
📖 What is Security Policy?

A Security Policy is a high-level document that outlines an organization's security requirements, goals, and overall approach to protecting its assets. It serves as the foundational governance document that mandates security behaviors and provides the authority for all other security controls.

🥋 Sensei Says:

"Policies describe 'what' needs to happen and are usually signed by senior management; they are not meant to be step-by-step technical instructions."

📚 Certification: Certified in Cybersecurity (CC)

🔑 What are the Key Concepts of Security Policy?

  • Senior management approval is essential as it provides the necessary authority and organizational buy-in to enforce security mandates across the company.
  • Policies focus on high-level goals and requirements ('the what') rather than specific technical implementation steps or detailed instructions ('the how').
  • They serve as the foundation for all other security documentation, including standards, guidelines, and procedures, ensuring a consistent security posture.
  • Regular reviews and updates are required to ensure the policy remains aligned with evolving business objectives, legal regulations, and the threat landscape.
  • Policies establish the legal and administrative basis for disciplinary action when employees or contractors fail to comply with security requirements.

🎯 How does Security Policy appear on the CC Exam?

You may be asked to distinguish between a policy, a standard, and a procedure given a specific document excerpt, requiring you to identify the high-level mandate.

A scenario might describe a company failing to enforce security rules; you must identify that a lack of senior management-approved policy is the root cause.

Expect questions where you must determine which document provides the overarching authority for the implementation of specific technical controls like encryption or MFA.

❓ Frequently Asked Questions

What is the practical difference between a security policy and a security procedure?

A policy is a high-level mandate stating 'what' must be done (e.g., 'Passwords must be strong'), while a procedure is a step-by-step guide on 'how' to do it (e.g., 'Click Settings > Change Password').


Why can't a security policy just be written and approved by the IT department?

Policies require senior management approval to ensure they align with business goals and to provide the administrative authority needed to enforce compliance across all departments, not just IT.
