Documentation types listed in order of most importance:

Policy

• Mandatory document
• Used by senior management to show that they have exercised due diligence
• Defines the scope of the required security needed by an organisation and strategically highlights the security objectives, goals and security framework
• Documents the assets that require protection and highlights the acceptable level of risk
• High-level overview of an organisations security requirements
• More than one policy can exist
• The outcome of a security policy allows an organisation:
  • to assign individuals specific roles and responsibilities
  • outline compliance requirements
  • outline audit requirements
  • outline enforcement processes

Examples of security policies: Acceptable Use Policy (AUP) or Bring Your Own Device (BYOD) Policy

Standards

• Mandatory document
• Used to define requirements for the use of software, hardware, technology and security controls
• The outcome of this document allows for the development of procedures

Baselines

• Defines the very minimal accepted levels (Baseline) of security that each system should have in an organisation

Guidelines

• Guidelines are recommendations
• Guidelines offer recommendations as to how policies and standards are implemented
• Can included suggested actions but documented actions are not compulsory

Procedures

• Sometimes referred to as Standard Operating Procedures (SOP)
• Detailed step-by-step how-to document
• Contains procedures on how to implement security controls and/or different solutions

In an effort to help one remember the order of the aforementioned documents, the image I have created below represents each document type in order of importance (top to bottom).