Policies should specify implementation in detail.

Prepare for the Network Security (NETSEC) 2 Exam. Utilize flashcards and multiple choice questions, complete with hints and detailed explanations. Excel in your security skills!

Multiple Choice

Policies should specify implementation in detail.

Explanation:
Policies establish high-level rules and objectives for security; they define what must be achieved, not how to achieve it. The detailed steps, controls, and configurations that implement those rules belong in procedures and standards, which can be updated as technology and environments change. Keeping implementation details out of policy preserves flexibility, allows tailoring to different systems, and ensures governance can adapt without rewriting the policy. For example, a policy might state that data must be encrypted, but the specific algorithm, key length, and key management practices are defined in a standard or procedure. If policies tried to specify implementation in detail, they would become rigid, harder to maintain, and less portable across diverse environments. Outsourcing concerns who performs the tasks, not the level of detail in the policy, and stating that implementation is required or not is separate from whether the policy should describe the exact steps.

