Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A policy is a high-level document published by senior management that states intent and direction, defining what must be done to support strategic and security goals.
Policy Definition: A policy is a high-level document published by senior management that states intent and direction, defining what must be done to support strategic and security goals.
Documents published and promulgated by senior management dictating and describing the organization's strategic goals. Policies are high-level statements of management intent, expectations, and direction regarding specific topics. They establish the foundation for an organization's security program, defining what must be done but typically not how to do it. Policies are required by frameworks like ISO 27001, NIST SP 800-53, PCI DSS, and various regulatory requirements. Organizations implement policies through formal documentation, senior leadership approval, regular review cycles, acknowledgment processes, and compliance monitoring. For example, a healthcare organization might establish a comprehensive information security policy suite, including an overarching security policy signed by the CEO, along with supporting policies on data classification, access control, incident response, and acceptable use, each reviewed annually and incorporated into employee training. Related terms: Security policy, Governance, Compliance, Standards, Procedures, Guidelines, Policy framework, Acceptable use policy.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →