In cybersecurity, the success of any technical control—from firewall rules to encryption keys—is predicated on clear documentation. Documentation is the administrative control (Domain 1) that translates organizational goals into actionable instructions for every employee.
For the SSCP, you must understand the hierarchy of security documentation: the top-down structure that moves from broad, philosophical statements to highly granular, technical steps.
The Four Pillars of Security Documentation
The four main types of security documentation create a continuous flow of accountability and instruction throughout the organization.
1. Policies (The “Why”)
A Policy is a high-level, mandatory statement issued by management that defines what the organization must accomplish. Policies are broad, technology-independent, and driven by business and regulatory needs.
- Role: Sets the overall security tone and goal.
- Example: “All sensitive company data, regardless of where it is stored, must be encrypted.”
- Authority: Signed and approved by executive leadership (like the CISO or CEO).
2. Standards (The “How to Achieve It”)
A Standard takes a policy statement and dictates the specific, required technologies or configurations necessary to meet that policy goal. Standards are mandatory and are focused on consistency.
- Role: Enforces uniformity across the enterprise.
- Example: If the policy mandates encryption, the standard might mandate: “All data classified as ‘Restricted’ must be encrypted using AES-256.”
- Authority: Enforced by security management and implemented by the Data Custodians.
3. Procedures (The “Step-by-Step”)
A Procedure is a detailed, mandatory, step-by-step description of the exact actions a user or system administrator must perform to comply with a Standard. Procedures are highly granular and technology-specific.
- Role: Ensures that tasks are performed consistently every single time.
- Example: “To reset a user password (in accordance with the Password Standard), a Security Analyst must: 1) Log into the Active Directory console. 2) Search for the user’s ID. 3) Right-click and select ‘Reset Password,’ and 4) Check the ‘User Must Change Password at Next Logon’ box.”
- Authority: Followed by end users and Security Analysts (the boots-on-the-ground team).
4. Guidelines (The “Best Practice Suggestions”)
A Guideline is an optional recommendation or suggestion designed to help users and practitioners comply with the policies, standards, and procedures. They are non-mandatory and offer flexibility.
- Role: Provides helpful advice and best practice suggestions when no procedure applies.
- Example: “It is recommended that employees use a password manager to store complex credentials.”
- Authority: Advisory, typically created by the security team.
Why the Hierarchy Matters to the SSCP
Understanding this structure is crucial because it defines accountability and action:
| Document Type | Mandatory? | Scope | Focus |
|---|---|---|---|
| Policy | Yes | Broad/Business | Organizational goals (e.g., Confidentiality) |
| Standard | Yes | Specific/Technical | Required technologies/settings (e.g., AES-256) |
| Procedure | Yes | Detailed/Step-by-Step | Execution steps (e.g., How to back up a file) |
| Guideline | No | Advisory/Best Practice | Suggested actions (e.g., Use a privacy screen) |
This top-down approach ensures that the strategic vision of the CISO is carried out consistently by the Security Analyst in the field.
Resources for Further Study
Reviewing these sources will help you see how different frameworks structure their security mandates, always using this hierarchical approach.
Extensive Website References
- NIST SP 800-18 Rev. 1: Guide for Developing Security Plans
  - Reference: NIST SP 800-18 Security Policy vs Procedure
  - Value: Provides guidance on structuring a comprehensive security program, clearly defining the interrelationship between policy, standards, and procedural documentation.
- SANS Institute: Policy Documentation Best Practices
  - Reference: SANS Security Policy Template Guide
  - Value: Offers practical templates and advice on the language and structure necessary for creating legally and technically sound security policies.
- ISO/IEC 27000 Series: Information Security Management Systems (ISMS)
  - Reference: Search for “ISO 27001 Documentation Requirements”
  - Value: The international standard mandates a documented ISMS, which necessarily relies on the strict creation of policies and procedures.
Recommended Video Resources
| Focus Area | Recommended Video Search Topic | Key Takeaway |
|---|---|---|
| The Documentation Chain | “Security Policies Standards Procedures Guidelines Explained” | A visual breakdown that shows the arrows of authority, illustrating how the Policy mandates the Standard, which in turn mandates the Procedure. |
| Practical Application | “How to Write a Security Policy vs Procedure” | Focuses on the real-world difference in tone and detail between a high-level policy document and a task-specific procedure manual. |
| Audit Importance | “Security Documentation and Compliance Audit Trails” | Explains why detailed Procedures are mandatory for audit compliance, proving that the organization is not only compliant on paper but also in practice. |