📖 What is Policy?
A policy is a high-level statement of management’s commitment to information security, outlining principles and expectations. It provides a directional framework for decision-making and establishes acceptable behavior regarding information assets, requiring consistent enforcement across the organization.
"Policies set the ‘what’ and ‘why’ of security. They are supported by standards (the ‘how’) and procedures (step-by-step instructions). The exam will test your ability to differentiate between these elements and understand their hierarchical relationship. Avoid selecting procedures when a policy is required."
📚 Certification: Certified Information Security Manager (CISM)
🔑 What are the Key Concepts of Policy?
- Policies are foundational documents defining acceptable use and risk tolerance, setting the tone for the entire information security program.
- Effective policies are approved by management and communicated to all relevant personnel, ensuring awareness and accountability.
- Policies should be regularly reviewed and updated to reflect changes in the business, technology, and threat landscape.
- Policies are distinct from standards and procedures; policies state *what* is to be done, while standards define *how* and procedures detail *steps*.
- Enforcement of policies is crucial; without consistent enforcement, a policy is merely a statement of intent and lacks practical value.
🎯 How does Policy appear on the CISM Exam?
You may be asked to identify which document – a policy, standard, or procedure – is most appropriate for addressing a high-level risk related to data privacy.
A scenario might describe a security incident caused by a lack of clarity in acceptable use guidelines – you must determine whether the root cause is a policy deficiency.
Expect questions about the correct order of documentation within an information security framework, specifically the hierarchy of policies, standards, and procedures.
❓ Frequently Asked Questions
What’s the difference between a policy and a standard, and why does it matter on the exam?
A policy states *what* needs to be done, while a standard details *how* to achieve it. The exam often tests your ability to distinguish between these, presenting scenarios where choosing the wrong one indicates a misunderstanding of governance.
How often should information security policies be reviewed and updated?
Policies should be reviewed at least annually, or more frequently if there are significant changes to the organization, its technology, or the threat landscape. Failing to keep policies current is a common exam gotcha.
If a procedure is violated, does that automatically mean a policy was broken?
Not necessarily. A procedure violation indicates a failure in execution, but doesn't always mean the underlying policy is flawed. However, repeated procedure violations *can* signal a policy needs revision.