Presented is an automated policy-provisioning method for a computing system having a service-oriented architecture. The system comprises at least one managed service and at least one policy enforcement point operable to enforce a runtime policy for the service. The method comprises: receiving in machine-readable form at least one semantic rule defining a condition imposed by a business policy; receiving machine-readable data describing a runtime policy enforcement capability of the at least one policy enforcement point; determining based on the at least one rule and the capability whether the at least one policy enforcement point can meet the condition; based on the determination, deriving a runtime policy suitable for enforcing the condition; and communicating the runtime policy to the at least one policy enforcement point.
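The determination and derivation steps described above can be sketched as follows. This is an added example, not code from the original document: the rule fields, control names, PEP names and capability encoding are all assumptions, and the returned per-PEP policy stands in for the communication step (no transport is implemented).

```python
# Added illustration; every name, field and capability key here is hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                 # one condition imposed by a business policy
    rule_id: str
    service: str            # managed service the condition applies to
    control: str            # kind of enforcement required
    minimum: int            # minimum strength the condition demands

@dataclass(frozen=True)
class Pep:                  # policy enforcement point and what it can enforce
    name: str
    services: frozenset     # managed services this PEP fronts
    capabilities: dict      # control -> strongest level it can enforce

def can_meet(rule, pep):
    """Determination step: PEP fronts the service and supports the control
    at the required strength. An unknown control counts as unsupported."""
    return (rule.service in pep.services
            and pep.capabilities.get(rule.control, -1) >= rule.minimum)

def provision(rules, peps):
    """Derive one runtime policy per PEP; return (policies, unmet_rule_ids)."""
    policies, unmet = {}, []
    for rule in rules:
        targets = [p for p in peps if can_meet(rule, p)]
        if not targets:
            unmet.append(rule.rule_id)   # report the gap, never drop it silently
            continue
        for pep in targets:
            entry = policies.setdefault(pep.name, {})
            key = (rule.service, rule.control)
            # Several rules on the same control: enforce the strictest one.
            entry[key] = max(entry.get(key, 0), rule.minimum)
    return policies, unmet

# Constructed sample input.
RULES = [
    Rule("R1", "payments", "encrypt-message", 128),
    Rule("R2", "payments", "encrypt-message", 256),
    Rule("R3", "payments", "authn-factors", 2),
    Rule("R4", "reports", "encrypt-message", 128),
]
PEPS = [
    Pep("gateway-a", frozenset({"payments", "reports"}),
        {"encrypt-message": 256, "authn-factors": 1}),
    Pep("agent-b", frozenset({"reports"}), {"encrypt-message": 128}),
]

if __name__ == "__main__":
    policies, unmet = provision(RULES, PEPS)
    print("runtime policies:", policies)
    print("conditions no PEP can enforce:", unmet)
```

Rules that land in the unmet list are the ones an operator needs to see: a business condition with no capable enforcement point is an unenforced control, not a provisioning success.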