CISSP · Question #1171
What is the MOST appropriate hierarchy of documents when implementing a security program?
The correct answer is A. Organization principle, policy, standard, guideline. Security programs follow a top-down document hierarchy where broad principles drive specific controls. The correct order flows from high-level organizational intent down to actionable technical specifications.
Question
What is the MOST appropriate hierarchy of documents when implementing a security program?
Options
- AOrganization principle, policy, standard, guideline
- BPolicy, organization principle, standard, guideline
- CStandard, policy, organization principle, guideline
- DOrganization principle, guideline, policy, standard
How the community answered
(47 responses)- A94% (44)
- B4% (2)
- D2% (1)
Why each option
Security programs follow a top-down document hierarchy where broad principles drive specific controls. The correct order flows from high-level organizational intent down to actionable technical specifications.
The correct hierarchy begins with Organization Principles (high-level mission/values driving security intent), followed by Policy (mandatory rules derived from principles), then Standards (specific mandatory technical or procedural requirements that implement policy), and finally Guidelines (recommended but optional best practices). This top-down structure ensures that granular controls trace back to organizational intent, providing accountability and consistency across the security program.
This answer incorrectly places Policy before Organization Principles, but policies must be derived from and justified by overarching organizational principles, not the other way around.
This answer places Standards at the top of the hierarchy, which is incorrect because standards are specific mandatory requirements that exist to implement policies, not to define organizational direction.
This answer incorrectly elevates Guidelines above Policy and Standards; guidelines are the least authoritative documents in the hierarchy as they are optional recommendations, not mandatory directives.
Concept tested: Security program document hierarchy and governance structure
Source: https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final
Topics
Community Discussion
No community discussion yet for this question.