A security policy consists of three important components:

The following is an overview of each of the three components of a security policy:

• Governing policy: The governing policy talks about the concept and importance of the security information at a very high level and defines the stance of the organization on security policies. Governing policies are also created in alignment with other company policies, so they support most components of the security policy. The governing policy is mostly read and signed by the management users and it is also agreed to by the end users.
• Technical policy:  These policies are used in most technical aspects of an IT environment and also cover some of the aspects and topics within the governing policy. Examples of technical policies are policies created for the use of an operating system, application, network, and handheld devices, such as mobiles, PDAs, and tablets.
• Guidelines and job aids: Guidelines and job aids are the documentation that offers a step-by-step outline to implement a specific security policy, depending on the analysis. Job aids act as a backup when a user or member of IT leaves the company and none of the intellectual properties are maintained safely. Thus guidelines and job aids help the organization maintain security. An example is a document that explains how to install a software application on an end user machine.