What is a security policy?

Q: What is a security policy?

A security policy is a formal document that defines an organization's security requirements, rules, and responsibilities.

D1 · General · CompTIA Security+ SY0-701

A security policy is a high-level formal document that defines an organization's overall approach to information security — articulating management's intent, security requirements, roles and responsibilities, and the consequences of non-compliance.

Policy hierarchy: Policy (high-level, why) → Standard (specific requirements, what) → Guideline (recommendations, how — optional) → Procedure (step-by-step instructions, how exactly).

Examples: Acceptable Use Policy (AUP), Password Policy, Data Classification Policy, BYOD Policy.

Know the policy hierarchy: Policy → Standard → Guideline → Procedure. Policies are mandatory (enforced). Guidelines are recommendations (optional). An AUP defines acceptable use of company systems and is typically required of all employees. Security policies must be reviewed and updated regularly.

← Back to Glossary Practice Questions →

What is a security policy?

// Related Terms