Policy, Standards, Procedures, Guidelines

Candidates must be aware of the difference between policies, standards, procedures, and guidelines.

Guidelines – can guide policy and any of the following below, and contain recommendations and suggestions, but they are not required. Within the hierarchy, they can be above, between or at the side of the primary ladder presented here:

Policy – should have the following components:

• High level overview of security strategy or goals
• Contains data classifications (confidential, sensitive, etc.)
• Type of access management (whether role-based, etc.)
• Expected user behavior with the entity’s IT systems and data
• High level personnel security practices, such as background checks
• A common policy creation process is where it is written by subject matter experts (SMEs), shared with impacted parties for edits, and then approved by senior management

Guidelines – can guide standards as well, but they are not required.

Standard – should have the following elements:

• Can come from statutory/administrative law, professional organizations, or industry groups
• Describes settings, expectations of performance, configurations, specific requirements

Guidelines – can guide procedures as well.

Procedures – contain specific, repeatable steps; very task-oriented.  It’s essential that staff can locate and execute procedures (and they must be detailed enough to carry out the tasks).

Candidates also need to be aware of the breadth vs. depth concept.  This refers to a concept related to the scope of policy versus the detail of procedures, and the span of detail needed to go from one to the other.  As you can see above, ISC2’s new framework on this indicates that guidelines can literally fall anywhere in this hierarchy, including formation of policy, but the general hierarchy is still that policy has the most breadth, and procedures have the least (but have more depth) since they are more specific.