Quality, Expert-Derived Cybersecurity Documentation To Keep Organizations Secure, Compliant & Resilient - No AI Slop!
Secure Controls Framework
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Cart
Start Here
Products
Bundles
Updates
Reasons To Buy
Certification Options
Home
FAQ
What are policies?

What are policies?

Direct Answer

Policies are high-level statements of management intent, outlining what must be done and why, without detailing exactly step-by-step how.

In general, policies:

  • Influence decisions and guide the organization to achieve the desired outcomes; and
  • Are enforced by standards and are further implemented by procedures to establish actionable and accountable requirements.

Characteristics of strong policies:

  • Endorsed by leadership (C-suite or board);
  • Clearly articulate purpose, scope, responsibilities and objectives; and
  • Serve as foundational mandates, where supporting cybersecurity standards and procedures provide the means to implement the cybersecurity policies.

Unfortunately, for many IT/cybersecurity professionals, when they refer to a “policy” they really mean “standard.” This common misuse of critical documentation components can create a significant amount of confusion, since they are not interchangeable terms. Standards are subordinate to policies and they address the granular requirements needed to satisfy a policy. Therefore, a 1-3 sentence policy statement is acceptable to capture a “high-level statement of management intent” for a specific domain.

  • It is expected to have multiple policies to address cybersecurity and data privacy needs (e.g., access control, data handling, etc.);
  • Policies address the strategic needs of the organization; and
  • There is never a justifiable reason to have an exception to a policy. Exceptions should only be at the standard or procedure level.
Keep Exploring

Relevant ComplianceForge Resources

References

Authoritative Sources