Policies are used to establish governance. Without governance, how would your employees know what to do in a given situation? Policies also state intent, for example that the organization will encrypt all laptops or securely dispose of sensitive information. A policy explains why a task is performed without going into detail on how to do it.

Typically, policies are high-level. They are written so that anyone in the organization can review their contents. A policy must also contain nothing sensitive: it should be possible to post it in an open forum without fear of repercussions, which means anyone can read a policy without being required to sign an NDA. Technical specifics such as the encryption algorithm, key length or tooling belong in the standards and procedures that sit beneath the policy, not in the policy itself.

Policies can also define the vocabulary used throughout the rest of the policy set. For example, a policy could state what separation of duties or least privilege means to the organization, so that every standard and procedure below it uses the terms consistently. Remember, the policy does not detail the what or the how; those are left to standards and procedures respectively.

An example of a policy: 100.00-Information Security Policy

