Continue development of the Comprehensive Security Management Plan by adding a section reviewing the security policy. Create a list of each section in the security policy. Some sections in the list are business security requirements that can be decomposed first to more refined requirements and later to detailed security policies in the Security Policy document. This decomposition should be included in the list. These detailed policies do not need to be written, but referenced or indicated as a policy that needs to be written. List each section of the security policy. Include decompositions of business security requirements into policies in this list. For example, a business security requirement for authenticated access might map to policies for log-in access and policies for file access.