Estimated time: 15 min

Justification

Before starting the activities that produce documents containing security policies and directives, it is very important that the participants understand what these are and what they are for: this reduces errors, improves the flow of the activities and engages the participants better. The purpose of this activity is to introduce the concepts of security policies and directives.

Unlike other activities in this manual, this one is mainly expository and less interactive. To the extent that the facilitator feels comfortable, it is recommended to design an activity that introduces the concepts in a more participatory way.

Products

Indirect

  • Team knowledge of the concepts of security policies and directives.

Previous planning

  • Prepare any audiovisual material that may be needed, such as presentations, videos or handouts covering the concepts addressed and/or examples of them.

Instructions

  1. Present the concept of security policy to the group:

    Security policy: A formal document that collects the security strategies an organization adopts in specific areas of its operations. It provides an overview of the organization’s security status, the objectives it pursues in terms of security, and the criteria used to decide on possible exceptions to the policy or on actions to be taken in situations beyond the current scope of the document.

    This concept can be proposed as the union of several ideas:

    • It is a written document.
    • Describes security objectives and strategies.
    • It must cover as many cases as possible in the areas that define it.

    In addition to these considerations, security policies should be aligned with the mission and vision of the organization, so that they can be applied for long periods of time without requiring major changes. It is normal for a policy to be reviewed only when one of these conditions is met:

    • A long period of time has passed since its last review, normally on the order of years (e.g., every 3 to 5 years).
    • There was a security incident which clearly showed that the policy is not effective in a certain scenario and must be reformulated to better face future risks.
    • There was a significant change in the mission and vision of the organization and the policy should be refreshed to adapt to the change in operations.

    Security policies must be respected by all members of the organization. For this reason, it is important that those in charge of management and operations are involved in the process, approve the policies and support compliance with them in day-to-day operations.

  2. Present the concept of security directive to the group:

    Security directive: A set of specific rules followed by the work team and its relevant allies to implement the security policies in daily work. Directives can be specific about the use of particular tools and equipment, and they change more frequently over time.

    This concept can be proposed as the union of several ideas:

    • They are specific rules.
    • Their purpose is to support compliance with the policies.
    • They relate to day-to-day processes.

    Since security directives depend much more on the technologies and practices in common use, they are designed to be reviewed and changed far more frequently than policies. As a general guide, it is suggested to review the directives when any of these conditions is met:

    • Enough time has passed that some security practices can be questioned or improved thanks to new discoveries or updates; for example, when a critical vulnerability is discovered in a tool, or when a new product emerges that improves the organization’s processes and is therefore desirable to adopt. These intervals are normally measured in months (e.g., every 3 to 12 months).
    • There were changes to the security policies, including changes resulting from security incidents that affect the policy in question.

    In general, security directives use clear instructional language that specifies concrete actions to take in given scenarios, for example:

    • Information X is transmitted only through these channels: …
    • It is not allowed to use device Y to store highly sensitive information.
    • Information Z may be transmitted through channel W under the following conditions: …

    The notable differences between security policies and directives are:

    • Their scope: policies are general, directives are specific.
    • Their dependence: security directives are part of (and derive from) the security policies.
    • Their evolution over time: security policies generally change on the order of years, security directives on the order of months.

    In many information security reference frameworks, the concept presented here as a security directive appears under other documents or names, which may cause confusion when consulting other literature. The most important thing when adapting the concept is to understand that a directive consists of clear instructions for carrying out a given action in compliance with the security policies. In this manual the concept of a directive is abstracted in this way to build a model that is quick to understand and easy to facilitate for the target groups.

Closure of the activity

In this training activity the concepts of security policy and security directive were explored rigorously, which will allow the group to progress effectively through the following activities.

References