CISSP-ISSEP · Question #155
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of policies? Each correct a
The correct answer is A. Regulatory B. Advisory D. Informative. Security policies are commonly categorized into three recognized types: Regulatory policies (A) ensure compliance with laws and industry regulations; Advisory policies (B) strongly recommend behaviors and outline consequences for non-compliance, though they aren't mandatory; and
Question
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of policies? Each correct answer represents a complete solution. Choose all that apply.
Options
- ARegulatory
- BAdvisory
- CSystematic
- DInformative
How the community answered
(30 responses)- A90% (27)
- C10% (3)
Explanation
Security policies are commonly categorized into three recognized types: Regulatory policies (A) ensure compliance with laws and industry regulations; Advisory policies (B) strongly recommend behaviors and outline consequences for non-compliance, though they aren't mandatory; and Informative policies (D) educate users and staff without enforcement intent - they exist purely to share knowledge.
Why C is wrong: "Systematic" is not a recognized category of security policy. It's a plausible-sounding distractor, but no standard security framework (CISSP, CompTIA Security+, ISO 27001) defines it as a policy type.
Memory tip: Use the acronym RAI - Regulatory, Advisory, Informative. Think of them on a spectrum from must follow (Regulatory) → should follow (Advisory) → just know this (Informative). If you see "Systematic" on an exam, it's always the trap.
Topics
Community Discussion
No community discussion yet for this question.