From the course: Certified Information Security Manager (CISM) Cert Prep (2022): 1 Information Security Governance

Security policy framework

- [Instructor] Security professionals do a lot of writing. We need clearly written guidance to help communicate to business leaders and users and each other about security expectations and responsibilities. In some cases, we're setting forth mandatory rules that everyone in the organization must follow, while in other cases, we're simply giving advice. Each of these roles requires communicating a little bit differently; that's where the Security Policy Framework comes into play. Most security professionals recognize a framework consisting of four different types of document: policies, standards, guidelines, and procedures. Security policies are the bedrock documents that provide the foundation for an organization's information security program. They are often developed over a long period of time and are very carefully written to describe an organization's security expectations. Compliance with policies is mandatory and…
