# Security Policy Hierarchy

One-sentence definition: Structured documentation stack—policies → standards → procedures → guidelines—defining "what," "how," and "by whom."

## Key Facts

- Policy: high-level intent and mandatory requirements approved by leadership.
- Standards: specific, measurable controls (e.g., password length ≥ 14).
- Procedures: step-by-step tasks; operational, role-specific.
- Guidelines: recommended practices; not mandatory.
- Traceability: link policies to risks, laws, frameworks (ISO/NIST).
- Versioning and governance ensure currency and compliance.
- **Labels:** **Mandatory** (policy/standard) vs advisory (guideline).
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Distinguish documents and choose the correct artifact for a scenario.

**Mnemonic:** "PSPG" → Policy, Standard, Procedure, Guideline.

## Mini Scenario

Q: Users share accounts despite a policy; what to create to enforce rules?

A: A standard (e.g., unique IDs) and procedures for provisioning/auditing.

## Revision Checklist

- Define each layer; give one example.
- Identify which are mandatory vs advisory.
- Map a control to policy/standard.

## Related

[[Security Governance]] · [[Compliance and Regulatory Concepts]] · [[Security Roles and Responsibilities]] · [[Acceptable Use Policy (AUP)]] · [[Control Types and Categories]] · [[Domain 1 - Index]]