# Standards, Guidelines, and Procedures

Backlink: [[Domain 1 - Index]]

**Definition:** Standards are mandatory specifications; guidelines are recommended practices; procedures are step-by-step instructions.

## Key Facts

- Standards operationalize policy with measurable requirements.
- Baselines: minimum acceptable configurations; can be standards.
- Guidelines provide discretion; useful for diverse environments.
- Procedures ensure consistent execution and auditability.
- Exceptions must be documented, time-bound, and approved.
- **Verify:** check official (ISC)² CBK and current exam outline.

> [!tip] **Exam Relevance**
> - Place a control in the right document type
> - Understand when exceptions are appropriate

> [!note] **Mnemonic**
> - "Set it, Guide it, Perform it."

### Example

Q: A SOC runbook is which type?
A: Procedure.

## Revision Checklist

- [ ] Define each document type
- [ ] Give one example for each
- [ ] Know approval and exception flows
- [ ] Understand baseline vs. standard

## Related

[[Security Policy Types]] · [[Policy Exception and Exception Management]] · [[Security Governance]] · [[Security Program Management (PDCA)]] · [[Security Awareness and Training]]

#cissp #domain-1 #concept