Which statement best describes the relationship between policies and operations?

Policies set the rules and expectations that guide how work is done and how it’s checked. When a policy specifies what must be protected and how, it directly shapes implementation—the day-to-day controls, procedures, and configurations teams put in place to meet those rules. At the same time, it drives oversight—how compliance is measured, audited, and enforced to ensure the rules are followed. In short, a solid policy creates the blueprint for both executing security measures and verifying that they’re effective, so it’s most accurate to say policies drive both implementation and oversight. For example, a data protection policy will lead to encryption and access controls being implemented, and to regular reviews and audits confirming those protections remain in place.