A security policy is a high-level document that outlines an organization's approach to protecting its assets, including data, systems, and personnel. It establishes the framework for security controls and procedures, defining roles, responsibilities, and expected behavior. While security policies may include specific guidelines and procedures, their primary purpose is to provide overarching guidance and direction for the organization's security posture. Incident response plans, access control lists, and encryption standards are examples of more specific security controls that are typically guided by the security policy but are not the primary purpose of the policy itself.