A policy hierarchy organises ISMS documentation into layers that build on one another. At the top sits the information-security policy, which defines principles and responsibilities. Below it are topic-specific policies (e.g. access control, cryptography). The lowest layer contains operational procedures and checklists. Each layer refines the one above. This ensures consistency and prevents contradictions between documents. During an audit the auditor checks whether the hierarchy is complete and whether operational instructions genuinely derive from the higher-level policies.