What is a security policy lifecycle?

• A. Create policies.
• B. Publish policies.
• C. Create, publish, implement, audit, revise, and retire policies as needed.
• D. Ignore the policy lifecycle.

Answer: (C)

A security policy lifecycle is the ongoing, structured process of managing policies from start to finish. It includes creating policies to address specific risks or requirements, publishing them so everyone knows the rules, implementing them through enforcement and training, auditing or monitoring to verify compliance and effectiveness, revising them in response to new threats, technology changes, or regulatory shifts, and retiring policies when they become obsolete or are replaced. This continuous loop keeps policies current, enforceable, and aligned with organizational goals. Merely creating or publishing a policy isn’t enough—policies must be implemented, checked, updated, and ultimately retired as needed to remain effective.