A policy contains high level statements of management intent, where a policy is a formal, authoritative document that articulates an organization's position, expectations and guiding principles on a particular subject (e.g., cybersecurity or privacy):
- Policies are high-level statements of management intent from an organization’s executive leadership that are designed to influence decisions and guide the organization to achieve the desired outcomes.
- Policies are enforced by standards and further implemented by procedures to establish actionable and accountable requirements.
- Policies are a business decision, not a technical one. Technology determines how policies are implemented.
- Policies usually exist to satisfy an external requirement (e.g., law, regulation and/or contract).
