[14] Organizational Security Policy
By: Prasanna
Topic: Organizational Security Policy
Domain: D1 - Security and Risk Management
Tags: #cissp
Definition
An organizational security policy is a high-level document that defines the organization's security expectations, acceptable use, roles, and enforcement approach. It should be reviewed whenever the business changes materially.
Key Points
- Policies set direction and define mandatory requirements.
- Standards and procedures translate policy into technical and operational controls.
- Policies should define roles, responsibilities, exceptions, and consequences of non-compliance.
- They provide the foundation for audits, risk management, and regulatory alignment.
CISSP Insight
- A policy is only effective when it is approved, communicated, and enforced.
- Security governance depends on policy clarity and leadership support.
Key Difference / Trap
- Policy vs Standard vs Procedure
  - Policy = high-level requirement
  - Standard = specific technical or operational expectation
  - Procedure = step-by-step implementation guidance
- A written policy without enforcement is not enough
Example
An organization publishes an Acceptable Use Policy that requires MFA for administrative access, prohibits unauthorized software, and defines monitoring and disciplinary actions.
References
- NIST SP 800-12, Introduction to Information Security
- ISO/IEC 27001:2022, Annex A 5.1 and 5.2
- ISC2 CISSP CBK, Domain 1
Quick Recall
- Policy = rule and expectation
- Standard = benchmark
- Procedure = how to do it