Distinguish a policy, a standard, a procedure, and a guideline. Which are mandatory?
Short answer
A policy is the high-level mandatory statement of management intent; a standard is a mandatory specific rule that enforces policy (e.g. AES-256); a procedure is the mandatory step-by-step how-to; a guideline is an optional recommendation. Policies, standards, and procedures are mandatory, while guidelines are discretionary.
This is a classic CISSP definitions question, and interviewers use it to check whether you can talk to executives and auditors precisely. Mixing these terms up signals weak governance fundamentals.
The governance hierarchy
Think of these documents as a pyramid flowing from intent to execution:
- Policy — the top-level, broad statement of management's intent and direction. It says what and why, is approved by senior leadership, and deliberately avoids specific technologies so it stays stable over years. Mandatory.
- Standard — a specific, mandatory rule that operationalizes a policy. "All data at rest must be encrypted with AES-256" is a standard enforcing an encryption policy. Mandatory.
- Baseline — a minimum acceptable configuration level (e.g. a hardened OS build) that standards reference.
- Procedure — the detailed, step-by-step how-to that personnel must follow to meet a standard. Mandatory.
- Guideline — recommended best practice that offers flexibility where rigid rules are impractical. Discretionary / optional.
Why the distinction matters
The mandatory-versus-optional line is the heart of the answer. Auditors test compliance against policies, standards, and procedures because they are enforceable; guidelines exist to help judgment in situations a standard cannot fully anticipate. Keeping technology details out of policies (and pushing them into standards and baselines) means you can swap vendors or algorithms without rewriting board-approved documents.
What interviewers look for
Crisp definitions in the right order, the explicit statement that only guidelines are optional, and the insight that policies should be technology-neutral while standards and procedures carry the specifics.
Likely follow-ups
- Where do baselines fit in this hierarchy?
- Why should a policy avoid naming specific technologies or vendors?
- Who should formally approve a security policy?