Security Policy Development and Implementation
What the Exam Is Really Testing
Most organizations have security policies. Almost nobody reads them.
They sit in a SharePoint library, approved two years ago, reviewed never, enforced inconsistently. Employees sign an acknowledgment on day one and forget the content by day two. When an incident occurs, someone pulls up the policy and discovers it does not cover the situation, or worse, it contradicts what people actually do.
The CISSP does not test whether you can write a policy. It tests whether you understand the hierarchy of governance documents, how they relate to each other, and what happens when the hierarchy breaks down. The exam expects you to know the difference between a policy and a standard, between a procedure and a guideline, and why that distinction matters for accountability and enforcement.
The Policy Hierarchy
Five levels, each serving a distinct purpose:
Policies sit at the top. They are high-level statements of management intent. Policies define what the organization will do and why. They are mandatory, approved by senior management or the board, and provide the authority for everything below them. A policy does not tell you how to do something — it tells you that something must be done.
Example: "All organizational data must be classified according to sensitivity and protected accordingly."
Standards define the specific requirements that implement policies. They are also mandatory. Where a policy says what must be done, a standard says to what level. Standards often reference external frameworks or industry benchmarks.
Example: "All encryption must use AES-256 or equivalent. TLS 1.2 is the minimum acceptable version for data in transit."
Procedures are step-by-step instructions for carrying out specific tasks. They are mandatory and detailed. Procedures tell you exactly how to perform an action in a repeatable way.
Example: "To request access to the financial reporting system: 1) Submit a ticket in ServiceNow, 2) Obtain manager approval, 3) Security team verifies role-based entitlements, 4) Access is provisioned within 48 hours."
Baselines define the minimum acceptable configuration or security posture for a specific system or technology. They are mandatory and measurable. Baselines provide a reference point against which compliance can be verified.
Example: "All Windows servers must have local administrator accounts disabled, Windows Firewall enabled, and CIS Benchmark Level 1 applied."
Guidelines are recommendations. They are not mandatory. Guidelines provide advice and best practices that help people make decisions when specific standards or procedures do not cover the situation.
Example: "When traveling internationally, it is recommended to use a dedicated travel laptop with minimal data and a VPN for all network connections."
The hierarchy matters because it determines enforceability. You can discipline someone for violating a policy, standard, or procedure. You cannot discipline someone for not following a guideline.
Policy Types
Three types appear on the exam:
Regulatory policies — Required by law or regulation. The organization has no choice about whether to implement them. HIPAA security policies, SOX compliance policies, and GDPR data protection policies are regulatory. Failure to maintain them creates legal liability.
Advisory policies — Strongly recommend specific behavior and outline consequences for noncompliance. Most internal security policies are advisory. An acceptable use policy that states "unauthorized software installation will result in disciplinary action" is advisory.
Informative policies — Provide information without mandating behavior. They explain organizational positions, background context, or general principles. No enforcement mechanism exists. A policy explaining the organization's commitment to sustainability in IT operations is informative.
Exam pattern: if the question asks which policy type requires compliance, the answer is regulatory (imposed by external authority) or advisory (imposed by management with consequences). Informative policies have no enforcement.
The Policy Lifecycle
Policies are not static documents. They follow a lifecycle:
- Create — Draft the policy based on business needs, risk assessments, and legal requirements. Involve stakeholders from legal, HR, IT, operations, and business units. A policy written solely by the security team will miss business context.
- Review — Subject matter experts and stakeholders evaluate the draft for accuracy, completeness, feasibility, and alignment with business objectives. Legal reviews for regulatory compliance. HR reviews for employment law implications.
- Approve — Senior management or the board formally approves the policy. This step is not optional — it provides the authority behind enforcement. A policy without executive approval lacks organizational weight.
- Distribute — Communicate the policy to all affected parties. Distribution alone is not enough — employees must acknowledge receipt and understanding. Publication on an intranet is necessary but not sufficient.
- Enforce — Monitor compliance and apply consequences for violations consistently. Selective enforcement undermines governance. If exceptions exist, they must be formally documented.
- Retire — When a policy is no longer relevant (the technology it addresses is decommissioned, the regulation it satisfies is repealed), formally retire it. Keeping outdated policies active creates confusion and liability.
Between the Enforce and Retire stages, periodic review should occur. Most frameworks recommend annual review at minimum, or whenever significant changes occur (new regulations, mergers, major incidents).
Exception Management
No policy survives contact with every business scenario. Exceptions are inevitable, and the CISSP expects you to manage them properly:
- Exceptions must be formally requested and documented
- A risk assessment must accompany each exception request
- An appropriate authority must approve the exception (typically the risk owner, not the requester)
- Compensating controls should be identified when the standard control cannot be met
- Exceptions must have expiration dates and be subject to periodic review
- A central register of all active exceptions provides visibility to management
The exam tests this directly. An undocumented exception is a governance failure. An exception approved by the person requesting it is a separation-of-duties failure. An exception without a compensating control is an unmitigated risk.
