| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 1.6 - Security Policy, Standards, Procedures, & Guidelines
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series builds the paperwork backbone of a security program, continuing Domain 1. It explains why security gets formalized into a hierarchy of documents, what each layer of that hierarchy does, and how the layers work together to turn good intentions into consistent, enforceable practice.
What this episode covers
- Why formalize into a hierarchy — a layered document structure lowers the chance of a security failure.
- Security policy — the compulsory top layer defining scope, roles, audit requirements, and acceptable risk.
- Three policy types — organizational for the whole enterprise, issue-specific for one service, system-specific for one system.
- Standards and baselines — compulsory uniform requirements, with baselines as the minimum secure floor.
- Guidelines — flexible, non-compulsory recommendations you tailor to each system or situation.
- Procedures — step-by-step how-to documents (SOPs) delivering consistent, repeatable results.
- Keeping documents separate — limits exposure and lets you update only the affected piece.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is a security policy, and what types exist?
A security policy sits at the top of the hierarchy. It defines the scope of security you need, names the assets that require protection, assigns responsibilities and roles, sets audit and compliance requirements, and declares acceptable risk. Policies are compulsory and serve as proof that leadership exercised due diligence. They come in three flavors: an organizational policy spans the whole enterprise, an issue-specific policy targets one service or function, and a system-specific policy governs a particular system.
What are standards and baselines?
A standard defines compulsory requirements for the uniform use of hardware, software, technology, and controls, so everyone implements things the same way. A baseline is a more operationally focused form of standard that sets the minimum level of security every system must meet. Anything falling below the baseline should be pulled from production until it is brought back up — the baseline is the common secure floor on which you stack stronger measures.
What are guidelines, and how do they differ?
Guidelines are the flexible layer, offering recommendations on how standards and baselines get implemented. The key difference is that guidelines are not compulsory — they suggest actions and methodologies rather than mandating a specific product or exact configuration. Because they bend, you can tailor them to each unique system or situation, and they help shape new procedures.
What are procedures?
Procedures are the most detailed layer, at the bottom of the structure. A procedure, also called a standard operating procedure, is a step-by-step how-to document describing the exact actions needed to implement a specific control or solution. Because systems evolve, procedures must be updated as hardware and software change — their whole purpose is consistent, repeatable results through standardization.
Why keep all these documents separate?
Because separation makes them easier to manage and safer to share. Not everyone needs to see every standard, baseline, guideline, and procedure for every classification level, so splitting them limits exposure. And when something changes, you update and redistribute only the affected piece, instead of reissuing one giant monolithic document to the whole organization.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 1.6 - Security Policy, Standards, Procedures, & Guidelines.