June 21st, 2005, 08:11 AM
#8
A policy is just that: a general guidance.
When you need to detail it out into specific rules and regulations, dos and don'ts, then you need to implement a Standard Operating Procedure (SOP) that falls within the policy terms.
A policy, by itself, is a template. There are unique environments that require a greater degree of policy flexibility or a more rigid list of limitations. In corporate ICT security policies, for example, there are strict limitations on what files can be shared by and between users within the company's environment and there are limitations on what can be accessed by an employee on the Internet (particularly if there are potential exploits anticipated by the interchange of communications that would be detrimental to corporate security itself).
In military environments, the readily accessible documents or data are classified as "Approved for Public Release" and all others classified as Restricted, Confidential and higher are accessible only to organic (i.e., military members with appropriate clearances) personnel.
A policy defines the parameters or the outer limits that can be applied to any ICT security process. When you codify rules that institute punitive and precautionary procedures and processes, then you're talking of rules and regulations or SOP or manuals of procedures.
Si vis pacem, para bellum!