Policy Hierarchy

Policy Hierarchy Explained

Policies: Think of information security policies as the specifications or goals for the various aspects of the security program. Policies should specify what is being protected and who is accountable, but not HOW the specified tasks are performed.

Standards: Standards define the mandatory, minimum mechanisms associated with specific policies (e.g. remediation timelines).

Baselines: Baselines represent measurable, verifiable minimum levels of security (e.g. configurations).

Guidelines: These are authoritative methodologies and recommendations (e.g. password hygiene).

Procedures: Procedures describe exactly HOW to implement policies and standards/baselines (e.g. incident response, access control). They are usually documented as Standard Operating Procedures (SOPs).