Security Policies, Standards, Procedures, and Guidelines: A CISSP Guide

Updated on: January 12, 2025

    Security policies serve as the foundation of any robust cybersecurity program. Organization-wide rules and guidelines shape how businesses protect their assets, manage risks, and achieve their security objectives. For CISSP candidates and security professionals, mastering the interplay between policies, standards, procedures, and guidelines is essential.

    Think of these security documents as your organization's security blueprint. Each component plays a vital role—from high-level policies that direct security efforts to detailed procedures that guide daily operations. Together, they create a framework that turns security principles into practical, actionable steps.

    Let's explore these critical building blocks of organizational security and how they work together to protect assets and enable business objectives.

    What are Security Policies and Supporting Documents?

    Security policies are corporate laws that document and communicate management's goals and objectives for protecting organizational assets. These policies, along with their supporting documents, create a comprehensive framework for implementing and maintaining security throughout an organization.

    A top-down approach that incorporates a governance committee to help design policies is required. The committee, reporting to the Board of Directors and CEO, should develop an overarching security policy that aligns with organizational goals and objectives, covers the entire organization, and clearly articulates the goals and objectives of the security function.

    Policies are critical as they set the tone and help create the culture necessary for effective organizational security to exist. This policy must be communicated from the CEO, or even the Board of Directors, to be most effective and impactful.

    Image of Security Policies table - Destination Certification

    Let's take a close look at the model shown above for creating and maintaining security policies in an organization. This security document hierarchy shows how the overarching policy flows down into specific functional policies, which are then supported and implemented through standards, procedures, baselines, and guidelines:

    • Standards: Specific hardware and software solutions
    • Procedures: Step-by-step instructions
    • Baselines: Defined minimal implementation levels
    • Guidelines: Recommendations or suggestions

    We will discuss each of these core components in detail in the succeeding sections.


    Core Components of Security Documentation

    As we discussed in the previous section, security documentation follows a hierarchical structure, with each component playing a vital role in the organization's security framework. Understanding these components—from high-level policies to specific guidelines—is crucial for implementing effective security measures. Let's examine each component in detail to understand their unique purposes and how they work together.

    Policies: The Corporate Laws

    Policies are documents that communicate management's goals and objectives. They serve as corporate laws within an organization, providing authority to security activity and defining the elements, functions, and scope of the security team. Most importantly, policies must be approved and communicated throughout the organization.

    The overarching policy should be very simple. It needs to be communicated by the CEO and will clearly spell out how the CEO and the organization are accountable for protecting all assets that represent value to the organization—that the CEO and upper management are ACCOUNTABLE, but also that EVERYONE in the organization is RESPONSIBLE for security and protecting the value of assets.

    If this is done properly, the security function is seen as an enabler and helper, as opposed to the traditional view of security as an obstacle—where the business goes to be told they can't do something.

    Standards: Specific Solutions

    Standards provide the technical details and specific solutions that support policy requirements. While policies define what needs to be done, standards specify how it should be done by identifying specific technologies, methodologies, or configurations that must be used. This ensures consistency and interoperability across the organization. Examples include:

    • Specific anti-virus software, e.g., McAfee
    • Specific access control system, e.g., Forescout
    • Specific firewall system, e.g., Cisco ASA
    • Published guideline (e.g., ISO 27001) adopted by an organization as a standard

    Baselines: Minimum Security Levels

    Baselines establish the minimum security requirements that must be met for various systems and processes. They serve as a reference point for measuring security compliance and ensure a consistent security foundation across the organization. These minimum requirements help organizations maintain a basic level of security while allowing for additional controls where needed. Examples include:

    • Configurations for intrusion detection systems
    • Configurations for access control systems

    Guidelines: Flexible Recommendations

    Guidelines differ from other security documentation in that they provide flexible, advisory recommendations rather than mandatory requirements. They offer best practices and suggestions that organizations can adapt based on their specific needs and circumstances. This flexibility makes guidelines particularly useful when dealing with diverse systems or situations where a one-size-fits-all approach isn't practical.

    Examples include:

    • Government recommendations
    • Security configuration recommendations
    • Organizational guidelines
    • Product/system evaluation criteria

    Note: Guidelines allow an organization to suggest that something be done without making it a hard requirement; if the suggestion is not followed, it therefore does not cause a negative audit finding.

    Implementation and Management

    The success of these security documents depends on each person performing their role well and supporting functional policies that make sense to the company. If the Board or CEO are unwilling to lead, failure from the top could follow. Similarly, if the supporting elements of functional security policies are not considered properly, implementation of security could fail. Thus, it's important that all facets of the model be carefully considered when developing and implementing it.

    Specific functional security policies will flow from the overarching policy. While policies don't need to be reviewed every year, standards, procedures, baselines, and guidelines may need to be updated frequently. Any combination of these elements will typically be put in place to support functional policies; together, the compendium of functional policies will be defined, supported, and informed by many standards, procedures, baselines, and guidelines.

    For example, an organization might have a policy, created and owned by the Security Governance Committee, mandating the use of anti-malware software. Functional policies would then need to be developed that dictate exactly how to enact that policy. Those functional policies might include:

    • A standard to specify the version of anti-malware software to use
    • A procedure to outline the steps to install it
    • A guideline to suggest ideal goals for anti-malware efforts, such as heuristics in anti-malware software where possible

    Each type of supporting document works together to ensure the policy is met.
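    The distinction the page draws between baselines and standards (mandatory minimums that can be measured for compliance) and guidelines (advisory recommendations that carry no audit finding) is easy to see in a small compliance check. The following is an added example, not code from the original page or from Destination Certification; the product name "ExampleAV", the version numbers, and the configuration keys are constructed for illustration. It evaluates one host's configuration against a requirement set modelled on the anti-malware example above: two standards, two baseline items, and one guideline.

```python
# Added example (not from the original page): a small compliance checker that
# treats standards and baselines as mandatory requirements and guidelines as
# advisory recommendations. All product names, versions and configuration
# keys below are constructed for illustration.
from dataclasses import dataclass
from typing import Any, Callable


def version_tuple(text: str) -> tuple:
    """Turn '5.2.1' into (5, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in str(text).split("."))


@dataclass(frozen=True)
class Requirement:
    doc_type: str                  # "standard", "baseline" or "guideline"
    key: str                       # configuration key being checked
    check: Callable[[Any], bool]   # predicate the observed value must satisfy
    description: str

    @property
    def mandatory(self) -> bool:
        # Standards and baselines must be met; guidelines only recommend.
        return self.doc_type in ("standard", "baseline")


# Constructed requirement set (hypothetical values, not from the page).
REQUIREMENTS = [
    Requirement("standard", "antimalware_product",
                lambda v: v == "ExampleAV",
                "approved anti-malware product must be installed"),
    Requirement("standard", "antimalware_version",
                lambda v: version_tuple(v) >= (5, 2, 0),
                "anti-malware version must be at least 5.2.0"),
    Requirement("baseline", "ids_enabled",
                lambda v: v is True,
                "intrusion detection must be enabled"),
    Requirement("baseline", "min_password_length",
                lambda v: int(v) >= 12,
                "minimum password length must be 12 or more"),
    Requirement("guideline", "antimalware_heuristics",
                lambda v: v is True,
                "heuristic scanning is recommended where the product supports it"),
]


def evaluate(config: dict) -> dict:
    """Compare one system's configuration against REQUIREMENTS.

    Returns findings (mandatory failures, i.e. a negative audit result),
    advisories (unmet guidelines, no audit impact) and an overall verdict.
    """
    findings, advisories = [], []
    for req in REQUIREMENTS:
        observed = config.get(req.key)
        try:
            met = observed is not None and bool(req.check(observed))
        except (TypeError, ValueError):
            met = False  # malformed or missing values never count as compliant
        if met:
            continue
        message = f"[{req.doc_type}] {req.key}: {req.description} (observed {observed!r})"
        if req.mandatory:
            findings.append(message)
        else:
            advisories.append(message)
    return {"compliant": not findings, "findings": findings, "advisories": advisories}


# Constructed sample inputs: one host meets everything, one runs an outdated
# anti-malware version (standard not met) and has heuristics off (guideline only).
HOST_OK = {"antimalware_product": "ExampleAV", "antimalware_version": "5.3.1",
           "ids_enabled": True, "min_password_length": 14,
           "antimalware_heuristics": True}
HOST_DRIFTED = {"antimalware_product": "ExampleAV", "antimalware_version": "5.1.9",
                "ids_enabled": True, "min_password_length": 12,
                "antimalware_heuristics": False}

if __name__ == "__main__":
    for name, cfg in (("host-ok", HOST_OK), ("host-drifted", HOST_DRIFTED)):
        result = evaluate(cfg)
        print(name, "compliant" if result["compliant"] else "NON-COMPLIANT")
        for line in result["findings"] + result["advisories"]:
            print("  ", line)
```

    Running the block reports host-ok as compliant and host-drifted as non-compliant with one finding (the version standard) and one advisory (the heuristics guideline); the advisory alone would not make the host non-compliant, which is exactly the audit distinction the note on guidelines describes. Keeping the requirement set as data separate from the checker mirrors the page's point that standards, baselines, and guidelines change more often than the policy they support.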

    FAQs

    Who should write and own security policies?

    Security policies must come from upper management, establishing a clear "tone from the top." A governance committee, reporting to the Board of Directors and CEO, should develop the overarching security policy that aligns with organizational goals and objectives. This policy ownership at the highest level ensures proper authority and organizational-wide implementation.

    How often should security policies be reviewed?

    While the overarching policies don't need to be reviewed every year, the supporting documents—standards, procedures, baselines, and guidelines—may need more frequent updates. This flexible approach ensures that technical and operational details can be adapted to changing circumstances while maintaining consistent high-level security objectives.

    Strengthen Your Security Policy Knowledge with Destination Certification

    Understanding the interplay between policies, standards, procedures, and guidelines is fundamental to any security professional's role. As you prepare for the CISSP exam, you'll need to demonstrate not just knowledge of these components, but how they work together to create an effective security framework.

    At Destination Certification, we take complex security concepts and make them actionable. Our CISSP MasterClass breaks down security documentation into clear, practical components. We discuss these crucial elements of security infrastructure, preparing you not only for the CISSP exam but for real-world implementation in your security career.

    Whether you're preparing for the CISSP exam or looking to strengthen your security program, a proper understanding of security documentation is crucial. Join our CISSP MasterClass to build a solid foundation in these essential concepts and prepare for success in your security career.

    Image of Rob Witcher - Destination Certification

    Rob is the driving force behind the success of the Destination Certification CISSP program, leveraging over 15 years of security, privacy, and cloud assurance expertise. As a seasoned leader, he has guided numerous companies through high-profile security breaches and managed the development of multi-year security strategies. With a passion for education, Rob has delivered hundreds of globally acclaimed CCSP, CISSP, and ISACA classes, combining entertaining delivery with profound insights for exam success. You can reach out to Rob on LinkedIn.

