nerdexam
(ISC)2

CISSP · Question #1171

What is the MOST appropriate hierarchy of documents when implementing a security program?

The correct answer is A. Organization principle, policy, standard, guideline. Security programs follow a top-down document hierarchy where broad principles drive specific controls. The correct order flows from high-level organizational intent down to actionable technical specifications.

Submitted by anna_se· Mar 5, 2026Security and Risk Management

Question

What is the MOST appropriate hierarchy of documents when implementing a security program?

Options

  • AOrganization principle, policy, standard, guideline
  • BPolicy, organization principle, standard, guideline
  • CStandard, policy, organization principle, guideline
  • DOrganization principle, guideline, policy, standard

How the community answered

(47 responses)
  • A
    94% (44)
  • B
    4% (2)
  • D
    2% (1)

Why each option

Security programs follow a top-down document hierarchy where broad principles drive specific controls. The correct order flows from high-level organizational intent down to actionable technical specifications.

AOrganization principle, policy, standard, guidelineCorrect

The correct hierarchy begins with Organization Principles (high-level mission/values driving security intent), followed by Policy (mandatory rules derived from principles), then Standards (specific mandatory technical or procedural requirements that implement policy), and finally Guidelines (recommended but optional best practices). This top-down structure ensures that granular controls trace back to organizational intent, providing accountability and consistency across the security program.

BPolicy, organization principle, standard, guideline

This answer incorrectly places Policy before Organization Principles, but policies must be derived from and justified by overarching organizational principles, not the other way around.

CStandard, policy, organization principle, guideline

This answer places Standards at the top of the hierarchy, which is incorrect because standards are specific mandatory requirements that exist to implement policies, not to define organizational direction.

DOrganization principle, guideline, policy, standard

This answer incorrectly elevates Guidelines above Policy and Standards; guidelines are the least authoritative documents in the hierarchy as they are optional recommendations, not mandatory directives.

Concept tested: Security program document hierarchy and governance structure

Source: https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final

Topics

#security policy#standards and guidelines#documentation hierarchy

Community Discussion

No community discussion yet for this question.

Full CISSP Practice