A Security Policy is a high-level document that defines the organization’s security objectives, scope, roles and responsibilities, and commitment to protecting information assets. Policies are approved by senior management and establish the foundation for all other security documentation. They state what must be done but not how to do it.
Policies are supported by standards (specific mandatory requirements), procedures (step-by-step instructions), and guidelines (recommended practices). This hierarchy allows policies to remain stable while lower-level documents adapt to changing technology and threats.
CISSP Relevance
Domain 1 (Security and Risk Management) covers policy development, policy types, and the documentation hierarchy. Understand the differences among regulatory, advisory, and informative policies. Know how policies establish accountability and provide the authority for security activities. Exam questions test policy components and appropriate scope.
SANS provides policy templates at Information Security Policy Templates.
Related terms: Governance, Security Awareness Training