaceable> is the name of the subpolicy. It needs
       to be spelled in uppercase letters and without spaces.
     </para>
@@ -216,7 +216,6 @@
             Assuming the current system-wide policy is
             <literal>DEFAULT</literal> and you want to apply the newly created
             subpolicy to <literal>DEFAULT</literal>:
-            command:
           </para>
 <screen>&prompt.root;<command>update-crypto-policies --set DEFAULT:NO-RSA-PSK</command></screen>
         </step>
@@ -226,17 +225,79 @@
             <literal>DEFAULT</literal>:
           </para>
 <screen><command>update-crypto-policies --show</command>
-          DEFAULT:NO-RSA-PSK</screen>
+DEFAULT:NO-RSA-PSK</screen>
         </step>
         <step>
           <para>
             Reboot the system to apply the system-wide policy adjustment to the
-            applications.
+            applications:
           </para>
+<screen>&prompt.root;<command>reboot</command></screen>
         </step>
       </procedure>
     </example>
+  </sect1>
+  <sect1>
+    <title>Creating a new policy from scratch</title>
+
+    <para>
+      Instead of customizing an existing crypto-policy with a subpolicy you can
+      also decide to write a new policy from scratch. You can use any of the
+      predefined policies in
+      <filename>/usr/share/crypto-policies/policies/</filename> as a starting
+      point. However, your own policy file needs to be stored in
+      <filename>/etc/crypto-policies/policies/</filename>. Name your file
+      <filename><replaceable>MY_POLICY</replaceable>.pol</filename>, where
+      <replaceable>MY_POLICY</replaceable> is the name of the policy. Make sure
+      it is owned by &rootuser; and is not writable by non-privileged users.
+    </para>
 
-    <!--todo: add another section how to create a new policy from scratch-->
+    <example xml:id="ex-crypto-policy-custom">
+      <title>Creating a new policy and applying it</title>
+      <para>
+        The following example shows you how to create a new policy based on the
+        <literal>DEFAULT</literal> policy.
+      </para>
+      <procedure>
+        <step>
+          <para>
+            Copy the <literal>DEFAULT</literal> policy to
+            <filename>/etc/crypto-policies/policies/</filename> and rename it:
+          </para>
+<screen>cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/<replaceable>MY_POLICY</replaceable>.pol</screen>
+        </step>
+        <step>
+          <para>
+            Edit the policy as desired and save it.
+          </para>
+        </step>
+        <step>
+          <para>
+            Switch the system to the new policy:
+          </para>
+<screen>&prompt.root;<command>update-crypto-policies --set MY_POLICY</command></screen>
+        </step>
+        <step>
+          <para>
+            Reboot the system to apply the new policy to the
+            applications and running services:
+          </para>
+<screen>&prompt.root;<command>reboot</command></screen>
+        </step>
+        <step>
+          <para>
+            Double-check if the policy is active:
+          </para>
+<screen><command>update-crypto-policies --show</command>
+MY_POLICY</screen>
+        </step>
+        <step>
+          <para>
+            Reboot the system to apply the system-wide policy adjustment to the
+            applications.
+          </para>
+        </step>
+      </procedure>
+    </example>
   </sect1>
 </chapter>