

What is Policy?

Understanding Policy

Documents published and promulgated by senior management, dictating and describing the organization's strategic goals. Policies are high-level statements of management intent, expectations, and direction regarding specific topics. They establish the foundation for an organization's security program, defining what must be done but typically not how to do it. Policies are required by frameworks such as ISO 27001, NIST SP 800-53, and PCI DSS, and by various regulatory requirements. Organizations implement policies through formal documentation, senior leadership approval, regular review cycles, acknowledgment processes, and compliance monitoring.

For example, a healthcare organization might establish a comprehensive information security policy suite: an overarching security policy signed by the CEO, along with supporting policies on data classification, access control, incident response, and acceptable use, each reviewed annually and incorporated into employee training.

Related terms: Security policy, Governance, Compliance, Standards, Procedures, Guidelines, Policy framework, Acceptable use policy.
