LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What types of security policies exist and why are multiple types needed?

Security policies exist at multiple levels — from high-level strategic policy down to detailed technical standards and procedures — because different audiences need different levels of detail.

Three-tier policy pyramid: strategic, tactical, operational.

* Security-policy hierarchy — strategic IS policy (board), tactical topic policies (managers), operational standards (staff). *

The policy hierarchy:

Level Document Type Audience Content
Strategic Information Security Policy Board, executives Vision, principles, commitment, scope
Tactical Topic-specific policies / concepts Managers, security team Access control policy, data classification, incident response
Operational Standards and procedures IT staff, all employees Password requirements, backup procedures, hardening guides

Why multiple levels are needed:

  • Executives need high-level direction, not technical details
  • Managers need domain-specific guidance to implement in their area
  • Technical staff need concrete, actionable instructions
  • All employees need clear, simple rules they can follow daily

Dependencies on higher-level documents: Security policies must align with and be derived from:

  • Corporate governance and business strategy
  • Legal and regulatory requirements (e.g., data protection laws, industry regulations)
  • Contractual obligations

Tip: A common mistake is having only a high-level policy with no supporting procedures — or having detailed procedures with no strategic policy to justify them. You need the full pyramid.

Go deeper:

From Quiz: ISM / ISM Intro & Repetition | Updated: Jul 14, 2026