Policy

High-level management directives that set security expectations and requirements.

A policy is a high-level management directive that sets security expectations and intent. It sits at the top of the document hierarchy: policy says what and why, standards say how strictly (mandatory specifics), procedures give step-by-step instructions, and guidelines offer advisory recommendations. Policies are approved by leadership, give the program its authority, and are reviewed at least annually.
