EAEbrahim AbdullaLearning SeriesCourse Home ↗
Lesson 03

Policies, Standards, Procedures and Guidelines

Turning governance intent into consistent and auditable security practice

NISTISO/IEC 27001ISO 22301SOC 2

Building a clear, enforceable and practical security governance framework

Security governance hierarchy

Cybersecurity Foundations Training Series

Learning objectives

  • Explain the purpose of policies, standards, procedures and guidelines.

  • Distinguish mandatory requirements from recommended practices.

  • Translate a high-level policy objective into measurable rules and repeatable steps.

  • Identify the governance features that make security documentation effective.

A document is effective when people understand it, owners maintain it, controls enforce it and evidence shows whether the organisation follows it.

Why governance documents matter

Security governance converts management intent into consistent decisions and repeatable work. Without clear documentation, teams interpret requirements differently, staff rely on memory and incidents receive inconsistent responses.

A useful document hierarchy answers four questions. What does the organisation require? Which measurable rules apply? How should staff complete the task? Which recommended practices help staff make better decisions?

Policy

A policy states high-level direction, principles, responsibilities and management expectations. It applies across a defined organisational scope and receives formal approval from an authorised body.

Policies should remain stable enough to guide long-term decisions, but they still need scheduled review and review after material changes, legal developments, incidents or audit findings. A policy should avoid technical detail that becomes obsolete quickly.

Standard

A standard translates policy intent into mandatory and measurable rules. Standards might define approved encryption, account review frequency, logging retention, secure configuration baselines or password requirements.

A good standard uses clear language, identifies scope and ownership, defines exceptions and refers to supporting procedures. Teams should be able to test compliance with it.

Procedure

A procedure sets out the required steps for completing a task. It identifies roles, sequence, inputs, decision points, records and escalation paths.

Procedures improve consistency. During a phishing incident, for example, a documented process helps staff preserve evidence, isolate risk, reset credentials, search for related messages, notify stakeholders and record the outcome in the correct order.

Guideline

A guideline provides recommended methods, examples and good practice. It supports judgement where more than one acceptable approach exists. Unlike a standard or a mandatory procedure, a guideline is normally advisory unless another approved document makes it compulsory.

Guidelines should never contradict mandatory requirements. They should make compliance easier and help users understand the intent behind a control.

Password documentation example

Policy statement: Organisational accounts must use secure authentication, and users must protect their credentials.

Standard statement: Password-only authentication requires an approved minimum length, compromised-password screening, protected storage and rate limiting. MFA is required for defined systems and risk levels. Routine password expiry is not required unless compromise or another defined condition exists.

Procedure: The user opens the identity portal, completes identity verification, enrols the required authenticator, tests sign-in and records completion. The service desk follows an approved recovery process when self-service recovery fails.

Guideline: Use a password manager to generate and store a unique password. Choose a long passphrase where a password manager is unavailable. Prefer a passkey or security key for high-risk access.

Policy, standard and procedure example

Figure 1. One policy objective should flow into measurable standards, procedures and supporting guidance.

Designing effective information security policies

Start with risk. Identify the assets, threats, vulnerabilities and business impact that the policy must address. A policy that omits a material risk creates false assurance.

Map legal, regulatory, contractual and internal obligations. The organisation should know which requirements apply, who interprets them and how evidence will be maintained.

Define authority and consequences. State responsibilities, approval rights, exception handling, escalation and the consequences of deliberate or repeated non-compliance. Enforcement must remain fair, documented and aligned with employment and legal requirements.

Involve affected stakeholders. Security, IT, legal, privacy, HR, operations and business owners often hold different information. Their input helps identify impractical requirements, missing dependencies and unintended operational impact.

Train and communicate. Publishing a policy is insufficient. Staff need role-based awareness, practical examples and clear access to the current approved version.

Secure visible management support. Formal approval, leadership participation and resourcing show that the policy forms part of business governance rather than an optional security preference.

Document control and assurance

Every governance document should include an owner, approver, version, effective date, review date, classification, scope and change history. Retired versions should remain controlled where retention is required.

Exceptions require defined approval, risk acceptance, compensating controls and an expiry date. Open-ended exceptions weaken the standard and hide unmanaged risk.

Compliance should be measured through audits, technical assessments, metrics, incident reviews and management reporting. Findings should lead to corrective actions, assigned owners and target dates.

Security policy lifecycle

Figure 2. Effective governance continues after approval through communication, monitoring and review.

Comparison

Document Purpose Mandatory? Typical content Example
Policy Set direction and accountability Yes Principles, scope, roles and high-level requirements Information Security Policy
Standard Define measurable rules Yes Minimum configurations, frequencies, approved methods Access Control Standard
Procedure Describe required steps Yes when approved as mandatory Tasks, roles, workflow, records and escalation User Access Revocation Procedure
Guideline Recommend good practice Normally no Examples, options and implementation advice Secure Remote Working Guideline

Quick knowledge check

1. Which document should define an approved minimum encryption configuration?

  • A. Policy

  • B. Standard

  • C. Guideline

  • D. Awareness notice

2. Which document should describe the exact steps for responding to a phishing report?

  • A. Policy

  • B. Standard

  • C. Procedure

  • D. Risk appetite

3. What normally distinguishes a guideline from a standard?

  • A. A guideline is normally advisory while a standard is mandatory

  • B. A guideline requires board approval but a standard does not

  • C. A standard contains no measurable requirements

  • D. A guideline replaces procedures

4. Why should a policy exception have an expiry date?

  • A. To avoid keeping evidence

  • B. To force periodic review and prevent open-ended risk acceptance

  • C. To remove accountability

  • D. To make the standard optional

Standards and framework alignment

This lesson uses the following frameworks as complementary references. NIST provides risk and control guidance, ISO/IEC 27001 defines requirements for an information security management system, ISO 22301 addresses business continuity, and SOC 2 evaluates service-organisation controls against the AICPA Trust Services Criteria.

Reference framework How it supports this lesson
NIST CSF 2.0 The Govern function includes policy, roles, authorities, oversight and risk management outcomes that turn security expectations into accountable practice.
ISO/IEC 27001:2022 The ISMS requires approved policy, controlled documented information, assigned responsibilities, performance evaluation and continual improvement.
ISO 22301:2019 A BCMS requires business continuity policy, controlled plans and procedures, exercise evidence, review and corrective action.
SOC 2 Trust Services Criteria SOC 2 examinations rely on defined controls, policies, responsibilities and evidence showing whether controls were suitably designed and operated.

References and further reading

1. NIST Cybersecurity Framework (CSF) 2.0, NIST CSWP 29, 2024. https://doi.org/10.6028/NIST.CSWP.29

2. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements. https://www.iso.org/standard/27001

3. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements. https://www.iso.org/standard/75106.html

4. AICPA, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy, Revised Points of Focus 2022. https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022

5. NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

Back to top ↑