Security policies are the foundation basics of a sound and effective implementation of security. Organizations usually implement technical security solutions without first creating this foundation of policies, standards, guidelines, and procedures. Thus, unintentionally creating unfocused and ineffective security controls. To avoid this, security policies are required.

Now the question is what are security policies? 

Security policy is an overall general statement produced by senior management, a selected policy board, or committee of an organization that dictates what role security plays within that organization. There are certain factors that security policies should follow, namely:

  • Very generic, non-technical and easily understood
  • Provides “missions statement for security”
  • Should represent business objectives
  • Developed to integrate security into ALL business functions and processes
  • Reviewed and modified as company changes
  • Dated and version controlled
  • Forward thinking

There are different types of security policies, namely:

  • Regulatory
  • Advisory
  • Informative

Regulatory: Regulatory policy ensures that the organization is following standards set by specific industry regulations. These policies are security policies that an organization must implement due to compliance, regulation, or other legal requirements. These companies can be financial institutions, public utilities, or some other type of organization that operates in the public interest.

Advisory: Advisory policy strongly advises employees on the behaviors and activities which should and should not take place within the organization. These policies are not mandatary but are strongly suggested, perhaps with serious consequences defined. Failure to follow them will result in consequences such as termination, or a job action warning. A company with such policies wants most employees to consider these policies mandatory.

Informative: Informative policies are policies that exist simply to inform the reader. There are no implied or specified requirements, and the audience of this information could be internal i.e. within the organization or external parties.

These are the various types of security policies. To know more, you can explore our training course on Certified Information Systems Security Professional. Simplilearn offers extensive CISSP classroom training from expert tutors.

About the Author


Chandana is working as a Senior Content Writer in and handles variety of creative writing jobs. She has done M.A. in English Literature from Gauhati University. A PRINCE2 Foundation certified, she has a unique and refreshing style of writing which can engross the readers to devour each sentence of her write-ups.

View More
  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.