
One of the most common reasons CISSP candidates lose marks is confusing documents that sound similar but serve very different purposes.
Policies, standards, guidelines, and procedures are often spoken about together—but in CISSP, each one has a clear role, authority level, and intent.
This blog breaks them down in simple, real‑world terms, exactly the way CISSP expects you to reason during the exam.
Why This Topic Matters in CISSP
CISSP questions rarely ask you to define documents.
Instead, they test whether you can:
- Identify governance vs execution
- Choose the right document at the right level
- Understand mandatory vs recommended controls
Most mistakes happen when candidates pick a procedure where CISSP expects a policy, or miss guidelines entirely.
The Office Reality Analogy
Imagine an organisation trying to improve security.
Four different questions are asked:
- What does the organisation expect everyone to follow?
- What rules must systems comply with?
- What recommended practices should people follow?
- How exactly is the work performed?
Each question maps directly to a different document:
- Policy
- Standard
- Guideline
- Procedure
Understanding this mapping is the key to answering CISSP questions correctly.
Policy: What and Why
A policy is a high‑level statement of intent.
It answers:
- What is important?
- Why does it matter?
- What does management expect?
Examples
- Information Security Policy
- Acceptable Use Policy
Key Characteristics
- Approved by senior management
- Business‑driven
- Mandatory
- High‑level
CISSP Mindset
Policy sets direction, not steps.
If a CISSP question talks about governance, expectations, or organisational rules, policy is usually the answer.
Standard: The Mandatory Rules
A standard supports a policy by defining mandatory requirements.
Standards specify:
- Minimum requirements
- Approved configurations
- Consistent controls across the organisation
Examples
- Passwords must be at least 14 characters
- Approved encryption algorithms
- Secure configuration baselines
Key Characteristics
- Mandatory
- Specific
- Organisation‑wide
CISSP Mindset
Standards ensure consistency and compliance.
If a question includes words like must, required, or minimum, think standard.
Guideline: Recommended Practices
Guidelines are recommendations, not rules.
They exist to provide direction when flexibility is required.
Guidelines:
- Suggest best practices
- Allow professional judgment
- Are not mandatory
Examples
- Passwords should avoid dictionary words
- Developers should follow secure coding best practices
- Administrators should review logs regularly
CISSP Mindset
Guidelines support decision‑making when strict rules don’t fit.
If a CISSP question mentions recommended, suggested, best practice, or optional, the answer is usually guideline.
Procedure: How to Do It
A procedure explains step‑by‑step how a task is performed.
Procedures answer:
- How is something done?
- Who does it?
- In what order?
Examples
- User onboarding steps
- Incident response steps
- Backup execution steps
Key Characteristics
- Very detailed
- Task‑specific
- Operational
CISSP Mindset
Procedures guide day‑to‑day execution, not governance.
The Hierarchy CISSP Cares About
CISSP expects you to understand this order clearly:
Policy → Standard → Guideline → Procedure
- Policy sets direction
- Standards define mandatory rules
- Guidelines provide flexible recommendations
- Procedures explain execution
If a CISSP question asks what should be created first, the answer is almost always policy.
How This Appears in CISSP Questions
CISSP questions typically describe a scenario and ask:
- What should management establish?
- What document provides guidance without enforcement?
- What ensures consistent implementation?
Exam Technique
- Identify the level (governance or operations)
- Look for mandatory vs recommended language
- Choose the document that matches the intent
This approach removes ambiguity from many questions.
One‑Line Takeaway
Policy sets direction.
Standards enforce rules.
Guidelines recommend best practices.
Procedures explain steps.
🎧 Listen to the Podcast
This blog is part of the CISSP Blog & Podcast Series on PK’s Chronicles.
If you prefer audio learning, listen to the companion podcast episode where this topic is explained in a 10‑minute, concept‑first format.
Listen on Spotify: search for “PK’s Chronicles”
Each episode focuses on how CISSP wants you to think, not memorisation.