
1.6 Domain 1 · Security & Risk Management

Security Policy Framework

Develop, document, and implement security policy, standards, procedures, and guidelines

The Concept

Security documentation follows a strict top-down hierarchy. Business objectives drive everything, and the chain flows in one direction: never bottom-up.

Policies — mandatory, management-approved, technology-agnostic (“what”)
Standards — mandatory, measurable, specific (“how much”)
Procedures — mandatory, step-by-step instructions (“how”)
Guidelines — optional, recommendations (“consider this”)
Baselines — minimum configuration requirements (“at least this”)

The critical distinction: policies, standards, and procedures are mandatory. Guidelines are the only optional element. If the exam says “must follow guidelines” — that answer is probably wrong.

At a mature organization, the documentation hierarchy looks like this:

  • Policies — “All sensitive data must be encrypted.” Approved by senior management or the board. Technology-agnostic (doesn’t say AES or RSA). Reviewed annually. Provides the authority for everything below it.
  • Standards — “Encryption must use AES-256. Passwords must be at least 12 characters.” Specific and measurable. Derived from policy. Mandatory for all systems in scope.
  • Procedures — “Step 1: Open the admin console. Step 2: Navigate to encryption settings. Step 3: Select AES-256.” Detailed, step-by-step. Enables consistent execution by anyone following them.
  • Guidelines — “We recommend using a password manager to handle complex passwords.” Advisory only. Not enforceable. Provides best-practice recommendations.
  • Baselines — “All Windows servers must match the CIS Benchmark Level 1 configuration.” Minimum acceptable configuration for a specific platform or system type.

The key relationship: policies provide authority, standards provide specificity, procedures provide repeatability. Without policy, standards have no enforcement mechanism. Without standards, procedures have no measurable target.

Level       Authority                    Specificity                        Example                                  Mandatory?
Policy      Senior management / Board    High-level, technology-agnostic    “All data must be encrypted”             Yes
Standard    Security management          Specific, measurable               “AES-256, 12-char passwords”             Yes
Procedure   Operations / IT              Step-by-step instructions          “Open console, select AES-256…”          Yes
Guideline   Advisory                     Recommendations                    “Consider using a password manager”      No
Baseline    IT / Security operations     Minimum configuration              “CIS Benchmark Level 1”                  Yes
Key Takeaway

If the exam says “must follow guidelines” — it’s probably wrong. Guidelines are the only optional level in the hierarchy. Everything else (policies, standards, procedures, baselines) is mandatory. This is one of the most frequently tested distinctions.


A new compliance auditor is reviewing the software development lifecycle. They find something unusual: the development team has incredibly detailed deployment procedures, but there’s no security policy requiring code review.

Scenario
Procedures Without Policy
Software company · 200 developers · SOC 2 audit
Auditor: “I see detailed deployment procedures, but where’s the policy that mandates code review before production pushes?”
Dev Lead: “We’ve always done code reviews. It’s just how we work. We don’t need a policy — we have the procedures.”
Auditor: “What happens when a senior developer decides to skip the review because of a deadline? What authority do you have to enforce it?”
CISO: “That’s the gap. Procedures without policy have no enforcement authority. If a developer skips code review, we have no policy to point to. No policy = no violation = no consequences.”
Compensating Control

Procedures in a vacuum are just suggestions. Without a policy that says “all code must be reviewed before production deployment,” the procedures describing how to do code review are unenforceable. The hierarchy must be complete from top to bottom.

Real Talk — Career Context

In practice, many organizations have this exact gap. Teams develop good habits through culture, but those habits aren’t documented as policy. This works until someone new joins, a deadline creates pressure, or an auditor asks “show me the policy.” Culture is not a control.

On the exam: When a question describes a gap in the documentation hierarchy, the answer is always to fill the gap from the top down. Missing policy? Create policy first, not more procedures.

An employee violates a security guideline by using personal USB drives at work. Another employee violates a security standard by using passwords under 8 characters. Your manager asks you to apply the same disciplinary action to both.

Option A
Same disciplinary action for both

Treat all security violations equally to send a consistent message. Fairness requires equal treatment.

Option B
Different responses based on document type

Standard violation gets formal action. Guideline violation gets a reminder and education. They’re not the same.

Option B is correct — standards are mandatory, guidelines are not

Option B: Standards are mandatory. Violating a standard is a policy violation that warrants formal disciplinary action. Guidelines are optional recommendations — you cannot formally discipline someone for not following advice. The USB guideline violation should trigger education and a conversation about why the guideline exists, not punishment.

Option A’s kernel of truth: Consistency matters, and both behaviors carry risk. But “consistent” doesn’t mean “identical.” The response should be proportional to the obligation level. Disciplining someone for violating a guideline undermines the credibility of your entire framework.

On the exam: the distinction between mandatory (policy, standard, procedure) and optional (guideline) is tested constantly. If the answer treats guidelines as mandatory, it’s wrong.

“Procedures can exist without policies”
Technically yes, procedures can exist independently. But they have no enforcement authority. On the exam, when procedures exist without supporting policy, the correct answer is always to create the policy first. The hierarchy flows top-down: policy provides the mandate, standards provide the measure, procedures provide the method.
Why it’s tempting: In practice, teams often write procedures first because they’re the most immediately useful. But the exam tests the ideal framework.

“Guidelines are mandatory for everyone”
Guidelines are always optional. They provide recommendations and best practices, but compliance is not required. If an exam answer says employees “must follow” a guideline, that answer is wrong. The word “guideline” in the CISSP context specifically means “not mandatory.”
Why it’s tempting: In everyday English, “guidelines” sometimes implies rules. In CISSP terminology, it specifically means optional.

“Standards specify technology products”
Standards specify requirements (12-character passwords, AES-256 encryption), not products (LastPass, BitLocker). Specifying products locks the organization into vendor dependency. Standards should be measurable and verifiable without being tied to a specific vendor or tool.
Why it’s tempting: In practice, organizations often name specific products in their standards. But the exam tests the principle that standards are product-agnostic.
Exam Signal

When you see inconsistency across departments or missing enforcement: the answer is almost always “create a policy” or “create a standard.” The hierarchy is tested constantly. Remember: policy says “what” (mandatory), standards say “how much” (mandatory), procedures say “how” (mandatory), guidelines say “consider this” (optional). If the question describes inconsistent practices, the gap is at the standard or policy level — not the procedure level.

Quick Check — End of 1.6
A security manager discovers that different departments use inconsistent methods for data backup. What should be created FIRST?
  • A Backup procedures for each department
  • B An enterprise backup standard
  • C An information security policy addressing data protection
  • D Backup guidelines

Correct: C. Policy first, always. The information security policy provides the mandate (“data must be protected”), which then drives the creation of a backup standard (specific requirements like frequency and retention), which then drives department-specific procedures. Creating procedures (A) or standards (B) without policy gives them no enforcement authority. Guidelines (D) are optional and won’t solve inconsistency.

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official ISC2 content, is not endorsed by ISC2, and does not guarantee exam success. All practice questions are original and based on published exam objectives. Always refer to the official ISC2 CISSP Exam Outline as your primary reference.