A security policy is a short document containing a series of statements about all of the organization's security aspects, set at a high level so that it need not change very often. It should not be longer than a couple of pages, in order to hold the audience's interest and improve readability, and it should be easy to understand for people who have no knowledge of ICT. Beneath it sits a set of security baseline standards and procedures that explain in more detail how the policy should be interpreted. This is a larger document that can change over time, although not dramatically, as it does not necessarily handle implementation details. A set of guidelines, to some extent technology-based, deals with implementation, and so that document is adapted as the technology changes.
There is an interaction between writing a policy and doing a risk assessment. The fact that a basic policy exists can demonstrate the concern of the top management for security issues. Once this concern has been expressed, further risk analysis can result in the policy being reviewed and other more detailed documents being composed.
The security policy contains general statements relating to:
Once the necessary documents have been drawn up and published, the next step is to make sure everybody throughout the company knows about the security policy. Having line managers sign self-certifications stating that they have implemented the policy implies an acknowledgement of responsibility. Security in this perspective is much like quality management: it is everybody's business.