View our 2018 and 2019 listing of information security (infosec) / cyber security training courses, events and conferences from around the world that are associated with (Information Security) Policies and Procedures.
A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and is implemented as a procedure or protocol. Policies are generally adopted by a governance body within an organization.
Information security policies are high-level plans that describe the goals of the procedures. Policies are not guidelines or standards, nor are they procedures or controls. Policies describe security in general terms, not specifics. They provide the blueprints for an overall security program just as a specification defines your next product.
Questions always arise when people are told that procedures are not part of policies. Procedures are implementation details; a policy is a statement of the goals to be achieved by procedures. General terms are used to describe security policies so that the policy does not get in the way of the implementation.