# Security Policy Types

Backlink: [[Domain 1 - Index]]

**Definition:** Policies set high-level security intentions and direction; they cascade into standards, guidelines, and procedures.

## Key Facts

- Enterprise information security policy (EISP): top-level, board-approved.
- Issue-specific policies: e.g., acceptable use, mobile, email, cloud.
- System-specific policies: tailored to individual platforms or applications.
- Policies are mandatory; violations trigger enforcement/discipline.
- Keep policies concise and technology-agnostic; standards hold the specifics.
- Version control, periodic review, and a formal exception process are required.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

>[!tip] **Exam Relevance**
> - Identify where a requirement belongs (policy vs. standard vs. procedure)
> - Governance authority and approval responsibility

>[!note] **Mnemonic**
> - “Policy says what, Standard says how much, Procedure says how.”

### Example

Q: Where do password complexity numbers belong?
A: Standard (not policy). The policy states that passwords must meet defined complexity requirements; the standard supplies the actual values (length, character classes, rotation).

## Revision Checklist

- [ ] Differentiate EISP, issue-specific, system-specific
- [ ] Map examples to correct document type
- [ ] Recall approval authority
- [ ] Know update/review expectations

## Related

[[Standards, Guidelines, and Procedures]] · [[Security Governance]] · [[Policy Exception and Exception Management]] · [[Control Frameworks (ISO/IEC 27001, NIST, COBIT)]] · [[Security Awareness and Training]]

#cissp #domain-1 #concept