Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Policy

Training Camp • Cybersecurity Glossary

What is Policy?

A policy is a high-level document published by senior management that states intent and direction, defining what must be done to support strategic and security goals.

Glossary > Governance, Risk & Compliance > Policy

Understanding Policy

Documents published and promulgated by senior management dictating and describing the organization's strategic goals. Policies are high-level statements of management intent, expectations, and direction regarding specific topics. They establish the foundation for an organization's security program, defining what must be done but typically not how to do it. Policies are required by frameworks like ISO 27001, NIST SP 800-53, PCI DSS, and various regulatory requirements. Organizations implement policies through formal documentation, senior leadership approval, regular review cycles, acknowledgment processes, and compliance monitoring. For example, a healthcare organization might establish a comprehensive information security policy suite, including an overarching security policy signed by the CEO, along with supporting policies on data classification, access control, incident response, and acceptable use, each reviewed annually and incorporated into employee training. Related terms: Security policy, Governance, Compliance, Standards, Procedures, Guidelines, Policy framework, Acceptable use policy.

Learn More About Policy:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →