Policies are rules that an organization establishes to guide its employees. In an IT environment, policies guide the decisions that relate to the management of the IT infrastructure. Policies can map to one or many control statements.
A policy with no control statements can indicate an unimportant policy or a policy where compliance cannot be monitored. A control statement with no policy may also indicate a gap showing noncompliance with one or more regulations.
The following tasks are typical of the life cycle of a policy: