Concept Focus
This governance stack translates business security direction into operational behavior. The article frames it cleanly: policy is the compass, standards and baselines are the guardrails, procedures are the road signs, and guidelines are the driving tips.
Core exam point: these artifacts are hierarchical and serve different purposes. Confusing them is a common CISSP mistake.
Security Policy
Policy captures senior management intent and strategic direction. It is reviewed and approved at leadership level, defines responsibilities and roles, outlines audit and enforcement expectations, sets compliance expectations, and establishes acceptable risk levels. It is mandatory.
Neuromesh Example — Password Policy
All accounts must meet password length and complexity requirements, and privileged accounts must use MFA.
Standards
Standards define what is required to implement policy. They are mandatory technical specifications, often tied to hardware or software choices, and help drive uniformity across departments while reducing total cost of ownership and supporting disaster recovery objectives.
Neuromesh Example — Secure Email Standard
All outbound emails containing confidential data must be encrypted using approved tools.
Procedures
Procedures are step-by-step mandatory instructions for implementing policy and standards. Their purpose is consistency and accountability in execution.
Neuromesh Example — Offboarding Procedure
IT must disable accounts, deactivate building access, and recover issued devices within a defined time window after employee exit.
Baselines
A baseline defines the uniform minimum acceptable security level used to implement a standard. It is commonly a technical hardening configuration, and exceptions require senior management sign-off.
Neuromesh Example — Windows 11 Security Baseline
BitLocker enabled, SMBv1 disabled, and an account lockout threshold configured.
Guidelines
Guidelines are optional recommendations and best practices. They help people comply more effectively, but unlike policy, standards, procedures, and baselines, they are not mandatory.
Neuromesh Example — Workstation Security Guideline
Use passphrases, lock your screen when away, and follow practical workstation hygiene recommendations.
Types of Policy
The article distinguishes between three common policy categories:
- Corporate-specific: enterprise-wide security policy
- System-specific: policy for a given platform or system
- Issue-specific: policy targeting a particular topic such as social media or acceptable use
Sample Governance Documents
Sample Policy — Password Policy
Enterprise intent around password rules and MFA requirements belongs at policy level because it expresses mandatory organizational direction.
Sample Standard — Secure Email Standard
- All confidential emails must use TLS encryption.
- Attachments are scanned by DLP before sending.
- Personal email accounts are not used for company work.
Sample Baseline — Windows 11 Baseline
- Enable BitLocker.
- Disable SMBv1.
- Require MFA on login.
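A baseline only means something if hosts are measured against it. The script below is an added example (not from the original notes) that checks a Windows 11 endpoint against the baseline items listed here and in the Neuromesh baseline example above: BitLocker on, SMBv1 off, and a lockout threshold configured. It uses the real cmdlets Get-BitLockerVolume (BitLocker module) and Get-SmbServerConfiguration (SmbShare module), plus the classic `net accounts` output for the local lockout threshold. The upper bound of 10 attempts, the English-locale output format and the OS-volume-only scope are assumptions for illustration; MFA on login is enforced at the identity provider, not in local configuration, so it is not checked here.

```powershell
# Added example, not from the original notes: read-only baseline compliance check.
# Run in an elevated PowerShell 5.1+ session on a Windows 11 Pro/Enterprise host.
$Results = @()

function Add-Result {
    param([string]$Control, [bool]$Compliant, [string]$Evidence)
    $script:Results += [pscustomobject]@{
        Control   = $Control
        Compliant = $Compliant
        Evidence  = $Evidence
    }
}

# 1. BitLocker: protection must be on for the OS volume (assumption: OS volume only).
$osDrive = $env:SystemDrive   # e.g. "C:"
$blv = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
if ($null -eq $blv) {
    Add-Result 'BitLocker on OS volume' $false "Get-BitLockerVolume returned nothing for $osDrive"
} else {
    Add-Result 'BitLocker on OS volume' ($blv.ProtectionStatus -eq 'On') `
        "ProtectionStatus=$($blv.ProtectionStatus); VolumeStatus=$($blv.VolumeStatus)"
}

# 2. SMBv1: the server-side protocol switch must be off.
$smb = Get-SmbServerConfiguration
Add-Result 'SMBv1 disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"

# 3. Account lockout threshold: must be set (assumed acceptable range 1..10 attempts).
#    "net accounts" prints "Lockout threshold: Never" when no threshold is configured
#    (English locale assumed).
$MaxLockoutThreshold = 10
$line = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
$threshold = if ($line -and $line -match 'Lockout threshold:\s*(\d+)') { [int]$Matches[1] } else { 0 }
$evidence  = if ($line) { $line.Trim() } else { 'Lockout threshold line not found in net accounts output' }
Add-Result 'Account lockout threshold set' ($threshold -ge 1 -and $threshold -le $MaxLockoutThreshold) $evidence

$Results | Format-Table -AutoSize

# A baseline is a minimum: every non-compliant control is a deviation that needs
# remediation or a documented, senior-management-approved exception.
$nonCompliant = @($Results | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning "$($nonCompliant.Count) control(s) deviate from the baseline"
    exit 1
}
exit 0
```

The non-zero exit code is what makes this useful in fleet tooling: a configuration-management or endpoint-management job can run it on every host and surface deviations for the exception process, rather than relying on a checklist being read.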
Sample Procedure — Offboarding
- HR notifies IT of exit date.
- Disable accounts in AD.
- Revoke VPN and application access.
- Recover laptops, phones, and badges.
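A procedure is about consistency and accountability, which is exactly what a script with an audit log gives you. The following is an added example (not part of the original notes) that automates the technical steps of the offboarding procedure above. It assumes the ActiveDirectory PowerShell module, an operator account permitted to modify users, and that VPN and application access are granted through AD security groups; the group names, the disabled-users OU and the log path are placeholders. Device recovery is a physical task and is only recorded as an open item.

```powershell
# Added example, not from the original notes. Save as Invoke-Offboarding.ps1 and run
# from a host with RSAT/ActiveDirectory installed. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [Parameter(Mandatory)] [datetime]$ExitDate,                        # step 1: supplied by HR
    [string]$DisabledOU = 'OU=Disabled Users,DC=example,DC=com',       # placeholder
    [string]$LogPath    = "$env:ProgramData\Offboarding\offboarding.log" # placeholder
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log([string]$Message) {
    # Append one timestamped line per action so the sequence is auditable.
    $entry = '{0:u} {1} {2}' -f (Get-Date), $SamAccountName, $Message
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $entry
    Write-Verbose $entry
}

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf -ErrorAction Stop
Write-Log "Offboarding started; HR exit date $($ExitDate.ToString('yyyy-MM-dd'))"

# Step 2: disable the account in AD.
if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account')) {
    Disable-ADAccount -Identity $user
    Write-Log 'Account disabled'
}

# Step 3: revoke VPN and application access by removing access-granting group memberships.
# Only the listed groups are touched; the primary group (Domain Users) is left alone.
$accessGroups = @('VPN-Users', 'App-ERP-Users', 'App-CRM-Users')   # placeholder group names
foreach ($dn in $user.MemberOf) {
    $group = Get-ADGroup -Identity $dn
    if ($accessGroups -contains $group.Name) {
        if ($PSCmdlet.ShouldProcess($group.Name, "Remove $SamAccountName")) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
            Write-Log "Removed from group $($group.Name)"
        }
    }
}

# Park the disabled object in its own OU so it stands out in access reviews.
if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $DisabledOU")) {
    Move-ADObject -Identity $user -TargetPath $DisabledOU
    Write-Log "Moved to $DisabledOU"
}

# Step 4: recovery of laptops, phones and badges is a physical task; log it as open
# so the ticket is not closed before the equipment is back.
Write-Log 'OPEN: recover laptop, phone and badge; close ticket when returned'
```

Run it as `.\Invoke-Offboarding.ps1 -SamAccountName jdoe -ExitDate 2025-01-31 -WhatIf` first to see the planned changes without applying them; every executed action lands in the log, which is the accountability trail the procedure exists to create.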
Sample Guideline — New Employee Security Checklist
- Use company VPN on public networks.
- Avoid storing files locally on laptops.
- Report suspicious emails immediately.
Brain Ticklers
Q1. Neuromesh mandates MFA for all admins in its password policy. Which governance artifact is this?
Think: leadership intent and mandatory enterprise direction.
Q2. Neuromesh has a Windows 11 configuration checklist ensuring BitLocker and MFA are enabled. What is it?
Think: minimum technical configuration.
Q3. A document with step-by-step actions for disabling accounts during offboarding is what artifact?
Think: execution sequence, not strategic direction.
Q4. “Best ways to create strong passphrases” published with no enforcement belongs to which category?
Think: recommended, optional help.
Q5. “All confidential emails must be encrypted using TLS” falls under which artifact?
Think: specific mandatory technical requirement.