What is the purpose of a security policy?

The purpose of a security policy is to establish the rules, responsibilities, and controls that govern information security practices across an organization. It sets who is accountable for safeguarding assets, what behaviors are allowed or forbidden, and which safeguards—such as access controls, encryption, and incident response—must be in place. This creates a formal framework that guides daily decisions, ensures consistency in security activities, and supports compliance with laws and regulations. Because it defines overarching expectations and procedures for all users and systems, it helps foster sound governance, measurable security, and clear accountability. The other options miss the broader governance role and instead focus on procurement, marketing, or only physical access, which do not capture the ongoing framework for protecting information.