About the policy life cycle

Policies are rules established by an organization that are designed to guide their employees. In an IT environment, policies are used to guide the decisions that relate to the management of the IT infrastructure. Policies have an arbitrary hierarchy and may map to one or many control statements.

A policy with no control statements can indicate an unimportant policy or a policy where compliance cannot be monitored. A control statement with no policy can indicate a gap showing noncompliance with one or more regulations.

The following tasks are typical of the life cycle of a policy:

Create a new policy.

See Creating a new policy.
Review the policy.

See Reviewing a policy.
Publish the policy.

See Publishing a policy.
Accept or decline the policy.

See Accepting or declining a policy.
Manage clarifications.

See Managing clarification requests.