Layered Security Policy
A layered approach defines three levels of security policies. The top layer is a high-level document containing the controller’s policy statement. The next layer is a more detailed document that sets out the controls that will be implemented to achieve the policy statements. The third layer is the most detailed and contains the operating procedures, which explain how the policy statements will be achieved in practice.
Reference(s) in IAPP Certification Textbooks: E152-153