Classification of Security Policies

Rhodes-Ousley (2013) classifies security policies into three elementary categories namely: Regulatory policies, advisory policies and informative policies (p.111). Irrespective of the category, security policies can only be effective if they are short and easy to understand.

Regulatory policies

Regulatory policies are put in place to aid the assessment and compliance process. These policies are sequences or groups of lawful statements that dictate what should be done, who should do it and why it should be done (Tipton & Krause, 2007, p.485). Most strict rules and regulations that call for strict compliance among stakeholders are classified under this category.

Advisory policies

Advisory policies are regulations set to direct or counsel parties or individuals facing a specific situation. The policies target subjects of computer system policies, network policies, and security policies and provide them a step by step approach to follow in the course of certain situations. These policies help stakeholders interact with existing guidelines and policies since they are centered on best practices.

Informative policies

Informative policies are prescribed to a specific group of people or department. These policies are created to fill the gap that the regulatory and advisory policies might have left. Failure to adhere to informative policies does not subject one to punishment or penalty. Although these policies are not prescribed seriously, they may carry an important message or warning.


Rhodes-Ousley, M. (2013). Information Security: The Complete Reference (2nd ed.). New York, NY: McGraw-Hill.

Tipton, H. and Krause, M. (2007). Information Security Management Handbook ((ISC) 2 Press; 27). 6th ed. Broken Sound Parkway, NW: Auerbach Publications.

Related Questions:

Explain Computer Policies and Provide an Example of One

Explain the Different Security Positions Within Information Security

Explain What a Security Incident Response Team Handles