Learn Different Types of Policies and Procedures in CISSP


An organization should define its security plan. Security follows a top-down approach. In other words, the security strategy and scope are discussed, defined, and approved at the top level (top management). After being approved, they are propagated to the middle management, then to the team leaders, and finally to the executives to follow. The mentioned plan and scope must be documented in a set of formalized documents that act as the security bible of the organization. Policies and Procedures will be the subject of today’s article. Have a nice reading.

Types of Security Documentation

The security documents could be:

  • Policies.
  • Standards.
  • Baselines.
  • Guidelines.
  • Procedures.

In the following sections, we are going to discuss each type of documents.

The Security Policy
The security policy is a high-level document that defines the organization’s vision concerning security, goals, needs, scope, and responsibilities.

Three main types of policies exist:

  • Organizational (or Master) Policy.
  • System-specific Policy.
  • Issue-specific Policy.

The master security policy can be thought of as a blueprint for the whole organization’s security program. It is the strategic plan for implementing security in the organization.

A System-specific policy is concerned with a specific or individual computer system. It is meant to present the approved software, hardware, and hardening methods for that specific system.

An Issue-specific policy is concerned with a certain functional aspect that may require more attention. For this reason, a separate policy is prepared for that issue to explain with details the required level of security, and the instructions that all staff in the organization must abide by to achieve this level. Examples for this type of policy are:

  • Change Management Policy.
  • Physical Security Policy.
  • Email Policy.
  • Encryption Policy.
  • Vulnerability Management Policy.
  • Media Disposal Policy.
  • Data Retention Policy.
  • Acceptable Use Policy.
  • Access Control Policy.

Once the master policy, the issue-specific policies, and system-specific policies are approved and published, another set of document could be prepared in the light of these high-level policies.

Security Standards
Standards define the obligatory rules, instructions, and/or actions required to realize the goals and objectives set by the top management in the security policies.

A baseline specifies the minimum level of security required. All systems in the organization must comply with that minimum. To determine which systems meet the baseline and which don’t, an evaluation must be done on a regular basis, and when major changes are done. Such evaluation could be done either by the organization’s security team or outsourced to a third-party consultant.

Guidelines are practical instructions and recommendations targeting all levels of staff in the organization. These instructions are considered as operational guides on how to apply and enforce the standards and baselines. Guidelines are flexible and not obligatory.

Procedures are the lowest level in the organization’s security documentation structure.
While a security policy is a high-level document containing general directives, a procedure is a very detailed document that illustrates in step-by-step instructions on how a specific task is done.

Now, let’s assemble all the pieces together to see the complete picture:

  • The security policy dictates in general words that the organization must maintain a malware-free computer system environment.
  • A standard states in strict words that every computer in the organization’s network must have an antivirus installed and updated with the latest virus definitions.
  • A baseline sets the threshold below which a computer will be considered insecure, and above which it will be considered as secure. The baseline could be for example a computer fully-patched, with antivirus installed, having virus definitions not older than 7 days from the latest published definitions from the vendor.
  • Guidelines could be instructions like:
  1. When you receive an email from an untrusted or unknown sender, don’t open any attachments in the mail.
  2. Use of USB flash memories, hard disks, CD-ROM is prohibited in the organization’s computers.
  3. Don’t attempt to disable or hinder the antivirus operation.
  • Procedures could be the antivirus installation and configuration steps on network hosts.

Have you seen the complete picture now? Great!


  • A security policy is a high-level document that dictates the top management’s security vision, objectives, scope, and responsibilities.
  • A standard is a set of obligatory rules that support the security policy.
  • A security baseline is a threshold that all the systems in the organization must comply with.
  • A guideline is a set of flexible recommendations and best practices.
  • A procedure is a detailed, step-by-step document that illustrates how to make a specific task.

In the next article, we will knock a new domain in our journey with the CISSP study: Access Control.

I hope you enjoy studying CISSP with us.

Read More: Learn Different types of Security Controls in CISSP



Please enter your comment!
Please enter your name here