An information security policy does NOT usually include

Policy is written at a very high level and is intended to describe the “whats” of information security. Procedures, standards, baselines, and guidelines are the “hows” for implementation of the policy.