6.1.1. Policies, Standards, and Procedures
💡 First Principle: The governance hierarchy flows from broad intent to specific instructions. Policies set direction, standards define measurable requirements, procedures provide step-by-step instructions, and guidelines offer recommendations. Each level adds specificity.
Acceptable Use Policy (AUP): defines what employees may and may not do with organizational IT resources. Covers internet use, email, personal devices, social media, and data handling. Signed acknowledgment creates accountability.
Information security policies: high-level documents establishing the organization's security posture: data classification policy, access control policy, incident response policy, remote work policy. Policies state what must be done without prescribing how.
Business continuity policy: establishes requirements for maintaining operations during disruptions. Ties to RTO/RPO requirements from Phase 4.
Disaster recovery policy: defines how the organization will restore operations after a catastrophic event. Specifies site types, backup requirements, and recovery testing schedules.
Incident response policy: establishes the IR framework, team composition, escalation paths, and communication requirements covered in Phase 5.
Change management policy: formalizes the change management process from Phase 2: approval requirements, testing mandates, documentation standards.
Standards: mandatory, specific requirements. "All passwords must be at least 12 characters" is a standard. "Encryption must use AES-256" is a standard. Standards are measurable and auditable.
Procedures: step-by-step instructions for performing specific tasks. "To onboard a new employee, complete these 14 steps in this order." Procedures ensure consistency regardless of who performs the task.
Guidelines: recommendations that are not mandatory. "We recommend using a password manager." Guidelines provide best-practice advice without enforcement.
Key policy types tested on the exam: Acceptable Use Policy (AUP: what users can and cannot do with organizational resources), Information Security Policy (overall security program direction), Business Continuity Policy (maintaining operations during disruptions), Incident Response Policy (how to detect, report, and respond to security incidents), and Change Management Policy (how changes are proposed, reviewed, and implemented).
⚠️ Exam Trap: Policies are mandatory and broad. Guidelines are optional and advisory. Standards are mandatory and specific. If a question asks which document MUST be followed, it's a policy or standard. If it asks which document provides recommendations, it's a guideline.
