Which item is not typically part of a security policy framework?

Study for the ASIS Protection of Assets (POA) Security Management Exam. Prepare with multiple choice questions, explanations, and insights. Get ready to excel in your exam!

Multiple Choice

Which item is not typically part of a security policy framework?

Explanation:
Audit trails are records of events and actions used for monitoring, investigation, and accountability. They are a control mechanism that supports enforcement and evidence collection, not a defining element of the policy framework itself. A security policy framework focuses on what must be done and by whom: policy statements express required principles, scope defines where the policy applies, standards specify concrete, measurable requirements, and the procedures and guidelines describe how to implement those standards. While audit trails are essential for governance and compliance, they sit outside the framework’s structure as tools used to verify and enforce the policy rather than as foundational policy components.
