Information security policies are a special type of documented business rule that provides instructions for how the organization will protect its information assets. Policies are high-level statements that guide workers who must make present and future decisions. For example, policies define not only what the organization will do today, but also how it will respond in the future to an event such as a breach or an environmental disaster.
Policies are mandatory and can be thought of as the equivalent of organization-specific law. Special approval is required when a worker wishes to take a course of action that is not in compliance with policy. Because compliance is required, policies use definitive words like “must not” or “you must.”