ELI5: What are Policies, Standards, Baselines, Guidelines, and Procedures?

Policies are the big rules (“be safe online”). Standards say exactly how (“use this type of lock”). Baselines are the minimum settings. Guidelines are helpful suggestions. Procedures are step-by-step instructions. Together, they go from general to specific.

Definition

The governance documentation hierarchy is a structured approach to security governance that moves from broad, management-approved direction down to detailed, task-level instructions. Policies are high-level mandatory statements of intent (e.g., "All sensitive data must be encrypted"). Standards are specific mandatory requirements that implement a policy (e.g., "AES-256 must be used for data at rest"). Baselines are the minimum security configuration a given system type must meet before it goes into service. Guidelines are recommended, non-mandatory practices that help people meet the policies and standards where no standard dictates a single answer. Procedures are step-by-step instructions for carrying out a specific task in a way that satisfies the standards above it. Only guidelines are advisory; policies, standards, baselines and procedures are expected to be followed, and deviations normally require a documented exception.

Key Details

  • Policy: mandatory, broad, management-approved; states the "what and why" and assigns accountability (e.g., Acceptable Use Policy, Information Classification Policy)
  • Standard: mandatory, specific, technical or administrative; states "what exactly" must be done (e.g., minimum password length and complexity, required TLS versions)
  • Baseline: the minimum security configuration for a system type, the floor below which a system must not operate; usually derived from a standard and measured before deployment (e.g., a hardened build based on the CIS Benchmark for Windows Server)
  • Guideline: recommended but optional; advice on how a policy or standard might be met when the organization does not mandate one method (e.g., suggested practices for recognising phishing e-mail)
  • Procedure: mandatory step-by-step instructions for a specific task, written so that different people produce the same result (e.g., an incident response runbook, a user off-boarding checklist)
  • Exam tip: the hierarchy is often tested. Policies are mandatory and broad; standards and baselines are mandatory and specific; procedures are mandatory and detailed; guidelines are the only advisory layer. Remember also that real organisations do not always use these terms consistently, so a practitioner should check how a given organisation defines each document type before classifying it.

Connections