Quiz Entry - updated: 2026.07.14
What types of security policies exist and why are multiple types needed?
Security policies exist at multiple levels — from high-level strategic policy down to detailed technical standards and procedures — because different audiences need different levels of detail.
* Security-policy hierarchy — strategic IS policy (board), tactical topic policies (managers), operational standards (staff). *
The policy hierarchy:
| Level | Document Type | Audience | Content |
|---|---|---|---|
| Strategic | Information Security Policy | Board, executives | Vision, principles, commitment, scope |
| Tactical | Topic-specific policies / concepts | Managers, security team | Access control policy, data classification, incident response |
| Operational | Standards and procedures | IT staff, all employees | Password requirements, backup procedures, hardening guides |
Why multiple levels are needed:
- Executives need high-level direction, not technical details
- Managers need domain-specific guidance to implement in their area
- Technical staff need concrete, actionable instructions
- All employees need clear, simple rules they can follow daily
Dependencies on higher-level documents: Security policies must align with and be derived from:
- Corporate governance and business strategy
- Legal and regulatory requirements (e.g., data protection laws, industry regulations)
- Contractual obligations
Tip: A common mistake is having only a high-level policy with no supporting procedures — or having detailed procedures with no strategic policy to justify them. You need the full pyramid.
Go deeper:
Security policy (Wikipedia EN) — what a security policy defines and how strategic, tactical, and operational levels relate.