Awareness and Training
A policy that nobody knows about provides no protection. The CISSP distinguishes between three levels:
Awareness — General knowledge that policies exist and matter. All employees. Delivered through onboarding, posters, emails, and periodic reminders. The goal is behavioral — people should know what is expected.
Training — Role-specific instruction on how to comply with policies and procedures. Developers receive secure coding training. Administrators receive hardening procedures. The goal is skill development.
Education — Deep understanding of security principles for professionals who design and manage security programs. Certifications, degree programs, and advanced courses. The goal is expertise.
The exam expects you to match the level to the audience. An executive needs awareness of the data classification policy. A system administrator needs training on the hardening procedure. A security architect needs education in security design principles.
Pattern Recognition
When a policy question appears:
- Identify where in the hierarchy the document falls — is it a policy, standard, procedure, baseline, or guideline?
- Determine if it is mandatory or merely recommended — policies, standards, procedures, and baselines are mandatory; guidelines are not.
- Check the lifecycle stage — was it properly approved? Is it current? Has it been communicated?
- Look for exception management failures — undocumented exceptions, self-approved exceptions, or exceptions without compensating controls.
- Assess the awareness gap — does the affected party know the policy exists?
If the question describes a document that provides step-by-step instructions, it is a procedure. If it sets a minimum configuration, it is a baseline. If it recommends but does not require, it is a guideline. The exam uses these distinctions deliberately in answer choices.
Trap Patterns
- Calling guidelines mandatory — Guidelines are recommendations. If an answer says "enforce the guideline," that answer is wrong. You enforce policies, standards, and procedures.
- Confusing policies and procedures — A policy says what must be done. A procedure says how. If the question describes step-by-step instructions and calls it a "policy," look for an answer that reclassifies it correctly.
- Approving your own exception — Exceptions must be approved by the risk owner or a designated authority, not the person requesting the exception. Self-approval violates separation of duties.
- Skipping management approval — A policy drafted by the security team but not approved by senior management has no organizational authority. "We wrote it" is not the same as "leadership endorsed it."
- Treating awareness as training — Sending an email about a new policy is awareness. Teaching people how to follow the policy is training. The exam distinguishes these deliberately.
Scenario Practice
Question 1
A security team publishes a new data classification policy on the company intranet. Six months later, an employee mishandles sensitive data, claiming they never knew the policy existed.
What is the PRIMARY governance failure?
A. The policy should have been a guideline since it applies to all employees
B. The security team failed to ensure policy awareness through acknowledgment and training
C. The employee should be terminated for negligence regardless of awareness
D. The policy is invalid because it was not reviewed within 90 days
Answer & reasoning
Correct: B
Publishing a policy on an intranet satisfies distribution but not awareness. The policy lifecycle requires that affected parties acknowledge the policy and receive appropriate training. Without documented acknowledgment and awareness activities, enforcement is undermined.
The policy is correctly classified (not a guideline). Termination without established awareness is premature. There is no universal 90-day review requirement.
Question 2
A business unit requests an exception to the organization's encryption standard because a legacy application cannot support AES-256. The business unit manager approves the exception and implements the legacy application without further review.
What governance principle was violated?
A. Data classification
B. Separation of duties in exception approval
C. Least privilege in access management
D. Defense in depth
Answer & reasoning
Correct: B
The person requesting the exception approved their own exception. Exception management requires approval from a designated authority separate from the requester — typically the risk owner, CISO, or a governance committee. Self-approval eliminates the independent risk assessment that exception management is designed to provide.
Additionally, no compensating controls were identified and no expiration date was set. But the primary violation is the separation-of-duties failure in the approval process.
Question 3
An organization creates a document titled "Recommended Practices for Remote Work Security." It includes suggestions for VPN use, physical workspace security, and device management. A manager attempts to discipline an employee for not following the document.
Is the disciplinary action appropriate?
A. Yes, all security documents are enforceable once published
B. Yes, because the document was approved by management
C. No, the document is a guideline and guidelines are recommendations, not mandates
D. No, because remote work policies cannot be enforced for off-site employees
Answer & reasoning
Correct: C
The document is titled "Recommended Practices" and contains suggestions. This makes it a guideline. Guidelines are not mandatory and cannot be used as the basis for disciplinary action. If the organization wants to enforce remote work security requirements, it needs to elevate the document to a policy or standard with clear mandatory language and management approval.
Remote work policies can absolutely be enforced (D is incorrect). But the enforcement mechanism requires a mandatory governance document, not a recommendation.
Key Takeaway
Policies set direction. Standards set the bar. Procedures explain the steps. Baselines define the floor. Guidelines offer advice.
Memorize the hierarchy, know which documents are mandatory, and understand that a policy without approval, awareness, and enforcement is just a document nobody reads.
On the exam, read the language carefully. "Must" and "shall" indicate mandatory documents. "Should" and "recommended" indicate guidelines. The distinction between those words is often the difference between the right answer and a trap.