CISSP-ISSMP · Question #60
Policies are considered the first and highest level of documentation, from which the lower-level elements of standards, procedures, and guidelines flow. Drag and drop each policy statement according t
The correct answer is Senior Management Statement of policy; General Organizational Policies; Functional Policies; Mandatory Standards; Recommended Guidelines; Detailed Procedures. The question tests the understanding of the hierarchical structure of organizational documentation, specifically policies, standards, procedures, and guidelines, from highest authority to most detailed implementation.
Question
Exhibit
Answer Area
Drag items
Correct arrangement
- Senior Management Statement of policy
- General Organizational Policies
- Functional Policies
- Mandatory Standards
- Recommended Guidelines
- Detailed Procedures
Explanation
The question tests the understanding of the hierarchical structure of organizational documentation, specifically policies, standards, procedures, and guidelines, from highest authority to most detailed implementation.
Approach. The correct interaction is to drag and drop each policy statement into the corresponding 'Drop Here' box based on its hierarchical level, from the broadest and highest authority at the top to the most detailed and lowest authority at the bottom. This hierarchy is commonly applied in IT governance and information security frameworks:
- Senior Management Statement of policy: Drag this to the topmost 'Drop Here' box. This represents the highest level of commitment and strategic direction from executive leadership, setting the overall tone and direction for the organization.
- General Organizational Policies: Drag this to the second 'Drop Here' box. These are broad policies that apply across the entire organization, translating the senior management's strategic intent into general rules.
- Functional Policies: Drag this to the third 'Drop Here' box. These policies are more specific, applying to particular departments, functions, or areas (e.g., IT security, HR), aligning with the general organizational policies but providing more focused guidance.
- Mandatory Standards: Drag this to the fourth 'Drop Here' box. Standards provide specific, mandatory requirements and technical specifications for implementing policies, detailing 'how' something must be done to comply.
- Detailed Procedures: Drag this to the fifth 'Drop Here' box. Procedures offer step-by-step instructions on how to perform specific tasks to meet the defined standards and policies, providing actionable guidance for execution.
- Recommended Guidelines: Drag this to the bottommost 'Drop Here' box. Guidelines are advisory recommendations or best practices, offering flexibility and suggestions rather than strict requirements, often used to aid in compliance with procedures and standards.
Common mistakes.
- common_mistake. A common mistake is confusing the hierarchy levels, especially between policies, standards, procedures, and guidelines, or incorrectly ordering the different types of policies. For instance, placing 'Detailed Procedures' above 'Mandatory Standards' would be incorrect because procedures are the step-by-step implementation of standards, which in turn define how to achieve policies. Similarly, mixing up the levels of policies - like placing 'Functional Policies' above 'General Organizational Policies' - is wrong because general policies have a broader scope. Another error would be placing 'Recommended Guidelines' at a higher level than 'Mandatory Standards' or 'Detailed Procedures', as guidelines are suggestions and less authoritative than required standards or specific procedures. Incorrectly assigning the highest position to a specific policy type (like 'Functional Policies') instead of the overarching 'Senior Management Statement of policy' would also be a common error, as the senior management statement sets the overall strategic direction for all subsequent documentation.
Concept tested. The core concept tested is the hierarchical structure and relationship of organizational documentation, specifically policies, standards, procedures, and guidelines (P-S-P-G), in an IT governance, information security, or general organizational management context.
Topics
Community Discussion
No community discussion yet for this question.
