A(n) ________ is a statement of what should be done under specific circumstances.

Policies define management's expectations about what should be done under certain circumstances. They are high-level statements that express intent and guide decisions and behavior across the organization, specifying when actions are required and who is responsible. A procedure, by contrast, lays out the exact steps to take to carry out those actions, often in a detailed, sequential format. A policy guidance document provides recommendations for implementing or interpreting policies but isn’t the binding directive itself. An implementation control isn’t the term used for this concept in typical security practice. For example, a policy might state that all remote access requires multifactor authentication; a procedure would describe the specific steps to enroll and use MFA, and a policy guidance document would offer best-practice recommendations for implementing MFA.