Security Policy

Origin & evolution

The discipline of a formal, top-level security policy was codified by ISO/IEC 27001, the international standard for an Information Security Management System (ISMS). The standard requires top management to establish a documented information security policy that sets direction and is reviewed at planned intervals, with Annex A enumerating the controls an organisation selects to support it. The 2022 revision reorganised those controls into 93 entries across four themes🎨ThemeProduct SpecificationA strategic grouping of related featuresView reference →, which sharpened the line between the policy that states intent and the controls that realise it.

The American lineage runs through NIST. The NIST Cybersecurity Framework organises security around five functions, Identify, Protect, Detect, Respond, and Recover, and unlike ISO 27001 it offers no certification🏵️CertificationCustomer EducationA certification programView reference →; it guides rather than certifies. Many organisations now run both, using the framework to gauge maturity and the standard to formalise and certify the management system (OneTrust).

Practice has converged on a layered document set: a short governing policy, supporting standards that fix specific parameters such as minimum key lengths, and procedures that say how to carry the work out. The policy changes rarely. The standards and procedures beneath it move as technology does.

How it works in practice

A fintech preparing for certification writes a policy clause: "All access to systems holding customer financial data must be role-based, multi-factor, and logged." That single sentence cascades. It mandates an access control that enforces least privilege, an MFA control on every relevant login, and an audit logging control that records each access event. When the certification auditor arrives, they read the policy first, then ask for evidence🔎EvidenceValidationData supporting or refuting a hypothesisView reference → that each mandated control operated. A clause with no enforcing control becomes a finding. A control with no policy behind it has no authority and can be switched off by anyone with a reason. The policy is what makes the controls non-negotiable.

Security policy vs. its neighbours

• Security control🎚️Security ControlSecurityA security control or mitigationView reference → is the enforcing mechanism: the firewall rule, the encryption setting, the review gate🚥Review GateWorkflows & AgentsA human review checkpoint in a workflowView reference →. The policy mandates controls and decides which ones are in scope. The policy declares the rule; the control makes it true.
• Access policy🔑Access PolicySecurityAn access control policyView reference → is a specific kind of rule about who may reach what, under which conditions. It is narrower in scope than the overarching security policy and is usually defined by it, covering one domain (authorisation) rather than the whole programme.
• Compliance framework🏟️Compliance FrameworkComplianceA compliance framework (SOC 2, GDPR, etc.)View reference → is external: SOC 2, ISO 27001, HIPAA. The framework supplies the bar an auditor measures against; the security policy is the organisation's own answer to that bar, written in its own voice and binding on its own people.

In the graph

In the Unified Product Graph, a security policy lives in the security region as the source of governance. The product connects to it through product_governed_by_security_policyProductgoverned bySecurity Policyhierarchy, which makes the rule set an explicit, queryable property of the product rather than a PDF in a drawer. From there the policy radiates control: security_policy_mandates_security_controlSecurity PolicymandatesSecurity Controlhierarchy ties each clause to the mechanism that enforces it, and security_policy_defines_access_policySecurity PolicydefinesAccess Policyhierarchy carves out the access rules it owns. That structure encodes the central distinction: policy mandates, controls enforce. A mandated control with no enforcing node, or a policy clause connected to nothing, shows up as a gap the graph can name.